Traditional passwords are no longer enough to protect our accounts. Every day we see data breaches, phishing attacks, and credential theft through malware. Even when using two-step authentication, users can fall for traps by entering their credentials on fake sites.
That’s where passkeys come in—a new cryptography-based standard offering much stronger protection. In this article, we will look at how they work from a user’s point of view and why they might mark the beginning of a password-free future.
What Are Passkeys?
Passkeys are based on public and private key cryptography. When you create a passkey for a website, a pair of cryptographic keys is generated: a private key that stays encrypted on your device (like your phone or computer), and a public key that is stored on the website’s server.
The following table shows some differences between passkeys and traditional passwords:
| Feature | Passkeys | Passwords |
|---|---|---|
| Storage | Private key on the user's device | On the server (as a hash) |
| Creation | Generated automatically | Chosen by the user |
| Security | Very high (resists phishing, brute force, leaks, etc.) | Depends on complexity, 2FA use, and server-side protections |
| Ease of use | High | Depends on complexity |
| Theft protection | High | Low |
How Passkeys Work
Creating a Passkey
Setting up a passkey is quick and typically located in your account’s password settings. The name varies by platform—for instance, Google calls them “access keys” and Microsoft refers to them as “passkeys.”
Once you locate the option, the passkey is generated and you choose where to store the private key: in the browser, a password manager, or a mobile device.
If the same password manager is used across multiple devices, the private key will sync automatically, allowing site access from any of them.
Here is an example of adding a Passkey in Google, saved to a mobile phone:
During this process, the key pair is created: the private key remains on the client side and the public key is saved on the server.
Accessing a Website Using a Passkey
Find the Passkey option on the website:
It may appear as “Passkey” or “Access key,” depending on the translation.
Some sites offer it directly; on others you must select it manually.
Enter your username.
Choose where your private key is stored: It may be on your phone, computer, a security key, or the cloud.
Confirm your identity using your device’s unlock method:
Fingerprint
Facial recognition
PIN or other configured method
Done. You are signed in without typing or sharing a password.
Examples of logins using Passkeys on Amazon and Google:
It is important to configure multiple Passkeys for the same website, especially if you use different devices or separate password managers, so that you do not lose access when the device storing your private key is unavailable.
Characteristics of Passkeys
Unlike traditional passwords, they are based on public-key cryptography. This makes them resistant to:
Phishing. No password is ever sent to the server, so there is nothing for a fake site to capture.
Brute force attacks. There is no password to guess: authentication relies on a private key that never leaves the device.
Credential leaks. If the server is compromised, leaking public keys poses no risk, as the private key remains protected on the user's device.
Malware theft. Resistant to info-stealer malware that harvests saved passwords.
They also eliminate the need to remember multiple complex passwords, simplifying their use. Thanks to their design, they enable quick and easy access from various devices while maintaining high security.
Passkey Implementation and Adoption
You can find a list of websites supporting this technology here:
Advantages:
Higher security: stolen or leaked passwords are of no use; protects against info-stealers and data breaches.
Simple and fast authentication: often just a fingerprint or PIN.
Phishing-resistant: cannot be reused or sent to fake sites.
No need to remember passwords: managed automatically.
Cloud sync: usable on multiple devices (depending on the platform).
Disadvantages:
Limited compatibility: not all services support Passkeys.
Ecosystem dependency: Passkeys aren't shared across Apple, Google, and Microsoft.
Difficult on shared devices: may be tricky on non-personal devices.
Learning curve: users need to understand a new model.
Conclusion
Passkeys represent an evolution in how we access digital services. By removing passwords and leveraging cryptography, they offer both security and simplicity. In future articles, we will explain how to implement this technology in applications and how to support users in adopting it.