Are Passwords Dead? What Are Passkeys, and Why Everyone's Talking About Them

What happens if I lose my device?
Passkeys require biometric authentication on your phone. Even if your phone is stolen, the passkeys can't be accessed without your biometric data.
This only really answers half of the question. I do use a password manager and an authentication app, but the biggest pain in the arse is if your device is inaccessible (damage, factory reset, loss or theft): recovering access to your accounts once you've got a new device. This is easier if you do a 'graceful' transfer from the old to the new device, but it's still an absolute ballache.
 
Weird. My Samsung phone updated and enabled passkeys. Either way, I have a 26-character password, and yes, it takes time to type my password, but the passkey works from my email account, so it is easier just to click on the email and I'm logged in. I still don't trust it though, as anything can be hacked. Well, I hate AI, but it makes web development so much easier ^^
 
Edit: Below is a bit of a rant, but I do want to thank you for the article. It's a nice explainer, and honestly passkeys with biometrics + PIN are probably secure enough for most people anyway.

"In contrast, passkeys provide a more secure and simplified solution by removing the need to manage or store multiple credentials."

Well, not true. Each website gets its own passkey. The user just doesn't have to manage it.

The "What happens if I lose my device?" answer forgot to address the important question - how to recover. Or more broadly, how to use multiple devices. Presumably the keys would need to be synced across devices.

The fact that passkeys require biometrics - a known insecure way of logging into devices - is unfortunate. A PIN helps the situation, but if it's intended to compensate for the known weaknesses of biometrics, it is inadequate. I don't know why people think that fingerprints, which you leave everywhere, or your face, which is in public everywhere, are good ideas for logins. They are usernames at best, not "passwords". Somewhat difficult to fake, sure, but it can be done, especially since the underlying technology doesn't capture your biometrics in full detail. Not to mention the fact that you can't really change them once they get compromised, at least not without surgery. That's a problem if malware gets on your device and can swipe the database. Sure, it's encrypted, but if that malware can swipe the database it can probably intercept your PIN, too. To be fair, malware would crack anything, but at least you can change passwords after the fact; not so with bio.

Passkeys with a master passphrase - now that I could get behind.

Two-factor authentication is fairly annoying these days. It often assumes that a mobile device is the correct second device to authenticate to (not true if you are logging in from the mobile device in the first place), and that you have two devices or a (smart)phone (there's a subtle wealth assumption being made, which is fine for most people in the States but not all, and perhaps quite a leap for the developing world). If it's sent over SMS (a bad idea, since it is unencrypted), then it assumes you have cell service where you have internet. And worst of all, many sites don't give you choices in how you would want two-factor to be used.

A good two-factor solution is an app that works single-device for those without two devices (you can't have 2FA if you only have one device; that's just a weakness that has to be accepted), but can be configured to be multi-device (so not just a mobile app; it needs to be desktop, Mac, Linux, etc.) and with an integration into whatever login system you are using (maybe it is also your password manager) so that it can guarantee that the second factor goes to a second device. If you log in on mobile and get your 2FA there, you didn't really get 2FA. And the app shouldn't require or need your phone number. It irks me when apps claim to be private and then turn around and demand you hand over your PII. An email you can more easily create in an anonymous way.
 
Goog, Appl, Amaz and Micro all already know too much about us. I'd rather deal with my own account for each site like this and give the giants a little less info. Ultimately, big data combining our tracks pigeonholes us into fewer choices. I'd rather work the system to my advantage than have the system working me for theirs.
 

Agreed with everything you just said.

Aside from the odd technical hiccups that still exist (e.g. I briefly got locked out of my Google account when I last tried to switch to a passkey, stored in Bitwarden, accessed via Firefox, because Google refused to accept the passkey being handled by Bitwarden after creation, even though it had no issue 'giving' Bitwarden the passkey during its creation; a known bug at the time), passkeys have another key, legal weakness in some jurisdictions:

- Passwords are protected under rights against self-incrimination (in jurisdictions where this right exists, such as the US), but biometric data is not protected under these same rights, since it is "public" information.

Right now, you can sorta sidestep this weakness by using a vault that still relies on a master password + some kind of 2FA (an OTP code, a hardware FIDO key, etc.). But at that point, what is the point of a passkey aside from convenience? A chain is only as strong as its weakest link, and while passkeys are more secure than password+2FA, if you have to secure your passkeys with one password+2FA, then what practical/security benefit does a passkey provide?

If FIDO and other passkey advocates really want to replace passwords, they need to be lobbying to get biometric authentication legally protected the same way that passwords are (if not better protected).
 
Something you have plus something you are is WAY more insecure! It's even in the infographic; notice they are in the same step?

If someone steals your phone, they can now unlock ALL your other accounts, because they are now "something you are" and they possess something you have.

Short of torture, nobody can get the password you have swimming in your head.
 
Thanks for the feedback. I helped to research and edit this article along with David. Based on some of your comments I tweaked the first Q&A answer to be more comprehensive:

What happens if I lose my device?
If you lose your device, your passkeys aren’t lost — they’re securely backed up in the cloud through services like Apple's iCloud or Google's Password Manager (or the password manager of your choice). These backups are end-to-end encrypted, meaning only you can access them, and they sync across your devices for easy recovery.

When you set up a new device, you can restore your passkeys simply by signing in to your cloud account. If you don’t have another device, recovery options like a recovery key or multi-factor authentication can help you regain access.

Passkeys also require biometric authentication (like Face ID or a fingerprint) to use. Even if someone steals your phone, they can’t access your passkeys without your biometric data.
 
I understand the difference between a "password" (first chart, left hand side) and a "Face ID or Fingerprint" (right hand side). But isn't a PIN, listed on the right, a lot more similar to a shorter password than to a biometric identification method?

My Windows login screen currently takes my 4 digit PIN instead of my longer password, which not only has more characters but each of those characters is from a much larger character set (60+ possibilities for each, vs 10 possibilities for the digits).

I'm not sure how this is all that different or an improvement in security. But since my desktop is locked in my home I'm not all that worried about it.
 
“You are not your job, you're not how much money you have in the bank. You are not the car you drive. You're not the contents of your wallet. You are not your ****ing khakis. You are all singing, all dancing crap of the world.”
None of these are security factors.
 
Passkeys are not as strong as passwords because courts can't force you to reveal passwords, not in America at least. Even in America, police can easily get your biometric data to unlock devices and accounts.
 
It's the same thing as a password, but doesn't work across platforms. iOS/Android/Windows do not share passkeys with each other. The concept is great, the execution is pathetic. I accidentally enabled passkeys on one of my Gmail accounts; never making that mistake again until they fix this glaring problem.
 
They say "Passkeys also require biometric authentication (like Face ID or a fingerprint) to use." While I have these, my computer does not. So how does this work again? I will NOT buy another gadget just because they want to change stuff, again.
 
On Windows, all you need is either account password or your PIN. If you’re using a password manager like Bitwarden, all you need is your password.
 

"if you lose your device, your passkeys aren't lost – they're securely backed up in the cloud through services like Apple's iCloud or Google's Password Manager"

That's the bit that worries me. Does it mean the American government can get the passwords, and therefore access, to all the systems you use? Would they also have access to your phone for locations and contacts etc.? I guess this would be true for folks outside of America too.
 