Passkeys FAQs: What they are, and other frequently asked questions
by Nick Summers on
Everyone is talking about passkeys at the moment, and with good reason: they’re a promising replacement for passwords that are secure, resistant to phishing, and convenient to use!
While they haven’t gone mainstream yet, passkeys are building momentum. So, if you haven’t used one before, or only partially understand how they work, we’re here to help.
We’ve gathered up and answered some of the most frequently asked questions about passkeys, so you can learn more and use them with total confidence when signing in to your accounts.
Contents
- What are passkeys?
- How do you use passkeys?
- How do passkeys work?
- Are passkeys better than passwords?
- Do passkeys merely mask a password?
- Will passkeys replace passwords?
- Do you use the same passkey for all of your online accounts?
- Do you need a Bluetooth connection to use a passkey?
- Where are passkeys stored?
- Can thieves access passkeys from a stolen device?
- How will 1Password support passkeys?
What are passkeys?
Passkeys are a new kind of login credential that entirely replaces passwords. They’re a simple and secure way to log in to your online accounts, like the ones you might have for email, video streaming services, and e-commerce sites.
Behind the scenes, each passkey consists of two parts. The first part is the private key, which doesn’t leave your device, and is never shared with the site or app you want to sign in to. The second part is the public key, which as the name implies, is safe to share publicly. That means it’s seen and stored by the website or app you’re logging in to.
Passkeys don’t need to be memorized, and there’s no such thing as a “weak” passkey, because your device generates the underlying private and public keys on your behalf.
Passkeys also can’t be stolen in a data breach. Only the public key is stored on an app or website’s server, and it’s useless without the corresponding private key. Without physical access to your device (and a way to unlock it), no one can log in to your passkey-protected accounts.
Passkeys are supported by all of the major platforms run by Apple, Microsoft, and Google. Soon, you’ll also be able to create, store, and use passkeys in 1Password.
How do you use passkeys?
First, you’ll need to create an online account using a passkey. (Visit passkeys.directory to discover apps and websites that have already added passkey support!) When prompted, choose the option to create and secure an account using a passkey, rather than a traditional password.
You’ll see a window or message asking you to confirm the device or service that your private key will be stored on. That could be your phone, tablet, PC … or, in the not so distant future, a password manager like 1Password.
A new passkey – which includes a public and private key pair – will then be generated for that specific website.
When you sign in with a passkey, you won’t have to enter a password. Instead, you’ll be asked to authenticate using biometrics. You’ll most likely do this via Touch ID, Face ID, or Windows Hello. If you’re unable to use biometrics, the system will request the PIN or password that you normally use to unlock your device. Once you’ve authenticated, you’ll be signed in to your account.
The bottom line: using passkeys on the web will be just like unlocking your device. You’ll unlock your passkey using biometrics, then immediately gain access to your account.
How do passkeys work?
Passkeys are a form of passwordless authentication that leverage an API called WebAuthn. The API was jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C). Passkeys and WebAuthn utilize public and private keys, better known as public key cryptography.
When you create an account with a passkey, your device automatically generates a public and private key pair. The two pieces are mathematically linked to one another. You can think of them as a one-of-a-kind key that’s designed to go in a one-of-a-kind lock. You need both pieces to authenticate and log in to the account that your passkey was created for.
The public key is shared with the website or app, while the private key never leaves your devices.
When you sign in, the website or app generates a ‘challenge’ behind the scenes. You authenticate with biometrics or your device PIN, which unlocks your private key. Your device then uses the private key to “sign” the challenge, and sends the completed signature to the website or app. The last step is verification. The website or app uses the public key stored on its server to check the signature is correct and authentic.
The best part? This entire process happens behind the scenes, and near instantaneously. From your perspective, you simply authenticate with biometrics or your device PIN, and then immediately sign in to your account.
Are passkeys better than passwords?
Passkeys are a simple, fast, and secure form of passwordless authentication. They’re a modern password replacement that 1Password and other members of the FIDO alliance believe will go truly mainstream in the coming years.
First, let’s explain why passkeys are more secure than passwords. You can choose a weak or predictable password, like “password123”, but you can’t create a weak passkey. Passkeys are generated by your device, and are strong by default. They can’t be guessed by an attacker, either.
Passkeys can’t be phished like a traditional password because the underlying private key never leaves your device. That makes them resistant to social engineering scams, too.
If an attacker breaches a website or app, the best they can hope to find is your public key. That key is useless without the associated private key. And as we’ve already established, you can’t use a public key to reverse engineer its companion private key, and vice versa.
By comparison, a password can be exposed in a data breach if it hasn’t been properly protected by the app or website. Many people also reuse passwords, which allows attackers to break into other accounts using a technique called credential stuffing. Every passkey is not only strong but also unique, so there’s no chance of an attacker using one passkey to break into a different account.
Passkeys aren’t just secure – they’re incredibly convenient to use, too. You don’t have to manually create a password, and there’s nothing to type out or memorize. When you want to sign in, you simply verify your identity using biometrics, or by entering your device’s password or PIN.
Do passkeys merely mask a password?
Passkeys are a complete replacement for passwords. They don’t mask a traditional password like most forms of passwordless authentication.
