Passkeys are a relatively new form of authentication that is considerably more secure than traditional passwords. By using passkeys, users don't have to enter a password to log into an app or website. Passkeys achieve this by leveraging public key cryptography and user verification methods (such as biometrics or PINs) to authenticate a user. With this method, private information remains safe, even from phishing or hacking attempts.
Ask any user, and they'll confirm how frustrating it is to have to deal with complicated passwords. And then, ask any member of an IT staff how frustrating it is to deal with end users who forget their passwords and require them to be changed. On top of that, changing and managing passwords consumes a lot of IT staff time, time which could be spent on more important tasks.
That's where passkeys come into play, and Bitwarden has support for passkeys built in.
But are passkeys truly safer than passwords?
Are passkeys safer than passwords? Exploring the rise of passkeys
The initial seeds for passkeys were planted around 2018, when Google, Microsoft, and Apple began working on pre-passkey systems that were focused on key exchange protocols for the purpose of identification verification. Those early attempts came about due to the need for better ways to combat phishing attacks and other cybersecurity threats. After Apple introduced support, iCloud Keychain allowed users to sync and store passkeys across Apple devices.
Then, in 2019, development of passkeys truly began, thanks to collaboration between the World Wide Web Consortium (W3C), Apple, Google, Microsoft, Samsung, and others. The next step was leveraging biometrics (i.e. facial recognition and fingerprints) for authentication, such that users wouldn’t need to use sensitive information (passwords) that is far easier to steal. This involves the creation of a unique key based on factors like facial recognition. Passkeys can be set up on various devices, including Android devices and computers, to ensure compatibility across platforms. In the long run, passkeys are designed to replace passwords, offering a more secure and convenient authentication method.
Once passkeys started to become standardized, companies began employing them. Even password managers, such as Bitwarden, include features for generating and storing passkeys so they can easily be managed. Users can store passkeys securely within password managers, and storing passkeys safely is essential for seamless access. Creating and utilizing passkeys is accomplished with the Bitwarden web extensions and mobile apps.
What are passkeys, and how do they work?
Passkeys rely on public-key cryptography, where private keys are securely stored on your device and only a public key is shared with the website. They are not as complicated as one might think. Here’s how passkeys work. When signing up for a website or app that supports passkeys, follow these steps:
Device Setup - This is done on your phone. When signing up for a site or app that supports passkeys, you’ll be prompted to set it up on your mobile device (like Android or iOS). This involves the creation of a unique key based on factors like facial recognition.
Verify the key - You will then be asked to verify the key via facial or fingerprint recognition to complete the setup process. This process may involve unlocking your device using biometrics.
Using the passkey - Once you have the passkey set up, the website or app associated with the key will ask for the associated passkey when attempting login. Logging in with a passkey typically requires only your username and biometric verification. Your phone will present options based on biometric data (Face ID/Touch ID). If the biometrics match what’s stored within the passkey, you are granted access.
Mobile apps and web extensions are available to help manage your passkeys. Web browsers are increasingly supporting passkey authentication for seamless login experiences. When you set up a new device, your passkeys can be synchronized to ensure continued access to your accounts.
Learn more on how passkeys work.
Passwordless authentication: A new era
We’re entering a new era of passwordless authentication, where accessing online accounts is both more secure and more convenient than ever before. Unlike traditional passwords, which often require users to remember complex combinations or rely on password managers to generate strong passwords, passkey technology allows you to authenticate with just a touch or a glance. By leveraging biometric authentication — such as fingerprint or facial recognition — users can securely log in without ever typing a password.
This shift is being driven by the growing number of data breaches and security vulnerabilities linked to traditional passwords. Hackers have become adept at exploiting weak or reused passwords, and even the most diligent users can fall victim to phishing attacks or brute force attempts. With passkeys, authentication requires something you are (like your fingerprint or face), making it far more difficult for attackers to gain unauthorized access.
Password managers are also evolving to support this new technology, helping users store and manage their passkeys alongside any remaining passwords. By combining the convenience of biometric authentication with the robust security of passkey technology, users can enjoy a seamless and secure experience across all their online accounts without the constant worry of remembering or protecting complex passwords.
Are passkeys safer than passwords?
This is the big question, and it’s a legitimate one. With the continued rise of cybersecurity threats, ensuring accounts are locked down as tightly as possible has become an absolute must. However, using passwords alone leaves accounts vulnerable to brute force attacks and social engineering tactics.
Generally speaking, passkeys are safer than passwords, and there are some very specific reasons for this. The biggest reason is that users tend to work with very weak passwords that can be easily cracked, which is one of the key differences between traditional password systems and passkeys. Weak passwords are common because most users want to take the path of least resistance, and typing password123 is much easier than 7rfw#ZVnPa4^pP. And given how hackers love an easy target, it makes sense that they would target users who employ traditional passwords.
On top of that, users tend to use the same password for multiple accounts/apps, which means that a hacker only needs one successful attempt to access multiple websites and apps associated with that reused login. This practice increases the risk of a data breach, as one compromised password can lead to multiple account compromises.
Passkeys don’t rely on the user to ensure each login credential is strong and unique, so they are generally considered a more secure option for authentication. Each passkey is unique to the creator, and because the private key is generated and stored on a device, the only way to access a passkey-protected account is with that device.
Another reason why passkeys are safer than passwords is that there’s no need to type a password on a keyboard or a phone. Unlike passwords, passkeys are not vulnerable to being stolen through phishing or brute force attacks. Imagine you have someone looking over your shoulder as you type that password. That person could memorize that password and use it against you. With passkeys, that’s not possible. Even if the bad actor were to steal your phone, they wouldn’t be able to use the passkeys without getting past the biometrics. No matching fingerprint or facial scan means no entry into the account or app. Passkeys are more secure than passwords because they protect users from common threats and reduce the need for two-factor authentication.
Passkeys are designed to replace traditional passwords over time, offering a secure option that isn’t vulnerable to human error and, therefore, less vulnerable to cyberattacks.
The role of password managers in a passwordless future
Password managers will begin to take on a bigger role with passkeys, thanks to centralized storage, with some managers adding features like biometric integration and user verification. And with centralized storage of passkeys, they would then become even easier to use.
Imagine all of your accounts are set up for passkey verification, and you lose your phone. What do you do? Password managers can store those passkeys and then seamlessly sync them from one phone to the next, requiring your biometrics to successfully hand off the keys from the password manager to the phone. In some cases, passkey transfers may require physical proximity between devices, such as using Bluetooth, to enhance security during the process.
With passkeys becoming more and more popular, you can count on password managers integrating with this improved authentication function. When that happens, the authentication process will be both easier and more secure.
The future of online authentication
Looking ahead, the future of online authentication is set to become truly passwordless, with passkeys poised to replace traditional passwords as the standard for securing online accounts. The FIDO Alliance — an industry group that includes tech giants like Google, Microsoft, and Apple — is leading the charge in passkey adoption, ensuring that more companies and platforms support passkeys across multiple devices and operating systems.
Passkey technology relies on public key cryptography, which means that your private key stays securely stored on your device, while only a public key is shared with the website or application. This approach eliminates the need to transmit or store passwords, dramatically reducing the risk of data breaches and security vulnerabilities. As more companies support passkeys, users will be able to authenticate seamlessly across all their devices, without juggling multiple complex passwords or worrying about password reuse.
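The sign-in flow described under "What are passkeys, and how do they work?" and in the paragraph above, as an added example (not Bitwarden code, and a simplified model rather than the full WebAuthn wire format): the site stores only a public key, the device signs a fresh challenge bound to the site's origin, and a look-alike origin, a replayed response or a failed device unlock produces nothing the site will accept. The class names, example.com and examp1e.com are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Authenticator (phone, security key, password manager): one private key per site.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // stays on the device
    return publicKey;                // the only value the site receives
  }
  // userVerified stands in for the local biometric or PIN check that unlocks the key.
  sign(origin, challenge, userVerified) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey || !userVerified) return null; // no passkey for this site, or unlock failed
    const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05])]); // flags: present + verified
    const signed = Buffer.concat([authData, sha256(clientData)]);
    return { clientData, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Relying party (the website): holds the public key and issues single-use challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.rpId = new URL(origin).hostname; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { const c = nodeCrypto.randomBytes(32).toString('hex'); this.pending.add(c); return c; }
  verify(a) {
    if (!a) return 'no-assertion';
    const cd = JSON.parse(a.clientData.toString());
    if (!this.pending.delete(cd.challenge)) return 'unknown-or-replayed-challenge';
    if (cd.type !== 'webauthn.get' || cd.origin !== this.origin) return 'wrong-origin';
    if (!a.authData.subarray(0, 32).equals(sha256(this.rpId))) return 'wrong-rp';
    if ((a.authData[32] & 0x04) === 0) return 'user-not-verified';
    const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
    return nodeCrypto.verify('sha256', signed, this.publicKey, a.signature) ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const device = new Authenticator();
  const site = new RelyingParty('https://example.com'); // constructed origin
  site.enroll(device.register('example.com'));
  const good = device.sign(site.origin, site.newChallenge(), true);
  const lookalike = device.sign('https://examp1e.com', site.newChallenge(), true);
  const locked = device.sign(site.origin, site.newChallenge(), false);
  return { first: site.verify(good), replay: site.verify(good),
           lookalike: site.verify(lookalike), locked: site.verify(locked) };
}
```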
Password managers will continue to play a vital role in this transition, helping users store and manage their passkeys as easily as they once managed passwords. With widespread adoption of passkeys, the authentication process will become more secure, user-friendly, and resistant to common threats like phishing attacks. As technology advances and more companies embrace passkey implementation, the vision of a passwordless future — where your digital privacy and security are stronger than ever — will soon become a reality.
Effectively generate and manage passkeys using Bitwarden.