Passkeys slowly replacing passwords for account logins

  • Passkeys are a new secure way of logging into websites and apps without the need for a username and password. Google just made passkeys the default method for sign-in unless you opt-out.
  • As of fall 2023, few websites support the use of passkeys for sign-in.
  • Usernames and passwords will continue to exist for many years due to the slow and voluntary adoption of passkeys. Therefore we still recommend the use of a password manager to store passwords, passkeys and secure information.

Passkeys are a new type of login credential that allow you to log in to websites and apps more easily and securely. After enabling passkeys on a specific account, instead of having to type in a username and password on a website, you’ll simply click a “Sign in with passkey” button or link.

Websites and apps that support passkeys

Passkeys are still a relatively new technology, but they are quickly gaining adoption. A number of major websites and apps already support passkeys, and more are being added all the time. As of October 2023, some of the more popular websites supporting passkeys include:

  • Amazon
  • Apple
  • Google
  • PayPal (Apps only)
  • Shop by Shopify
  • Best Buy
  • CardPointers
  • Carnival
  • eBay
  • Microsoft
  • PayPal

The following password managers currently support passkeys:

  • 1Password
  • Bitwarden
  • Dashlane
  • Google password manager
  • iCloud Keychain
  • Keeper
  • LastPass
  • Microsoft Edge password manager

This list is growing all the time, as more and more websites and apps are adding support for passkeys. To find out if a particular website or app supports passkeys, you can check their website or contact their customer support. An updated list can be found on the website passkeys.directory.

How to create and use passkeys

To use a passkey for a particular website or app, you first need to create one for the website or app that you want to log in to. This is done by following the instructions on the website or app. Once you have created a passkey, you can use it to log in by simply authenticating with your biometric authentication (fingerprint, face scan, PIN, etc.) on a compatible smartphone or device.

As of October 2023 the following devices support passkey authentication:

  • Microsoft Windows devices with Edge or Chrome
  • Apple devices with iOS 16, iPadOS 16, or macOS Ventura
  • Google Android devices with Android 9 or later
  • Chrome OS devices

You can also use an external security key device to log in to Google on any device that has a USB port or supports Bluetooth.

Another method to sign into a website is to use your mobile device to sign into a website on your computer. FIDO Cross-Device Authentication allows you to use a passkey created on one device to sign in to another device. This is useful if you don’t have a device that supports passkeys natively, or if you want to use the same passkey on multiple devices. To use this method, you will need to install a compatible authenticator app on both of your devices. Some popular authenticator apps that support FIDO Cross-Device Authentication include:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • LastPass Authenticator

Once you have installed an authenticator app on both of your devices, you can create a passkey on one device and then use it to sign in to the other device. To do this, follow the instructions on the website or app that you are signing in to.

For example, to sign in to a website using a passkey created on your phone, you would open the website on your computer and then scan a QR code with your phone’s authenticator app. Once you have scanned the QR code, you will be prompted to authenticate with your phone’s biometric authentication (fingerprint, face scan, etc.) or a security key. Once you have authenticated, you will be signed in to the website.

Where are passkeys stored?

Passkeys can be stored in a variety of places, including:

  • On your device: Passkeys can be stored on your device in the secure enclave, which is a hardware-based security module that protects your data from unauthorized access.
  • In a password manager: Passkeys can be stored in a password manager, which is a software application that securely stores your passwords and other sensitive information.
  • In the cloud: Passkeys can be stored in the cloud, such as in a cloud-based password manager or in the cloud storage service of a trusted company.

The best place to store your passkeys depends on your individual needs and preferences. If you are concerned about security, you may want to store your passkeys on your device or in a password manager. If you need to be able to access your passkeys from multiple devices, you may want to store them in the cloud.

Pros and cons of using passkeys instead of passwords

Pros of using passkeys:

  • More secure: Passkeys are more secure than passwords because they are based on public key cryptography, which makes them much more difficult to hack.
  • Easier to use: Passkeys are easier to use than passwords because you don’t have to remember them. You can simply use your biometric authentication (fingerprint, face scan, etc.) or a security key to log in.
  • More convenient: Passkeys can be used on a variety of devices, including smartphones, tablets, and computers. You can also sync your passkeys across devices, so you can use them to log in to any website or app that supports them.

