What are passkeys?

Passkeys are a replacement for passwords. Using passkeys allows users to login to accounts the same way they use to unlock their device, e.g., with their fingerprint or a scan of their face.

They are easy to set up. It is as simple as consenting to save and use them. This makes passkeys very intuitive and convenient for users.

Are passkeys secure?

A passkey is a secret stored on the user’s device. The secret is unlocked with biometrics. These steps are all protected by dedicated hardware integrated into modern devices.

This is a huge advantage alone compared to passwords where it is technically impossible to ensure users save password securely; it could be in super fancy password manager or on a sticky note next to the user’s monitor.

By design, passkeys are unique per service. Unlike passwords, it is impossible to reuse them.

Also, services using passkeys do not know or have access to the secret. They are only aware of an associated public key. As “public” implies that part is not a secret and can only be used to verify whether the login request comes from the actual passkey or not.

This is a huge security gain. Even if the service has a security breach, attackers only get hold of the public keys which cannot be used to login or authenticate to other services.

Are passkeys ready for use?

The number of devices and platforms supporting passkeys is already quite high: Passkey Device Support.

This includes support of major organizations like Apple, Google, or Microsoft.

And more and more services have started to roll out passkeys for their services, like Meta’s WhatsApp: “Android users can easily and securely log back in with passkeys”.

Also, Identity@ThingsRock, our Identity and Access Management Service supports passkeys. Setting up your own subscription is easy and totally free: ThingsRock Customer Portal.