What is a Passkey?
Juggling unique passwords for every online account you create isn't convenient, but until recently it's been necessary to keep sensitive data secure. In recent years, however, an alternative option has emerged in the form of passkeys. Passkeys allow you to verify your identity and eliminate the need to create, remember and use passwords.
They're not as widely available as passwords for account authentication, but if you have a newer version of popular operating systems or browsers, chances are you've been asked if you want to create one. If you've ever wondered what a passkey is and whether it's worth trying, here's what you need to know about how they work and how they compare to passwords.
What Is a Passkey and How Does It Work?
A passkey lets you sign in to online accounts or apps without entering a password. It includes two parts—a public version and a private version—that work together to verify you are who you say you are. The public version of a passkey is stored in the browser, on the website or in the app where you create it. The private passkey is stored on your device. It isn't saved anywhere else and is never transmitted to third-party sites.
When you begin the login process, the server that stores the public version of your passkey asks your personal device to unlock the private version of your passkey to verify your identity. This is typically accomplished through biometrics like facial recognition or a thumbprint or by entering a PIN. If your identity is confirmed and the private version of the passkey matches the public version, you're granted access to the site.
Passkeys aren't available with every website, app or online service, but they're becoming more popular. Certain operating systems, including Apple, Windows and Android, and web browsers including Chrome and newer versions of Firefox give users the option to create a passkey instead of using a password.
Are Passkeys Safe?
Passkeys are a more secure alternative to traditional passwords, helping to protect your personal information online. Passwords are vulnerable to phishing attempts because they have to be shared with third parties to verify your identity at login. However, the private version of a passkey is stored locally on your device and never shared publicly and therefore isn't vulnerable to theft the way a password would be.
If you access a website or app using a passkey and that website or app is hacked, the hackers only have half the information (the public passkey) they need to log in to your account. The private passkey is inaccessible to them because it's stored on your personal device.
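The sign-in exchange described above, and why a copy of the public passkey alone cannot log anyone in, as an added example that is not part of the original article. It is a simplified model rather than the full protocol real passkeys use; the `Authenticator` and `Server` classes, the `demo` function and the account name `alice` are hypothetical.

```javascript
const crypto = require("node:crypto");

// Device side (illustrative): the private key stays inside this object.
class Authenticator {
  constructor() {
    const keys = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKey = keys.privateKey;
    this.publicKey = keys.publicKey;
  }
  // Registration hands the site only the public half.
  register() { return this.publicKey.export({ type: "spki", format: "pem" }); }
  // userVerified stands in for the biometric or PIN unlock on the device.
  sign(challenge, userVerified) {
    if (!userVerified) throw new Error("device not unlocked");
    return crypto.sign("sha256", challenge, this.privateKey);
  }
}

// Site side (illustrative): stores public keys and issues one-time challenges.
class Server {
  constructor() { this.accounts = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.accounts.set(user, publicKeyPem); }
  startLogin(user) {
    const challenge = crypto.randomBytes(32); // fresh random value per login
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.accounts.get(user);
    this.pending.delete(user); // each challenge is accepted once
    if (!challenge || !pem) return false;
    return crypto.verify("sha256", challenge, pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const server = new Server();
  server.enroll("alice", device.register()); // constructed sample account
  const sig = device.sign(server.startLogin("alice"), true);
  const genuine = server.finishLogin("alice", sig);
  server.startLogin("alice"); // new challenge, old signature
  const replayed = server.finishLogin("alice", sig);
  // A party without the device's private key signs with some other key.
  const outsider = new Authenticator();
  const wrongKey = server.finishLogin("alice", outsider.sign(server.startLogin("alice"), true));
  return { genuine, replayed, wrongKey };
}
```

Only the signature made by the enrolled device over the current challenge is accepted; a captured signature and a signature from any other key are both rejected.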
Passkeys vs. Multifactor Authentication
Multifactor authentication (MFA), such as entering a code that's texted or emailed to you, provides an additional layer of security when accessing a password-protected account, but it doesn't eliminate the need for a password. Passkeys replace passwords and are touted as being more secure than password-protected accounts, even when MFA is enabled.
When you use a passkey, MFA is built into the process because you need both the public and private versions of the passkey to gain access to your account. Additionally, the service you're trying to log in to must verify your identity, typically through biometrics, to unlock the private passkey, enhancing the security of your accounts.
Should I Use a Passkey?
When available, passkeys can offer a simpler, more secure alternative to coming up with yet another strong password you have to memorize and enter every time you want to log in. However, not all devices, browsers and online accounts support passkeys. You'll need to find one that does if you want to give it a try. For accounts that only offer password protection, enabling MFA provides more security than using a password alone.
How to Use a Passkey
Before you can use a passkey to log in to an online account or app, you have to set one up. Some sites and apps that support passkeys may prompt you to create one when you attempt to log in. If they don't, you can typically set one up by completing the following steps.
- Go to the security settings of your account to create the passkey. When you create a passkey, it may be stored locally, synced across your devices if you save it to the cloud through a service such as iCloud Keychain or stored in a password manager like Google Password Manager. (The exact location for completing this process may vary based on the account.)
- Go to the login screen. Once you've created a passkey, go to the login screen just as you would if you were using a password and tap the account name field.
- Select the account name you want to use. If you don't see the name you want to use, enter it manually.
- Verify your identity. Depending on the authentication method you used when creating your passkey, you may need to enter a PIN or confirm your identity with facial recognition or a thumbprint. Once your identity is verified, you'll be logged in automatically.
The Bottom Line
Passkeys could one day become the gold standard for online account security, eventually replacing the need for usernames and passwords. However, the transition to this more secure and convenient login option is going to take time. While you wait, consider giving passkeys a try while you still have the option to use a password. Easing into the process allows you to familiarize yourself with this new technology and get comfortable using it.
About the author
Jennifer Brozic is a freelance content marketing writer specializing in personal finance topics, including building credit, personal loans, auto loans, credit cards, mortgages, budgeting, insurance, retirement planning and more.