Transforme insights em ação: o Bitwarden Access Intelligence já está disponível

Saiba mais >

Blog do Bitwarden

Building a smarter path to passkeys for stronger, more complete credential security

publicado :

The need for phishing-resistant authentication is accelerating passkey adoption and replacing shared secrets like conventional passwords with much more secure cryptographic sign-in credentials that are resistant to theft, reuse, or phishing.

Phishing is still a major problem

Phishing remains one of the most persistent risks facing individuals and organizations, and major software providers are beginning to require stronger authentication for high-risk and privileged users. Salesforce’s recent move to require phishing-resistant MFA for certain privileged users is one example of how enterprise platforms are pushing authentication toward more secure, passwordless methods. Another example is Microsoft's announcement that passkeys will become the default phishing-resistant authentication method for Microsoft Entra ID starting in September.

As more work, data, and infrastructure sit behind identity-based access, protecting credentials, passkeys, secrets, and recovery paths becomes central to both personal and business security.

Why authentication is moving beyond passwords

Traditional passwords are shared secrets. A user types a password into a website, which is then compared with the known password or hash to determine authentication. The fact that a password can be phished, guessed (especially if it was made by a human), replayed, or socially engineered makes it a sub-optimal authentication method. Additionally, the website that receives the password can be breached, and the password may be leaked onto the dark web.

Password managers help address these risks by generating a strong, unique password for each account. Solutions like Bitwarden also include phishing protections and breach alerts. Together, these capabilities strengthen password-based security; however, passkeys offer a fundamentally different approach to authentication.

Phishing-resistant passkeys are the future of security

Passkeys use public key cryptography to authenticate the user without sending a reusable password to the website or application. The private key stays protected on the user’s device or within a credential manager, while the service verifies the sign-in using the matching public key.

Because passkeys are bound to the website or application they were created for, they will not authenticate on a spoofed domain. This helps individuals reduce the risk of account takeover and gives organizations a stronger way to protect privileged users, sensitive systems, and business-critical applications from credential-based attacks.

Synced passkeys help reduce lockout risk

Device-bound passkeys and hardware security keys can provide strong protection, but they can also create challenges when a phone, computer, or physical key is lost, replaced, unavailable, or damaged. For a business, that can create support overhead and productivity disruption. For an individual, it can mean being locked out of an important account at the worst possible time.

Synced passkeys reduce that risk by making passkey authentication available across trusted devices through a secure credential manager like Bitwarden, protected by end-to-end encryption and multifactor authentication. This makes it easy for users to adopt phishing-resistant authentication without making sign-ins dependent on a single device or physical key.

Passwordless progress does not eliminate all credential risk

Passkey authentication is only one part of the journey. Implementing their usage alone does not remove every identity-related risk. Organizations still need visibility into the credentials and systems that sit outside the primary login flow. That includes passwords, recovery paths, shared credentials, SaaS integrations, service accounts, and systems that do not fully support passwordless authentication.

Recent third-party integration incidents involving OAuth token abuse show why credential risk cannot be measured only by the strength of a human login or passkey authentication. Even as logins become more phishing-resistant, organizations still need to manage the credentials, integrations, and recovery mechanisms that remain part of their environment.

Secure the transition and destination

A practical passkey strategy needs to account for the systems people still use today, including passwords, recovery codes, shared credentials, service accounts, and applications that do not yet support passwordless authentication. Users and organizations need a way to adopt stronger authentication while keeping access secure, usable, and recoverable along the way.

A strong passwordless transition plan should make it easier to:

  • Store and use passkeys across trusted devices

  • Keep remaining passwords strong, unique, and protected

  • Manage recovery codes and backup access securely

  • Share credentials safely when shared access is still required

  • Maintain visibility into weak, reused, or compromised credentials

  • Protect secrets, service accounts, and emerging non-human access needs

Bitwarden supports that transition by bringing passwords, passkeys, secrets, shared access, and credential risk visibility together in an end-to-end encrypted vault. Individuals can protect personal accounts as passkey adoption grows, while organizations can strengthen authentication and continue managing the access methods, recovery paths, and legacy systems that remain part of daily operations.

Passwords will remain part of the transition

Passwords have long been the default method of digital authentication and will remain part of many accounts and workflows as passkey adoption grows. Passwords, passkeys, recovery flows, shared accounts, and legacy applications will continue to coexist across personal and business environments, including where access is not centrally managed.

During this transition, passwordless authentication and password-based sign-ins need to be managed together. Treating passkeys as a replacement for every credential too early can create blind spots. Teams still need a way to protect the remaining paths, including passwords, recovery information, shared access, and credentials tied to legacy systems.

Get started with Bitwarden

Passkeys are an important step toward phishing-resistant authentication, but passwords, passkeys, secrets, recovery flows, shared access, and emerging machine-driven use cases will continue to coexist for the foreseeable future.

Bitwarden helps individuals and organizations manage passwords, passkeys, and secrets from an end-to-end encrypted vault.

Get started today with an individual account at bitwarden.com or sign up for a free trial of Bitwarden business plans to help your organization strengthen identity security across passwords, passkeys, secrets, and secure access.

Back to Blog

Get started with Bitwarden today.