If we want a passwordless future, let's get our passkey story straight

In a recent article from a well-known tech publisher that extolled the virtues of Bitwarden’s password manager, the author wrote the following (by the time you read this, the passage may have been corrected):
“Passkeys are an attempt to replace the password with a key that you don’t have to remember or worry about at all. When you create a passkey for a website, the site spits out two pieces of code, one it saves on the server, one it saves on your device. When you return to the site, the site checks for the code it saved to your device and if it’s there, it logs you in.”
The passage includes multiple incorrect statements that work against the efforts of the FIDO Alliance to educate the public on why passkeys are more secure than passwords for authenticating with websites or applications. (The FIDO Alliance is a consortium of high-tech leaders — including Microsoft, Google, and Apple — that develops and promotes the passkey technology standard.)
The passage gets one thing right: “Passkeys are an attempt to replace the password with a key that you don’t have to remember or worry about.” That’s definitely one of the aspirations of the passkey standard.
“That’s the vision. The end result should be completely effortless,” said Mitchell Galavan, Google lead authentication UX designer, during a recent interview with ZDNET. “[You shouldn’t] even have to think about it,” added Galavan, who also serves as co-chair of the FIDO Alliance U/X Working Group. “The experience should be seamless. You wouldn’t even have to know that the passkeys are showing up on your device if you don’t want to — you’re just getting to where you want to go.”
When passkeys work, which is not always the case, they can offer a nearly automagical experience compared to the typical user ID and password workflow. Some passkey proponents like to say that passkeys will be the death of passwords. More realistically, however, at least for the next decade, they’ll mean the death of some passwords — perhaps many passwords. We’ll see. Even so, the idea of killing passwords is a very worthy objective.
The damage done by passwords
For four decades, passwords have been the Achilles’ heel of computer technology. Most of the damage done — by compromised accounts, identity theft, exfiltration of personal information, and digital theft of funds — involved compromised passwords.
In many cases, passwords were unknowingly shared with malicious actors, often through phishing (and more recently, smishing). Phishing (email) and smishing (text messaging) are digital forms of social engineering that trick unsuspecting users into entering their user IDs and passwords into bogus, authentic-looking, and criminally operated websites.
Passwords and passkeys are similar in one important respect: They each involve a secret. However, the biggest difference between passwords and passkeys is how that secret is handled. With passwords, that secret is a shared secret.
With passwords, you must always share your secret with the operator of the website or application (known in the cybersecurity world as the “relying party”). You do this when you set or reset the password, and you do this every time you log in.
Phishers and smishers depend entirely on the shared secret’s basic principle. Their initial objective is always to get you to share your secret with them.
In contrast, with passkeys — implausible as it sounds — the secret is never shared with a relying party. That’s right. With passkeys, when you log in to a website or application, you never have to share a secret to complete the login process. Once you’re in the habit of not sharing secrets with legitimate sites and apps, the likelihood of sharing a secret with a phisher or smisher is greatly diminished or eliminated altogether.
The passkey principle
Passkeys are based on public key cryptography, where two keys are paired. One key is public and can be shared with anyone, while the other is private and shared with no one.
More than likely, when the aforementioned article referred to “two pieces of code,” it was referring to the public and private keys that make up what’s known as the public/private key pair that forms the basis of a passkey.
The reason a public/private key pair is so useful is that the two halves are mathematically linked but only one of them has to be protected. Anything signed with the private key can be verified by anyone holding the public key, yet nobody can produce a valid signature without the private key. So, if I give you the public half of my key pair, you can check that a message really came from me, but you cannot impersonate me as long as I’m the only person in possession of the private half. (The often-repeated description that “anything encrypted with the public key can only be decrypted with the private key, and vice versa” describes RSA-style encryption; passkeys rely on digital signatures instead, but the principle is the same: one half stays secret, the other can be handed out freely.)
With passkeys, the device that the end user is using – for example, their desktop computer or smartphone — is the one that’s responsible for generating the public/private key pair as a part of an initial passkey registration process. After doing so, it shares the public key – the one that isn’t a secret – with the website or app that the user wants to log in to. The private key — the secret — is never shared with that relying party.
