Security experts are increasingly urging users to move away from traditional passwords and adopt passkeys, a newer method of logging into accounts that aims to reduce risks such as hacking and phishing.
Passwords remain widely used, but they are often reused, simplified or poorly managed. Even with password managers, which help generate and store complex credentials, risks remain. These systems typically rely on a single master password, creating a potential point of failure if compromised.
Passkeys take a different approach.
Instead of requiring users to remember or enter passwords, they rely on device-based authentication, such as a phone’s screen lock or biometric verification like fingerprint or facial recognition.
The system works using a pair of cryptographic keys. One key is stored on the service being accessed, while the other remains securely on the user’s device. When logging in, the service sends a request that the device verifies locally.
If the authentication is successful, access is granted without transmitting a password.
Because no password is shared or stored centrally, passkeys are considered more resistant to phishing attacks, which the FBI has previously identified as one of the most common forms of cybercrime.
The method is supported by the FIDO Alliance and adopted by major technology companies including Google, Apple and Microsoft.
Passkeys are designed to work automatically once set up, requiring minimal user input.
However, they are tied to specific devices, meaning losing access to a device could complicate account recovery unless backup options are enabled.
Experts say the shift reflects broader concerns about password security.
Once an email address or login credential is exposed through data breaches or online use, it can be reused by attackers across multiple platforms.
Passkeys also generate unique credentials for each service, limiting the impact of a breach on any single platform.
While adoption is still growing, the approach is increasingly seen as part of a move toward passwordless authentication, as companies look to reduce reliance on systems that have long been vulnerable to misuse.
