Passkeys Explained


Vira Bhakta

Aug 3, 2024, 5:55:34 PM8/3/24
to blogsevollga

The first digital password was actually invented in 1961 by MIT computer science professor Fernando Corbato who needed a way for several users to work on the same computer. In the time since, passwords have become an integral part of our digital lives and we now use them everyday.

Tom's Guide also spoke with Andrew Shikiar, the executive director and CMO of the FIDO Alliance, about passwords and passkeys. He explained that the main difference between the two is that unlike passkeys, passwords are easily readable by humans which makes them less secure, saying:

"Unlike passwords, passkeys do not rely on human-readable shared secrets that are highly susceptible to attack and easy to bypass. Passkeys change the paradigm of how people are typically authenticating online today by replacing the password with an unphishable primary factor for user authentication that is built into virtually every modern computing device today."

As for your web browser, Chrome, Edge, Safari and Firefox all currently support passkeys. You need to be running version 79 or higher for Chrome/Edge, version 13 or higher for Safari and version 60 or higher for Firefox.

Since you store passkeys on your smartphone instead of remembering them, you may be wondering what happens when you upgrade to a new smartphone. No need to worry as they can easily be transferred over to a new device.

On Android, when you set up a new smartphone, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it. However, in some cases such as when an older device is lost or damaged, you may need to recover them from a secure online backup. To do this, you need to provide the lock screen PIN, password or pattern from the previous device that has access to those keys.

Besides setting up passkeys on your smartphone or computer, you also need to find sites and services that support them in order to use them. Fortunately, a number of big brands including eBay, PayPal, Best Buy, Nvidia and more already do.

Passwords have been around for a long time and people are familiar and comfortable with using them. Still, weak or reused passwords can put both people and the companies they work for at risk, which is why there has been such strong support for passkeys.

Passkeys are a safer and easier alternative to passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.

Developers and users both hate passwords: they give a poor user experience, they add conversion friction, and they create security liability for both users and developers. Google Password Manager in Android and Chrome reduces the friction through autofill; for developers looking for even further improvements in conversion and security, passkeys and identity federation are the industry's modern approaches.

A passkey can meet multifactor authentication requirements in a single step, replacing both a password and OTP (e.g. 6-digit SMS code) to deliver robust protection against phishing attacks and avoid the UX pain of SMS or app-based one-time passwords. Since passkeys are standardized, a single implementation enables a passwordless experience across all of a user's devices, across different browsers and operating systems.

A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.

When a user wants to sign in to a service that uses passkeys, their browser or operating system will help them select and use the right passkey. The experience is similar to how saved passwords work today. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. This may be performed with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern.

A user can sign into services on any device using a passkey, regardless of where the passkey is stored. For example, a passkey created on a mobile phone can be used to sign in to a website on a separate laptop.

Passkeys are intended to be used through operating system infrastructure that allows passkey managers to create, back up, and make passkeys available to the applications running on that operating system. On Android, passkeys can be stored in the Google Password Manager, which synchronizes passkeys between the user's Android devices that are signed into the same Google account. Passkeys are securely encrypted on-device before being synced, and require decrypting them on new devices. Users with Android OS 14 or later can opt to store their passkeys in a compatible third-party password manager.

For example, a user visits example.com on the Chrome browser on their Windows machine. This user has previously logged into example.com on their Android device and generated a passkey. On the Windows machine, the user chooses to sign in with a passkey from another device. The two devices will connect and the user will be prompted to approve the use of their passkey on the Android device, for example, with a fingerprint sensor. After doing so, they're signed in on the Windows machine. Note that the passkey itself isn't transferred to the Windows machine, so typically example.com will offer to create a new passkey there. That way, the phone isn't required next time the user wants to sign in. Read Sign-in with a phone to learn more.


Organizations can deploy FIDO sign-ins with passkeys across a variety of use cases. Passkeys enable users to access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. Alternatively, device-bound passkeys that are bound to a FIDO security key or platform are an option for organizations that do not require syncing.

When a user is asked to sign in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.

Because the status quo is downright sobering: Billions of personal accounts have been hacked worldwide. In Germany, almost one in three people have had their online accounts spied on, according to a representative survey commissioned by the consumer advice center.

We focus on the practical use of passkeys and only explain the technology behind them to the extent that it helps you understand them and have the necessary trust. Passkeys are a further development of the established FIDO2 security standard with asymmetric encryption.

If you use a smartphone, the private key is also securely synchronized in the cloud of the operating system, i.e. Apple or Google. This is one of several advantages of the smartphone, which we will come back to in a moment.

Once a passkey has been set up, the next time you visit the website (or app), you simply tell it that you want to log in. The online service then sends your device a so-called challenge: a task that can only be solved with the help of your private key stored in your device and which you authorize using your fingerprint, face scan, or PIN.

There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.io, Passkeys Directory, and Keeper, among others. New providers with Passkey support may not be included at first. Important services are listed below.

If you only want to use Passkeys on your PC at home, you can store your private keys exclusively on your computer. The requirements are straightforward, a compatible browser such as Chrome, Edge, or, more recently, Firefox (from version 122) is all you need.

If the mobile device breaks or is lost, you have a backup right away. Synchronization is not yet available for Windows. You can read more about the backup strategy for passkeys in the box at the bottom of this page.

Android and iOS differ only slightly here. Depending on the device configuration, you may still need to enter the unlock PIN before authenticating with a fingerprint or face scan. You already know the rest.

Logging in is even quicker and more convenient if you allow this step to be skipped on your smartphone after the QR scan. In the future, all you need to do to log in on the PC is select the linked mobile device and authorize the login using a finger or face scan. Authentication takes place via Bluetooth (from version 5.0). If your computer fails to fulfil this requirement, a USB Bluetooth dongle for around $10 will help.

You now know how passkeys work. To familiarize yourself with the concept, we recommend only switching one or two accounts to begin with. The box above lists important providers that support the method.

Microsoft at least offers the option of removing the password completely in the personal settings under Security > Advanced security options > Passwordless account. With NAS manufacturer Synology, you even have to choose between a password and a passkey.

Tip: Passkeys are also suitable for particularly security-relevant applications, such as payments, which should be protected by a second factor. You can quickly authorize, say, PayPal transactions with your fingerprint without having to enter a short code or do anything else first.

At the same time, management with the smartphone ensures a backup of all private keys and thus the possibility of restoring them if the hardware breaks down or is lost. If you only use the passkeys on your computer at home, you can in principle also save them on your PC.