For example, you likely already use FaceID, Windows Hello, or another form of biometrics to unlock your devices. This experience is passwordless – you don’t have to enter a password – but it’s not the same as using a passkey. That’s because your biometrics simply prove to the device that it’s safe to retrieve and use your password or PIN.
When you use a passkey, meanwhile, there’s no underlying password. Instead, you’re using a public and private key pair – otherwise known as public-key cryptography – to sign in to your online account.
Will passkeys replace passwords?
No-one can say for sure whether passkeys will completely replace passwords. However, we’re bullish on this new form of passwordless authentication, and think it has the potential to go truly mainstream. That’s because passkeys are not only secure but also convenient to use. The simplicity of passkeys sets them apart from two-factor authentication and other solutions that add friction to the sign in process.
We can say with certainty that passkeys won’t replace passwords overnight. It’s a transition that will take some time. People need to understand what passkeys are, and feel comfortable using them over traditional passwords. It will also take some time before every organization adds passkey support to their website and apps.
There’s likely to be a period where everyone is using a mixture of passkeys and passwords to log in to their online accounts. Over time, that balance will change until passkeys protect the majority of accounts, rather than the minority.
Here at 1Password, we’re excited to play a role in accelerating this transition. Our team is hard at work bringing passkey support to 1Password in two different ways:
- Create, store, manage, and use passkeys in 1Password
- Create and unlock your 1Password account with a passkey
Passage also joined the 1Password family in November 2022. The team is focused on making it easier for developers to add passwordless authentication to their websites and apps. So a truly passwordless future might be closer than you think.
Do you use the same passkey for all of your online accounts?
You’ll need to create a new passkey for each online account. Think of your passkeys like physical keys – you don’t use the same key to unlock your front door, car, and everything else that’s important in your life. Creating passkeys isn’t tedious, though. Your device generates the passkey on your behalf, and unlike traditional passwords, there’s nothing for you to type out or memorize.
Do you need a Bluetooth connection to use a passkey?
You don’t need a Bluetooth connection if you’re signing in to an account with the same device that was used to create your passkey. Your device will ask you to authenticate using biometrics, but that’s it – no bluetooth required.
Bluetooth only comes into play if you create a passkey using one of the solutions built into Windows, iOS, macOS, Chrome, or Android – and then need to access that same passkey from a device that sits in a different company’s ecosystem.
Let’s go through this with an example. Imagine you create a passkey using the built-in solution on your iPhone. And then you want to log in to that account on your Windows PC at home. In this scenario, you’ll normally be prompted to authenticate using your iPhone. The system uses bluetooth to check that your two devices are close to one another, and that you’re not being phished by an attacker somewhere.
Remember: If you create and store passkeys using 1Password (coming soon!), you’ll be able to access your passkeys across all of your devices, and any major web browser.
Where are passkeys stored?
Each passkey consists of two parts – a public and private key – which are stored in different places. Both pieces are required for account access.
The private key is stored securely on your device. It’s never shared with the app or website you want to log in to. The public key, as the name implies, is safe to share publicly. In practice, that means the public key is seen and stored by the website or app you’re creating an account with.
You’ll have the choice to sync your passkeys across your devices using a password manager. For example, you’ll soon be able to create, store, and autofill passkeys using 1Password.
Google, Microsoft, and Apple’s solutions will also let you sync passkeys using their respective cloud-based storage services. This syncing is limited to the devices in their respective ecosystems, however. So Apple will offer to sync your passkeys between your iPhone, iPad and Mac, but not to a Windows PC.
Can thieves access passkeys from a stolen device?
If an attacker steals your phone, they can’t access your passkeys right away. The theoretical attacker would still need to unlock your device.
You might have Touch ID, Face ID, or another kind of biometrics set up. While secure, someone can always ask to enter your device password or PIN instead. But provided you’re using a strong password or PIN – one that isn’t short or predictable like “password” or “1111” – attackers will find it difficult to unlock your phone and exploit your passkeys.
It’s also worth mentioning that most hackers won’t bother trying to steal your phone. It’s neither cheap nor time effective for them to figure out where you are, travel to your location, and then try to pickpocket you.
Instead, hackers are more likely to use other techniques that allow them to steal traditional passwords without leaving their computer. These techniques include phishing, smishing, and other forms of social engineering.
How will 1Password support passkeys?
1Password is excited by passkeys and their potential to be a simple, fast, and secure sign in solution for everyone. Our team is hard at work bringing passkey support to 1Password in two different ways:
– Creating, saving, and filling passkeys in 1Password
– Unlock 1Password using a passkey
We’ll have more to share on these updates soon!
We’re also supporting passkeys via Passage, which joined 1Password in November 2022. The Passage team is building solutions that make it easier for businesses to add passwordless authentication to their websites and apps.
Learn more about passkeys
If you want to learn more about passkeys and everything else related to passwordless authentication, check out:
- Beyond Passwords, our passwordless newsletter
- This special episode of the Random but Memorable podcast, which explores all things passwordless
- Our future of 1Password microsite
Subscribe to our passwordless newsletter
Read the latest passkey announcements by 1Password, as well as helpful guides, explainers, and community chatter about passwordless authentication.
Subscribe to Beyond PasswordsNick Summers
Content Marketing Manager
Tweet about this post