Description: Here we consider passkeys in the crypto industry: what are these, how they work, and the benefits do they give to users. Find the answers in this article.
For years passwords have been the standard way to protect our digital lives, but now they are far from effective due to weak combinations (often used), reuse of the same password across several sites, phishing, and data breaches. A new and much more secure way of logging has emerged in reaction to these weaknesses: passkeys. Backed by several of the largest tech companies and standards groups, passkeys would eliminate traditional passwords, replacing them with cryptographic keys that fall off a truck less often, are more resistant to cracking, and are nearly impossible for phishers to phish.
So, here we’re explaining what passkeys are, how they work behind the scenes, and what you can do right now to start using them to secure your accounts with something that’s not only stronger than your average password but also a lot more convenient.
Passkeys are a more intuitive and secure way to log in compared to the old-world passwords and secret recovery phrases. They make it easy to navigate to websites and apps on a lot of different devices, and they save time as well. These are, for example, Face ID and fingerprinting authentication. The FIDO Alliance (founded by tech giants like Google, Apple, and Microsoft), along with the W3C, developed the standards upon which passkeys are built. They use cryptographic key pairs.
Your private key remains safely on the browser or in a password manager, and your public key is shared with the website or app in order to prove to them who you are. This is an easy and quick way to sign in to your accounts.
For example, in Nonbank Wallet, Face ID and fingerprinting replace the requirement for a password or 12-word seed recovery phrase. This means that there are no complex passwords or credentials that users must manage or memorize and later lose or forget. The outcome is a simpler and more secure experience, which makes access and recovery safer and easier.
So, let us consider the comparison of passkey vs password in detail. Passkeys are implemented using cryptographic keys (public and private keys) and biometric authentication, instead of remembering and typing the sequence of symbols in a password. Passwords, on the other hand, are subject to multiple attacks, and users remember very complex strings of characters.
Here's a more detailed breakdown:
| Passwords |
Passkeys |
|---|---|
|
|
When you register for a service with a passkey, the device you’re using creates two cryptographic keys: a private key and a public one. A public key is stored on servers, while the private key is saved on your device in a secure hardware element. Examples of such include Apple’s Secure Enclave, Windows and Android’s Trusted Platform Module (TPM) and Samsung Knox on Galaxy devices. These parts are compartmentalized away from the rest of the operating system and essentially act as digital vaults, securing your private key even if malware or other risks infect the device.
The passkeys are meant to transition across your devices too. Secure cloud sync via accounts such as iCloud or Google means that your private key can be safely and securely accessed across all of your devices, enabling never-ending, password-less logins wherever you're signed in.
When you log in, it’s not a password you enter, but a device you unlock with biometrics or PIN. The device then signs a login challenge with your private key and returns this signature to the service. The stored public key is used by the service to authenticate the signature. Every login tries a nonce, a time-based signature that has a very short shelf life and is resistant to interception and replay attacks.
What is better: a password or a passkey? Passkeys are a safer, easier, and more updated way to log in to apps and sites with several noticeable benefits over old-school passwords:
Thus, we can say that in general passkeys are a great password replacement.
So, now let's discuss how a passkey works. You usually create a passkey within your device’s security settings (such as fingerprint or face unlock), and then you select to use it when you log into your account on a service or app that has added the login option. You can usually find these passkey settings on your device in your security or account settings or under a heading called "Passwords & Accounts" or "Sign-in & Security."
Once you opt to set up a passkey, your device will walk you through a process that could include establishing your identity through biometrics (like fingerprint or facial recognition) or using a PIN.
Generated passkeys are then usually saved in a secure location on your device or in the web’s password manager (usually iCloud Keychain or Google Password Manager).
The newfound use of passkeys may have the potential to promise even safer and smoother authentication, but there are several issues surfacing as far as user experience (UX) and compatibility are concerned.
