Passkeys: How they work, how to use them
Monday July 7, 2025. 01:00 PM , from ComputerWorld
Once upon a time, signing into sites and apps was simple.
You remember those days, right? (They really weren’t that long ago, though by tech standards, it’s been roughly seven centuries.) All you’d do is remember a single username and password — or maybe put it on a Post-it and stick it to the bottom of your 11″ oatmeal-gray 7,000-lb. monitor monster, if you were really feeling fancy — and that’s it: You’d be ready to rush into whatever site or service you wanted, whenever the need arose.

Now, it’s a whole other story. If you’re following best practices, you’ve got unique, complex alphanumeric passwords for every single site and service you visit — managed by a password manager and supplemented by two-factor authentication. And if that isn’t enough, you’re increasingly being prompted to drop all of those elements and instead rely on a newer and even more mystifying method of authentication called a passkey.

Whether you’re a gadget-loving technophile or a perpetually befuddled technophobe — and whether you’re an individual tech user or part of a broader corporate organization — the one consistent reality about passkeys is that they’re confusing as all get-out. Their aim may be to simplify security around sign-ins, but in actuality, they create all sorts of uncertainty and unanswered questions.

Think of this as your one-stop spot to find those elusive answers. Time to dive deep into passkeys and explore all the pressing questions about what they are, how they work, and how you can put ’em to proper use — without putting yourself in harm’s way.

First: What are passkeys, anyway?

Let’s start at the beginning: Passkeys are a relatively recent security feature that let you log in to an account simply by authenticating on a device with your fingerprint or face scan — or, in some cases, another screen lock mechanism (e.g., the PIN or passcode you put into your device when first firing it up).
In a sense, it’s kind of like two-factor authentication — only instead of typing in a traditional password and then verifying it’s you as a second step, you’re basically just jumping right to that second step with the knowledge that such action shows you’ve already unlocked an approved device and demonstrated your identity.

So how is that better than a password, in terms of security?

The idea is that passwords are inherently vulnerable, since they’re text-based codes that you type in or store somewhere and thus that someone else could potentially access or figure out (or find in one of the endless series of breaches we hear about these days). With a passkey, that risky variable is eliminated. Instead, you’re signing in solely based on the fact that you’ve already unlocked your phone or computer — ideally using some manner of biometric authentication but at the very least using a PIN or passcode there — and thus have already proven who you are. And you set up a different passkey for each site or service, eliminating the possibility of reused credentials.

Plus, you personally have that device in front of you, which means a hacker couldn’t crack the code and pretend to be you without physically taking your device and being able to get past its lock screen. That also means the long-standing issue of phishing — where someone tricks you into sharing your sign-in credentials so they can steal ’em — isn’t really even possible anymore (unless you’re tricked into skipping the passkey entirely and entering a traditional password somewhere along the way). And it means you’re no longer going through a cumbersome multistep process every time you need to sign into something, too, since passkeys streamline those steps and take the burden off of your shoulders.

How are passkeys even stored? Couldn’t someone still steal them?
On a technical level, a passkey is built on public key cryptography — a fancy way of saying it relies on a pair of keys, one that’s public and one that’s stored privately on your local device — which makes passkeys exceptionally difficult to crack or plunder. That’s in large part because of the way the private key piece of the puzzle works: In short, the site you’re signing into never sees your private key and only receives confirmation that it’s present and valid. The key itself remains on your device, with encryption keeping it unreadable until the moment you authenticate. The actual passkey data is never transferred during the login, and there’s no real mechanism to even copy and paste it anywhere, like you would with a password, so the potential for a hacker to exploit it is pretty darn slim.

The one extra wrinkle is that for most people and purposes, the underlying (and encrypted) passkey data is synced to a service that’s connected to a secure account you own and thus can use to sign back in and restore the passkey on a different device. That’s the case with the Google Password Manager system associated with Android, with the iCloud Keychain system associated with iOS, and with most third-party password managers such as 1Password and Bitwarden, too. But the version of the passkey stored in any such service is securely wrapped and not in any raw, readable, or exportable form. It’s only when the data is on your authenticated device that decryption occurs (locally, on the device) and the signing operation is able to take place — with your device’s secure hardware elements and your on-device authentication serving as key elements that couldn’t be replicated in any cloud environment.

As with any security system, one can’t say it’s 100% foolproof or impossible to be compromised.
But, again, with all the layers in place and the reliance on local on-device mechanisms, the odds of any hack taking place seem fairly small — certainly much smaller than they’d be with a more conventional password or even password-plus-two-factor-authentication approach and the added points of vulnerability those situations present.

What about two-factor authentication, then? Does that still exist?

Two-factor authentication is absolutely still advisable in any traditional sign-in scenario, but with a passkey, nope: It’s not needed — since that first step (the password) is no longer relevant and the second factor (the passkey) is already built in and present.