Cons of using passkeys:

  • Not widely adopted: Passkeys are not yet widely adopted, so you may not be able to use them to log in to all of your favorite websites and apps.
  • Requires additional hardware or software: To use a passkey, you will need a device that supports biometric authentication or a security key.
  • Can be difficult to recover: If you lose your security key or forget your biometric authentication, it may be difficult to recover your passkeys.

Overall, passkeys offer a number of advantages over passwords, including improved security, ease of use, and convenience. However, it is important to note that passkeys are not yet widely adopted, and they may not be available for all websites and apps.

Here are some additional things to consider when deciding whether or not to use passkeys:

  • Your level of security needs: If you have highly sensitive accounts, such as banking or financial accounts, you may want to consider using passkeys to improve their security.
  • Your comfort level with technology: If you are not comfortable using biometric authentication or security keys, you may want to stick with passwords.
  • Your device compatibility: Make sure that your devices support passkeys before you switch.

If you are considering using passkeys, I recommend starting by switching to passkeys for your most important accounts, such as your email and banking accounts. As passkeys become more widely adopted, you can switch more of your accounts to passkeys.

What’s the difference between passkeys and two-factor authentication?

Passkeys and two-factor authentication (2FA) are both security measures that can help protect your online accounts from unauthorized access. However, there are some key differences between the two.

2FA is a security measure that requires you to provide two different pieces of information when logging in to an account. This typically includes a username/password, then a 6-digit number from an authenticator app or one-time password sent as an email of text message. 2FA adds an extra layer of security to your account, making it more difficult for attackers to gain access even if they have your password.

Passkeys are a newer type of security measure that is designed to replace passwords altogether. Passkeys are based on public-key cryptography, which is a very secure way to authenticate users. To use a passkey, you simply need to verify your identity with a biometric factor, such as a fingerprint scan, face scan or device PIN.

One of the key differences between passkeys and 2FA is that passkeys are passwordless. This means that you don’t need to remember or type a password when using a passkey. This can make it easier and more convenient to log in to your accounts, and it also helps to reduce the risk of phishing attacks.

Another key difference is that passkeys are more secure than 2FA. Passkeys are based on public-key cryptography, which is very difficult to crack. Additionally, passkeys are stored on your device, which means that they are not vulnerable to server breaches.

Here is a table that summarizes the key differences between passkeys and 2FA:

FeaturePasskeys2FA
Uses a passwordNoYes
Requires multiple factorsYesYes
Uses public-key cryptographyYesNo
Stored on your deviceYesNo
Vulnerable to server breachesNoYes
Supported by all websites and appsNoNo

Which is better for you depends on your individual needs and preferences. If you are looking for the most secure way to authenticate yourself online, then passkeys are the better option. However, if you need to be able to log in to websites and apps that don’t support passkeys yet, then you may need to use 2FA instead.

Access to your passkeys and other data after you die

Your next-of-kin may need to access your passkeys (just like your passwords) in the event you become disabled or die. When considering your passkey for your Google account(s), they currently do not have a way to access a user’s passkey after death. This is because passkeys are stored on the user’s device and are encrypted with the user’s biometric data. This means that even Google cannot access a user’s passkey without the user’s fingerprint or face scan or PIN.

However, Google is working on a way to allow users to designate a legacy contact who can access their passkeys after death. As of October 2023 this feature is not yet available, but it is expected to be released in the future.

In the meantime, there are a few things you can do to ensure that your loved ones can access your Google account after you die:

  • Create a legacy contact. A legacy contact is someone who can access your Google account after you die. You can create a legacy contact by going to your Google Account settings and clicking on “Manage legacy contact.”
  • Use a premium multi-person password manager. Premium (paid) password managers such as Bitwarden and LastPass can soon store passkeys in their vaults, and have already an Emergency Access feature so that you can share access to your password/passkey vault with a trusted person after you die.

It is important to note that there is no one-size-fits-all solution for passing along passkeys after you die. The best approach for you will depend on your individual circumstances and preferences.

Also read: How to set up legacy contacts for your online accounts.

You’ll still need to use passwords for some applications for many more years

Unfortunately the need for passwords is not going away any time soon. It’s taken websites many years just to enable 2FA, yet it’s still not available on all sites. And it will take many more years for all sites to enable passkeys.

In the meantime, it’s important to adopt and stick with a system to easily and safely manage your passwords. In this article we show you the variety of methods of creating a password system and using a password manager or other secure method of keeping track of all your logins.

If you need in-home service to help with passkeys or passwords, and setting them up on your devices and websites, please contact us.