We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.
A passkey is a security measure used to grant access to a protected system. This guide explains how it works, and provides more information on its uses and benefits.
A passkey is a specific authentication method that can be used as commonly as a password but to provide additional security. Passkeys differ from passwords as they combine private and public cryptographic keys to authenticate users, whereas a password relies on a specific number of characters.
According to Google, the most immediate benefits of passkeys are that they’re phishing-resistant and spare people the headache of remembering numbers and special characters in passwords.
As passwordless authentication continues to evolve — in response to phishing-related risks — consider using passkeys to implement an added layer of security to protect your online accounts and data.
This article will define passkey technology, explore how it works and discuss the added security benefits of using a passkey.
Featured Partners
TechRepublic is able to offer our services for free because some vendors may pay us for web traffic or other sales opportunities. Our mission is to help technology buyers make better purchasing decisions, so we provide you with information for all vendors — even those that don’t pay us.
A passkey refers to a code or a series of characters used to gain access to a secured system, device, network or service. Passkeys are often used in conjunction with usernames or user IDs to create two-factor authentication (2FA).
After you’ve established a passkey, all you need to do is log in to complete the authentication process, typically using biometric data such as a fingerprint or facial recognition. For those who utilize a passkey, logging in becomes a simple, nearly automatic process; for malicious actors, it becomes nearly impossible.
The implementation of passkeys is highly adaptable since they may be configured to be cloud-synced or hardware-bound, contingent on the user’s choices regarding the particular application, service or device.
How do passkeys work?
When logging in for the first time, a user who wants to access an app or website with passkey technology — such as NordPass — will be asked to generate an original passkey. This passkey, which will be required for authentication in the future, can be accessed using either biometrics or personal PINs based on the user’s selection and the capabilities of their preferred device.
Figure A
During this stage, two mathematically linked cryptographic keys are generated: a public key that stays with the website, service or application but is connected to the account, and a private key that stays on the user’s hardware or cloud account. The service or application will send a randomly generated “challenge” to the user’s device during successive logins, which the user must react to by signing in with the private key.
The app or website can confirm the legitimacy of the private key by utilizing the corresponding public key to confirm the response. Access is allowed, and authentication is validated if the user’s verified signature attached to the challenge’s response agrees with the original randomly generated challenge; if not, access is denied.
This authentication process is done in the background, making login on the user’s end seamless — with just the click of a button.
Figure B
Can passkeys be shared?
The implementation of passkey technology is still developing, but some companies have mentioned the potential for credential sharing amongst users — as long as the actual passkeys are kept safe in the cloud and out of the hands of potential hackers. Since sharing account access with family, friends and coworkers is a very simple and quick process, this feature may improve the overall user experience. However, it is still unclear how this function can be securely managed in a business setting.
Another crucial factor to consider is whether businesses should become even more dependent on cloud providers and give up even more ownership and control over credential management, given that a breach of those parties’ data would, without a doubt, have disastrous consequences.
Hardware-bound passkeys, as opposed to cloud-based passkeys, are stored on security keys, physical hardware authenticators or specialized hardware integrated into laptops and desktops. This means that the passkey is neither transferable nor duplicated. Hardware-bound passkeys can be an alternative for organizations wanting to prevent employees from copying or sharing keys across devices.
Are passkeys more secure than passwords?
In general, both passkeys and passwords can be secure if managed properly. However, security depends on various factors, including the complexity of authentication, implementation and how well users manage and protect their credentials. To be deemed secure by today’s standards, passkeys and passwords should have the following characteristics:
Complexity: The longer and more complex the passkey or password, the harder it is for bad actors to compromise.
2FA: A second factor of authentication can enhance security for both passkeys and passwords, making it more challenging for unauthorized users to gain access.
Encryption: Strong encryption methods are crucial for protecting stored credentials.
Ultimately, the security of passkeys and passwords isn’t inherently dependent upon the type of credential but instead how they are implemented and managed.
Subscribe to the Cloud Insider Newsletter
This is your go-to resource for the latest news and tips on the following topics and more, XaaS, AWS, Microsoft Azure, DevOps, virtualization, the hybrid cloud, and cloud security. Delivered Mondays and Wednesdays
Subscribe to the Cloud Insider Newsletter
This is your go-to resource for the latest news and tips on the following topics and more, XaaS, AWS, Microsoft Azure, DevOps, virtualization, the hybrid cloud, and cloud security. Delivered Mondays and Wednesdays
Share Article
Account Information
Share with Your Friends
What is a Passkey? Definition, How It Works and More
Jonathan Kalibbala is a technology professional and writer. Jonathan has worked in the enterprise technology space with both Fortune 100 companies and startups for close to twenty years in a variety of roles as an engineer, architect, project manager, customer success and consultant. Jonathan writes about cloud, data center and their ecosystem of solutions and tools.