Passkeys vs. passwords: What are the differences?

Humans have used different forms of passwords to guard secrets for centuries. These days, we use strings of characters to access everything from garage doors to digital documents.

The average person has over 100 passwords, all of which should be complex, random, and unique — a tall order if you don’t use a password manager like 1Password.

We can add more special characters and make them absurdly long (when apps and websites allow us to) but they’re still the same passwords with the same risks. It’s time for passkeys.

But what are passkeys and how do they differ from passwords? Can you use passkeys and passwords together? And are passkeys safer than traditional passwords?

Let’s find out.

On the surface

When you create an account today, you choose a password and enter (or fill) that password when you want to sign in. You’re given access if what you enter matches what you chose when you signed up.

Passkeys give the sign-up process a bit of a makeover. You use your biometrics (face or fingerprint) or local device password to secure your new account, then use that same check to prove your identity when you sign in.

The password and passkey processes sound pretty similar on the surface. A specific piece of information protects your account, and you need to provide that same piece of information to log in.

So, what’s the difference? It’s a secret.

What lies beneath

Traditional passwords are known as shared secrets. While they’re often disguised on your screen as a series of asterisks or bullets, you have to type and submit them in plain text. When you create an online account, the website uses a one-way algorithm – complex, predetermined math – to scramble that text. The result, which is called a hash, is then saved by the website or app.

When you sign in, the website performs the same math on the password you enter or fill. If the resulting hash matches what was stored when you signed up, you’re in.

By contrast, passkeys are a form of passwordless authentication that uses public key cryptography. That means each passkey is actually a pair of keys – a public key and private key – that are mathematically linked to one another. Your public key is meant to be shared, and is stored by the app or website when you create a new account. But your private key never leaves your device — it’s a true secret.

To sign in, your device sends a request and the website returns a challenge that can only be solved (or signed) with the corresponding private key. Your device uses the private key – that only it has – to complete the challenge. The completed challenge is sent back and the website verifies the answer.

The fundamental difference between passwords and passkeys is the presence of a true secret. With a password, everything you need to log in to an online account is shared with and stored by the app or website. But every passkey has a unique secret, and each one is yours to keep.
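
The two sign-in flows described above, side by side, as an added example that is not 1Password's code or the real passkey (WebAuthn) protocol. It is a simplified sketch using Node's built-in crypto module; the function names, the scrypt and Ed25519 choices, and the sample passwords are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Password: a shared secret. The site receives it and stores a salt plus a hash.
function registerPassword(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Sign-in repeats the same math and compares the result with the stored hash.
function verifyPassword(record, attempt) {
  const candidate = crypto.scryptSync(attempt, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Passkey: the device keeps the private key; the site stores only the public key.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, server: { publicKey, pending: new Set() } };
}

// Site: issue a fresh random challenge and remember it until it is answered.
function issueChallenge(server) {
  const challenge = crypto.randomBytes(32);
  server.pending.add(challenge.toString('hex'));
  return challenge;
}

// Device: sign the challenge. Only the signature is sent, never the private key.
function signChallenge(device, challenge) {
  return crypto.sign(null, challenge, device.privateKey);
}

// Site: accept a valid signature over a challenge it issued, and only once.
function verifyResponse(server, challenge, signature) {
  if (!server.pending.delete(challenge.toString('hex'))) return false;
  return crypto.verify(null, challenge, server.publicKey, signature);
}

// Constructed demo values, not real credentials.
function demo() {
  const record = registerPassword('correct horse battery staple');
  const { device, server } = createPasskey();
  const challenge = issueChallenge(server);
  const signature = signChallenge(device, challenge);
  return {
    passwordOk: verifyPassword(record, 'correct horse battery staple'),
    passwordWrong: verifyPassword(record, 'Tr0ub4dor&3'),
    passkeyOk: verifyResponse(server, challenge, signature),
    replayRejected: !verifyResponse(server, challenge, signature),
  };
}
```

In the password flow the secret itself crosses the wire on every sign-in; in the passkey flow the site only ever sees a public key and a signature that is valid for one challenge.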

What passwordless means for your security

Imagine your favorite website supports passkeys. Exciting! You want to go passwordless and wonder if using a passkey over a password will really make your account safer.

It will — really. For a number of reasons:

  • Passkeys can’t be guessed because of their innate complexity. Weak and predictable passwords (and their hashes) are often hacked but there’s essentially an infinite number of passkey combinations.

  • Attackers who gain access to your public key during a data breach will discover it’s useless without its private counterpart. That’s the private key, which is always your secret, and never shared with the websites and apps you sign in to.

  • Passkeys leave hackers with nothing to intercept, phish, or socially engineer. It’s possible to view traditional passwords as they’re in transit, or trick people into sharing them (or information about them). Private keys, meanwhile, don’t leave your device, or contain text that can be guessed or shared.

Passwordless authentication also comes with its own multi-factor authentication (MFA). By definition, MFA consists of two or more factors of authentication: something you know (like a password), something you have (like a one-time code), or something you are (biometrics).

Passkeys require you to verify both your identity and private key — and it all happens in one quick, easy step. That makes signing in with a passkey faster and simpler than traditional multi-step MFA processes.

What passwordless means for your passwords

Passkeys offer a lot of advantages but it will take years for the entire internet to support them. That means the passwords we love (to hate) will be around for some time. You’ll need to manage a mixture of passwords and passkeys for a while, and doesn’t that sound like fun? The good news is that 1Password will be there for you.

In the near future, 1Password will introduce passkeys as an item type so you can store them right alongside your passwords and use them seamlessly (and easily) across your devices, no matter the operating system.

What passwordless means for you

New technology can be daunting and difficult to master — there’s no denying that — and we often perform internal cost-benefit analyses: we’ll weigh the time and energy it will take to learn and incorporate the technology against the payoff the new technology will offer.

The bottom line: Passkeys are worth it.

They’re more convenient and safer to use, and they offer better protection than traditional passwords. Passwordless technology is not only a vast improvement over the passwords we use today, it’s the future of authentication.

And the future looks bright.


Megan Barker - Security Scribbler
