What are passkeys? Hint: They're faster and safer than passwords

Passkeys are revolutionizing security by replacing passwords, with major firms like Microsoft and Apple leading the way in adoption.

Passkeys are safer than passwords and increasingly being adopted by Google, Microsoft and others

  • Passkeys are a safer, simpler and faster replacement for passwords, which are fraught with security concerns.
  • Major companies are increasingly adopting passkeys and Microsoft is ditching passwords altogether.
  • Still, more companies need to get rid of passwords entirely and make passkeys available.

Passwords may be coming to an end.

Passwords have long faced criticism for their weak security: Data breaches expose billions of passwords every year and people often use the same phrases or combinations, such as "admin" or "1234," that can be guessed.

Now, companies are increasingly pushing for users to ditch passwords and switch to passkeys, which are more secure because they are privately stored on devices such as computers or smartphones.

More than 15 billion accounts now have the option to use passkeys, according to FIDO Alliance, an industry cybersecurity group that developed passkeys.

"What is happening for consumers is even though they are under increasing attack, websites are using passkeys to help them sign in securely," Andrew Shikiar, CEO of FIDO Alliance, told ConsumerAffairs.

Microsoft said this year it would make all new accounts "passwordless by default" and instead have accounts set up passkeys. Google is also encouraging passkeys after a surge of phishing attacks on Gmail.

"Microsoft's leadership on this front is fantastic and will help others follow suit," Shikiar said.

And more than a dozen big financial companies have also made passkeys available, including American Express, Bank of America and Wells Fargo. E-commerce websites, such as Amazon, eBay and Walmart, have also adopted passkeys.

"The results speak for themselves: Time after time, companies report that their customers have a much faster time to sign in," Shikiar said.

How do passkeys work?

Passkeys work by having a private key and public key, creating an encrypted way to sign in.

"That means there's no way to remotely get in," Shikiar said. "You can go steal my public key all you want."

What provides the strong security is the private key, linked to a device, that can be verified through a code, fingerprint or facial recognition.

"Whatever you do to unlock your device is highly secure, personal to you," Shikiar said. "All of these are highly secure methods."

For instance, Windows 11 lets users have a PIN code to verify the passkey stored on the device.

You can safely use the same code, fingerprint or facial recognition for every online account because of how it is stored.

"That's only on your device," Shikiar said.

Password managers, such as 1Password, can also manage passkeys for users and transfer passkeys between devices.

Can passkeys be hacked?

It is very difficult for a bad actor to use a passkey to get into an account.

In theory, a thief could glance over your shoulder to see the code you enter and then steal the device and use the passkey to access accounts. Or a criminal could threaten you to unlock a device with your fingerprint or face.

But this is much harder than a hacker guessing a password or using one that was exposed in a data breach.

Still, until passkeys totally replace passwords, they aren't a perfect substitute for protecting accounts from hackers.

Passkeys are more convenient than passwords, but they can offer a "false sense of security" since they aren't yet disabling passwords, Roger Grimes, analyst at cybersecurity firm KnowBe4, told ConsumerAffairs.

He said this means that hackers and scammers can still get people's passwords from data breaches or trick them into handing them over even if passkeys are activated.

"What you are really getting is a log-in method of convenience," Grimes said. "The attacker can still use your password so you haven't really increased the security on your account at all."

Microsoft does now allow accounts to disable passwords and use passkeys instead, but users still need to authenticate their login through a separate app, called Microsoft Authenticator.
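
The two points above, that the public key a site stores is useless without the device's private key and that a password left enabled still opens the account, shown as an added example. It is not from the article, FIDO Alliance or any vendor, and it is a simplified model rather than real WebAuthn; the function names, account record and sample password are constructed for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not a WebAuthn implementation.
// All names and the sample password are constructed for this example.
const { generateKeyPairSync, randomBytes, scryptSync, sign, timingSafeEqual, verify } =
  require('node:crypto');

// Server-side account record: holds the PUBLIC key only, plus an optional legacy password.
function makeAccount(publicKey, password) {
  const salt = randomBytes(16);
  // passwordHash === null means password sign-in is disabled for this account.
  return { publicKey, salt, passwordHash: password ? scryptSync(password, salt, 32) : null };
}

// Server issues a fresh random challenge for every sign-in attempt.
const newChallenge = () => randomBytes(32);

// Device signs the challenge with the private key, which never leaves the device.
const deviceSign = (privateKey, challenge) => sign('sha256', challenge, privateKey);

// Server verifies the signature against the stored public key.
const passkeyLogin = (account, challenge, signature) =>
  verify('sha256', challenge, account.publicKey, signature);

// Password path: works for anyone who knows the password, wherever they are.
function passwordLogin(account, password) {
  if (!account.passwordHash) return false;
  return timingSafeEqual(scryptSync(password, account.salt, 32), account.passwordHash);
}

function demo() {
  const device = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = generateKeyPairSync('ec', { namedCurve: 'P-256' }); // a key pair that is not the user's
  const account = makeAccount(device.publicKey, 'Summer2024!');
  const c1 = newChallenge();
  const c2 = newChallenge();
  const sig1 = deviceSign(device.privateKey, c1);
  const passwordless = { ...account, passwordHash: null };
  return {
    userWithDevice: passkeyLogin(account, c1, sig1),
    oldSignatureReplayed: passkeyLogin(account, c2, sig1),
    signedWithoutUsersKey: passkeyLogin(account, c2, deviceSign(other.privateKey, c2)),
    leakedPasswordFallbackOn: passwordLogin(account, 'Summer2024!'),
    leakedPasswordFallbackOff: passwordLogin(passwordless, 'Summer2024!'),
  };
}

console.log(demo());
```

Only the first and fourth results are true: the passkey path accepts nothing but a fresh signature from the user's device, while the password path keeps accepting a known password until the account disables it.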

Do you have to reset passkeys?

It's not possible to forget your device's private passkey because it is stored in an encrypted format, which prevents the headache of having to reset passwords.

As long as a user has their device, they can sign in through a passkey.

But changing how you verify a passkey, such as through a code, fingerprint or facial recognition, depends on the operating system.

On Windows 11, for instance, users can change their PIN under settings in "sign-in options."

Windows 11 users can also delete passkeys and then create new ones with their online accounts. But there's really no reason to do this.

How did passkeys start?

FIDO Alliance, which developed passkeys with other companies, introduced the term in 2022. There are now more than 300 companies involved with FIDO Alliance.

"This really speaks to the magnitude of the problem and the threat presented by passwords that necessitates this level of collaboration," Shikiar said.

Apple was the first major adopter of passkeys in late 2022, when it added them to iOS, the operating system for iPhones and iPads, Shikiar said.

Apple's passkeys are verified in the form of an unlock code, fingerprint or Face ID for an iPhone or iPad, which other companies can then recognize for signing on.

In 2023, Google's Android operating system also began supporting passkeys.

"We have more sites than we can count supporting passkeys," Shikiar said. "I think that's fantastic progress."

Still, he said there is room to grow and FIDO Alliance doesn't have numbers on the percentage of users only using passkeys.

"We need to make sure that everyone who has the option to use passkeys is using them," Shikiar said. "Furthermore, that people start to eventually delete their passwords altogether."
