Ok, you want to create a new account, and that’s already a hassle: you have to make up a new password yourself or have your password manager generate one. Then you also have to enable two-step verification to secure your account even halfway decently. No thanks! But good news: passwords will soon be replaced by passkeys.
What are passkeys?
Passkeys are a form of authentication that allow you to quickly create accounts and log in without having to use less secure passwords.
We know that passwords and TOTP 2FA codes can be easily intercepted by an attacker. Passkeys are fundamentally different: they can only be used on the same domain name for which they were originally registered, and there is no way someone can be tricked into revealing their secret key. Even if you wanted to, there is no way to extract the secret key from your device.
How do Passkeys work?
Using passkeys is much easier than you might think. When you sign up for a new account, instead of a traditional username and password (and the extra action for two-step verification), all you have to do is create a single passkey. This passkey can be paired with the secure biometrics on your device, such as a fingerprint scanner or facial recognition. When you try to log into the account, you only need to authenticate via biometrics to gain access. And rest assured, biometric data is only used locally on your device and is never sent to the website.
So with passkeys, you will never again create a weak password that is easy to guess. Indeed, you won’t be using a password at all anymore.
How does this work for websites where I have already set a password?
When a website or app that previously used a traditional username/password supports passkeys, it is often enough to create your first passkey with the click of a button. The process is as simple as unlocking your device. Behind the scenes, when you create a passkey, a pair of cryptographic keys is generated. The first is the public key, which is stored on the website for which you create the account. The second is the private key, which is stored on your device or in your password manager, such as Bitwarden. This key pair is protected on your device by your biometric fingerprint or facial scan.
What information is required when setting up a passkey?
When creating a passkey for a site, you must first log in with your existing username and password (unless you are creating a new account). The server will then send a request to your browser asking for specific cryptographic information. You must approve the request using, for example, biometrics (fingerprint scanner or facial recognition) or your device PIN. Upon successful authentication, your device generates the key pair and sends the public key to the site. And that’s all the information you need to provide when setting up a passkey.
What happens if I lose my phone?
Passkeys can often be synced between your devices, but not all platforms support this yet. Bitwarden, for example, allows you to store your passkeys in your vault, which is backed up and synchronized between all your devices. Should you somehow lose your passkeys, most sites should have recovery options so you can create a new passkey for your account. Of course, this will vary from site to site.
My device is stolen, will the thief have all my passkeys?
The only way a thief can successfully use your passkeys on your device is if they can also unlock your device and thus gain full access to your data. Further, every time you use a passkey, user authentication is often required, such as biometrics or re-entering your device PIN, so stealing your unlocked device would not be enough.
Isn't a password with 2FA more secure than passkeys?
Passkeys are more secure than the traditional method of username & password authentication for several reasons. First, you can no longer use easily cracked passwords, such as “password.” Also, 2FA is built into the passkey and the only way someone can access your account is to have both the private key and your biometric login or device PIN.
Indeed, one of the crucial aspects of passkey security is the protection of the private key. This key is stored on your device and is protected by your biometric data, such as a fingerprint or facial recognition, or by entering your device PIN. This means that even if someone gains physical access to your device, they still have to go through this extra authentication step to access the private key.
When you register for a website, your device generates a brand new public and private key specifically for that website. When you register for another site, that site gets its own public key from your device, completely independent of the first one. So no, one website’s public key tells it nothing about your accounts elsewhere.
So do passkeys replace physical Yubikeys?
A YubiKey can serve as a form of passkey, specifically as a Security Key or a “device-specific passkey,” where the key itself resides on the small device and is never synced or backed up. This may be more difficult to use than a synchronized passkey, but can be useful in certain scenarios. But for most users, mobile will be the main “key.”
So passkeys can never be hacked?
Nothing is 100% foolproof. But hacking a passkey is hellaciously difficult: an attacker would need not only physical access to the device on which the private key is stored, but also a way to unlock that device. It is (almost) impossible to fake your biometric login (fingerprint or face) or crack your device PIN. Therefore, passkeys are much safer than traditional methods.
Are there no disadvantages then?
A potential concern is “vendor lock-in,” where you become dependent on a specific service provider or technology. For example, if you only use passkeys that are built into a particular operating system or device, you run the risk of being stuck with that ecosystem. Google and Apple will try to convince you to store your passkeys in their ecosystem.
To avoid this, consider using passkeys in conjunction with a reliable password manager, such as Bitwarden, which offers passkey support. This allows you to centrally manage your passkeys and switch to other services or devices without problems.
It is always wise to make sure that you can use new security methods with different services and devices so that you do not become dependent on a single provider. That way you can take full advantage of the benefits of passkeys without being stuck with one specific option.
Will passkeys replace passwords altogether?
No one can say for sure whether passkeys will completely replace passwords. However, we are optimistic about this new form of passwordless authentication and think it has the potential to become truly mainstream. The simplicity of passkeys sets them apart from two-factor authentication and other solutions that add friction to the login process.
We can say with certainty, however, that passkeys will not replace passwords overnight. It is a transition that will take some time. People need to understand what passkeys are and feel comfortable using them instead of traditional passwords. It will also take some time for every organization to add passkey support to their website and apps.
When can I really switch to Passkeys?
It will be a while before all websites offer passkeys.
Yet you see that almost all operating system and browser vendors are working hard to implement passkey support. Broad support for passkeys is expected to be in place soon on all major platforms.
We have already listed popular services that support passkeys.
One thing is certain: passkeys will become the new standard for secure and user-friendly online authentication in the future.