If I lose the device where a passkey is stored, couldn’t someone else then use it?

An excellent question indeed. Since the device is already protected by a lock screen — which requires your authentication to get past — no one else should be able to get into the device at all, let alone get to a point where they’d be authenticating as you a second time and signing into something with your passkey. And, of course, if you ever do lose a device, you’d be well-advised to tap into systems for remotely resetting it as soon as possible to erase all stored data and essentially eliminate any (even mostly theoretical) risk.

But if I lose the device — or even just reset it, or move into a new device — wouldn’t I then lose access to the passkeys stored on it?

It’s possible — and that’s where passkeys can get particularly perplexing. Remember: In most situations, the underlying data is stored securely in a service that handles the passkey creation — Google Password Manager, iCloud Keychain, or any number of third-party password managers. That data isn’t usable or accessible in those places, but it is available for syncing to a secured device once you’re signed in and authenticated.
That means if you ever change devices for any reason, you can simply sign back in to the appropriate service and access your passkeys as needed in that new environment. Most services also allow you to create and manage multiple passkeys across multiple devices — as is the case with Google, for instance, via its universal Google Account website. And, if all else fails, most services will still allow you to sign in with your traditional password as a backup.

That aside, you can often opt to have a passkey stored on a physical security key (cue the confusion!), which is a USB or Bluetooth stick like the ones made by Yubico and Google. In those instances, the key is limited to that one single apparatus and can be used anywhere it’s connected, but if you lose it, it’s lost — so you’d want to be extra-cautious and aware of the risks (as well as extra-cognizant of any available backup methods) if you opt to go that route.

Speaking of options, can I have multiple passkeys for a single site?

Generally speaking, you can! It all depends on the specific device or service you’re using to create and store your passkeys, but with your Google account, for instance, you can create as many passkeys as you want across multiple secure devices so you always have options available.

[Image: Google allows you to create and manage multiple passkeys so you have plenty of ways to sign into an account. JR Raphael / Foundry]

All right — so where exactly can I use a passkey?

This is another area of complication: It’s a bit of a Wild West out there as far as passkey support is concerned right now, and there’s no great way to know if a service does — or doesn’t — let you create and use a passkey without just digging through its settings or waiting to see if it offers up the opportunity. That being said, more and more professional-oriented apps and services are starting to add passkey support, and many of the common business-software contenders are already on board.
You can create and use passkeys with apps by Apple, Google, Microsoft, Adobe, and HubSpot, for instance. Docusign, Notion, Stripe, LinkedIn, and Zoho are among the other companies also offering support. It’s almost certainly not a comprehensive or up-to-the-minute database, but a crowdsourced site called Passkeys.directory has a helpful list of places where passkeys are presently available.

How do I even create a passkey in the first place?

Alas, there’s no simple, consistent process — as it really just depends on the specific site or service. But generally speaking, if something supports passkeys in the first place, it’ll either automatically prompt you to create one as you’re signing in or encourage you to make your way into its security or sign-in settings to find the option to create a passkey there.

For a smattering of specific examples, here are the passkey-creating instructions for:

Microsoft
Apple
Adobe
HubSpot
Notion

Got it. Once I have one, then, how do I actually use it?

My, you’re full of astute questions, aren’t you? Again, the answer here varies somewhat depending on the specific site or service — as it’s up to each individual entity to determine how, exactly, its sign-in setup works. (Sensing a theme here yet?) In general, though, once you’ve set up a passkey, you’ll either see an option to use it as a part of the standard sign-in process or see a confirmation automatically pop up confirming its presence at some point along the way.

[Image: Signing in with a passkey is typically just a matter of clicking a button and confirming your identity. JR Raphael / Foundry]

Is this all the same if I’m using an enterprise or company-connected account?

Mostly — and maybe. If your account is part of a company-associated team, there could be certain restrictions in place as to how and when you can put passkeys to use.
If something isn’t working in the way you’d expect, you may need to check with your organization’s IT department or administrator to see what options are available and if any special permissions need to be granted. In an enterprise environment, you may run into even more requirements about what specific sorts of apps or devices can be used to store your passkeys, especially if your organization is relying on a single sign-on (SSO) solution such as Microsoft Entra or Google’s SSO setup. Your company may require you to use a physical key, for instance, or a specific app such as Microsoft Authenticator. But that aside, the actual setup and sign-in process for passkeys in enterprise and/or SSO environments shouldn’t be any different from setting up and signing in with a passkey in any other scenario.

Is it possible to say ‘passkey’ 10 times fast without slurring?

If you put your mind to it, you can accomplish anything. I believe in you! (But please, for the sake of your professional future, limit your practicing to after-work hours.)

Does anyone ever request a passkey and accidentally get a pasty instead?

If only, my friend. If only.
https://www.computerworld.com/article/4009132/passkeys-how-they-work-how-to-use-them.html