This is where the tech article above has it backward. It’s not “the site” that “spits out two pieces of code” saving one on the server and the other on your device. It’s the device that spits out two pieces of code, saving one — the private key — to your device while sending the other one — the public key — to the relying party (“the server”).
Passwords vs. passkeys at a glance
Password | Passkey
--- | ---
Relies on a shared secret easily mishandled by involved parties, making it vulnerable to discovery by threat actors. | Relies on a secret that stays in the user’s possession and is never shared, virtually eliminating the chances of discovery by threat actors.
A string of characters picked by the user, sometimes with the help of a tool (a password manager) that’s in the user’s control. | A matching pair of system-generated public and private cryptographic keys.
User chooses how to store the secret (memory, sticky note, a password manager, etc.). | The secret (the private key from the public/private key pair) is automatically stored in some secure manner where even the user cannot readily recall it or share it.
Entering user IDs and passwords is a ubiquitous user experience that’s widely understood and supported. | User experience can be wildly different from one implementation to the next, which can be confusing. Not yet supported by many websites and apps.
The same secret can be reused across multiple websites and applications (aka, relying parties). | The secret is unique and specific to a relying party. The user doesn’t have the option to reuse it.
De facto standards for password and multifactor implementations are relatively ancient and complete. | Consortium-led standard is a work-in-progress. The passkey ecosystem still involves some technological gaps.
Users remain exposed to credential theft as long as websites and apps still accept user IDs and passwords (which most sites do). | Will truly fulfill its promise only once passwords are eliminated, which isn’t likely in the foreseeable future.
The distinction between the two is incredibly important because if the relying party generated the public/private key pair, then the implication is that the relying party was, at one point, in possession of the full pair, which means it was in possession of the secret. One of the key principles of the passkey standard is that relying parties never come into contact with the secrets.
How passkeys work their magic
After the relying party receives the public key from the user’s device, it saves that public key alongside the user’s account so it can be retrieved when the user returns to log in. When the user comes back, the relying party generates a fresh, random string of data known as “the challenge” and sends it to the user’s device. The device uses the matching private key to sign the challenge (together with data identifying the website it is signing for, which is what makes the signature useless on a look-alike domain) and sends that signature back. The relying party then verifies the signature with the public key it saved at registration. If the signature checks out against the challenge it just issued, the user is authenticated to use the relying party’s site or app. Nothing secret travels in either direction: the challenge is not secret, and the signature proves possession of the private key without revealing it. Because each challenge is random and used once, a signature captured from one login is useless for the next.
Therefore, the statement that “when you return to the site, the site checks for the code it saved to your device and if it’s there, it logs you in” is also untrue. First, the site never saved anything to your device. Second, the site is unable to interrogate your device for the existence of either of the keys.
So, how does this stop phishing? First, once a user registers a passkey with a relying party, they should, from that point forward, never be asked for their user ID or password by that relying party. If the user receives an email (phishing) or text (smishing) with a link that takes them to a website that, in turn, asks for their user ID and password, the user should assume that the site is bogus. After all, it’s asking for a deprecated piece of information.
Furthermore, let’s say that a malicious site somehow got hold of your public key and offered you the ability to log in with your passkey. In practice, the browser or operating system won’t even offer the passkey, because each passkey is bound to the domain it was registered on and a look-alike domain doesn’t match. But even if you went so far as to attempt to authenticate with the malicious site, you would never have shared any actual credentials with the malicious actors in a way that they could reuse to break into your accounts: a public key can’t be used to log in, and a signature over one site’s challenge is worthless to any other site.
Passkeys have a long way to go before they realize their potential. Some of the current implementations are so alarmingly bad that it could delay their adoption. But adoption of passkeys is exactly what’s needed to finally curtail a decades-long crime spree that has plagued the internet. In order to drive that adoption, it’s terribly important to make sure that when anyone tells the passkey story, it gets told accurately.