Why Passkeys are Better

Nick Hodges
October 17, 2022

Maybe you’ve had the feeling — or maybe you’ve imagined it.  The feeling of your stomach sinking to the bottom of your belly.  That panic you feel the very second you realize that you just entered your login credentials into a fake website.  Maybe you realized it right away.  Or maybe you realized because you went back the next day and couldn’t log in.  Maybe you realized it because your bank account has been cleaned out.  However you realized — or imagined — it, it’s not a feeling you ever want to have.

But imagine not having to worry about that ever again.

That’s what passkeys and passwordless authentication can bring you.

Why Passkeys are Better

Every day we grow closer to a passwordless world.  We here at Passage are doing what we can to make that happen for everyone.  We all carry devices with us that can be used to easily declare who we are, normally via a fingerprint or face scan.  All new laptops have fingerprint readers.  Passkeys leverage these new technologies to drastically increase the security of your accounts.  Apple has introduced passkeys into their ecosystem, with Microsoft and Google releasing their versions very soon.

I’ve written about why we must move beyond passwords and how the whole passkey system works.  In this post, I will discuss why passkeys are a vastly better solution than passwords.  There are many reasons why passkeys are a superior solution, but it all boils down to two things.

Passkeys Share no Secret Information

This is the biggest reason passkeys are much more secure than passwords.  With passkeys, passwords are simply no longer a threat vector.

Passwords account for north of 80% of all security breaches.  Passkeys mitigate this threat down to almost nothing.  You can’t reuse your passkeys.  You don’t have to remember them.  They are generated and stored for you, so you don’t have to worry about creating and storing them yourself. You can’t be lured into giving them up because they are unique to a specific website and thus can’t be shared with a phishing website.

Sensitive data associated with each passkey never leaves your device.  The information is stored on your phone on a special chip (a Trusted Platform Module) that even the NSA might not be able to crack.  If you register with a website using a passwordless solution like Passage, that site gets nothing but a public key, which is useless for cracking open your account.  While Apple lets you share your account with others via AirDrop, you couldn’t even share the actual private key with a phishing site if you wanted to.

Passkeys are a Much Better User Experience

Registering for an account on a website can be a hassle.  Often you have to think up a password meeting various criteria designed to make it hard to guess.  Frequently, users have to context switch away from your site to get a six-digit number from their phone or an email.  Over 30% of all online shopping carts are abandoned because of the bother of registering for an account or because users don’t remember their passwords.  Password managers can help the situation, but they can be complicated to use for many.  The whole experience needs improving.

Multi-factor authentication (MFA) can improve the security of a password-based system but does so at the cost of decreased user experience.  MFA requires the user to switch contexts, usually by going to another application to grab a six-digit number.  I know I’ve often fumbled to find my phone to get that one-time password.

Instead, passkey registration requires a biometric system validation — as simple as a fingerprint touch or a glance at a camera — and one-time device approval.  After that, logging in is as simple as that biometric validation.  Instead of typing complicated passwords and grabbing one-time password codes or checking emails, your users can log in in seconds or less.

Passkeys actually use MFA, requiring you to supply something you have (your device) and something you are (for example, your face or your fingerprint).

Passkeys are only getting better.  Ultimately, you will be able to log in without even entering your password or phone number.  Instead, the login input box will just know that your device has a passkey for the given domain and will auto-prompt you.

Let’s Do This

I remember that great feeling when my bank’s mobile application allowed me to log in with my fingerprint instead of typing my complicated (and ultimately not secure, no matter how complex it was) password.  It was a freeing moment for sure.  You want that for your users when they come to your website or log in to your mobile application, don’t you?  Heck, you want that for yourself every time.

In the end, passkeys appear virtually unexploitable and vastly more convenient.  Why not give it a try right now?

Thank you to Mac Evans for reading the draft and making many excellent suggestions.