Device and Platform Compatibility
Passkeys rely on modern operating systems and browsers with support for the FIDO2/WebAuthn standard. And support among Apple, Google, and Microsoft continues to grow, with, as I’ll explain, some older devices and platforms still not offering full functionality. This might create some friction for people working in hybrid or legacy tech environments.
Cross-Platform Synchronization
Passkeys are also meant to be shared between devices through cloud services like iCloud Keychain (on macOS devices) or Google Password Manager (in setting up a passkey in Google). But good luck getting things synced cross-platform, say between an Apple device and a Windows or Android phone, without a shared ecosystem or a third-party password manager that supports passkeys.
User Education & Trust
As for passkeys, education is everything, as they’re all new to over 90% of the user base. Average users are comfortable with passwords and might not even understand passkeys; they may also be wary of cryptographic keys and biometric log-in. The accounts are easy to follow, and the subject matter is easy to understand, the latter point being very important in order for people to feel confident and to feel enthusiastic.
Backup and Recovery
A frequent question is, what if I misplace my device? It’s true that cloud syncing allows users to back up their keys, but they would have to know or learn how to recover their passkeys or access their accounts on a new device. Services should provide simple recovery flows so that there are no lockouts and no need for users to fret.
Gradual Transition
Passwords remain the default way to log in for most apps and websites. An effective change to passkeys may also mean supporting both options through a gradual implementation. The ability to provide passkeys but in an optional (non-mandatory) use makes the transition into a new experience bearable.
Education is the key to unlocking the user's dependency on the old password. Developers and service providers need to ensure a good education program, as well as intuitive onboarding and cross-platform support to help users get off "traditional passwords."
Nudging in User Experience As mentioned earlier, nudging in UX design is the process of subtly redirecting users where they need to go to interact with a system by nudging them through design to take action, although ultimately still allowing them to make a decision on their own terms. Design guidelines for expectation-driven nudging include the aspect of making nudges subtle and transparent as well as the factor of taking the user into account, giving the users autonomy and reflecting their particular situation and the needs for nudging.
Nudges are design elements or features that "steer people to make certain decisions with ease, without forcing them. To provide a better user experience and keep users engaged, and to subtly nudge them in the "right" direction.
Best UX Practices for Nudges:
By using such best practices, designers can employ nudges such that they succeed in creating better user experiences while guiding users towards a given targeted or desired outcome, while nowhere interfering with or limiting their freedom or autonomy.
Passkeys offer a more secure and user-friendly alternative to passwords, but not without drawbacks and potential pitfalls. Some of these are device-specific, some of them are issues that arise with cross-platform compatibility, and some are just because we like our software to try and recover as best it can. User education and consistent support across the platforms are also very important.
No security system is absolutely foolproof, but passkeys are pretty tough to crack. No passwords to steal, no private key stays on the device, resistance to replay attacks, strong biometric protection, and end-to-end ecosystem security are the reasons why getting a passkey is much more difficult than breaking a password.
It is unlikely that your device will be stolen or compromised. If someone gets hold of your unlocked device or can find a way around your smartphone’s biometric key (e.g., with purpose-built malware or a physical bypass), they could potentially authenticate as you. But that way of thinking is far more difficult to pull off than traditional theft of passwords.
Despite all the vulnerabilities, when asking “are passkeys secure?” or “are passkeys secure?” we can definitely say “yes,” especially compared to passwords.
Passkeys, in short, are a big push towards better digital security that is both more secure and more user-friendly than traditional passwords. With the passkey security features embedded in the latest devices and browsers, passkeys make it easy to auto-fill complex passwords, just as Foreign Language II enables instantaneous password updates.
Backed by industry giants such as Google, Apple, and Microsoft through the FIDO Alliance, passkeys are rapidly becoming a platform-agnostic standard. Their use in apps is easy, and they enhance account security with device-based cryptographic keys.
As threats to cyberspace multiply in times of global unrest and accelerated developments in AI, passkeys can be a proactive solution to protect one's data from unauthorized access.
