Why Passkeys Are Becoming Essential for Online Security

ByJorge Pereira
Tags: , ,

AI Disclaimer I love exploring new technology, and that includes using AI to help with research and editing! My digital “team” includes tools like Google Gemini, Notebook LM, Microsoft Copilot, Perplexity.ai, Claude.ai, and others as needed. They help me gather insights and polish content—so you get the best, most up-to-date information possible.

Disclaimer:  I work for Dell Technology Services as a Workforce Transformation Solutions Principal.    It is my passion to help guide organizations through the current technology transition specifically as it relates to Workforce Transformation.  Visit Dell Technologies site for more information.  Opinions are my own and not the views of my employer.

Lately I have been noticing so many sites asking to move from passwords to passkeys. As our digital landscape evolves, the need for stronger authentication methods has never been more critical. Passkeys are emerging as a robust alternative to traditional passwords, promising enhanced security and a user-friendly experience.

Passkeys Replace “What You Know” with “What You Have”

Passkeys replace “what you know” (a password) with “what you have” (your device). By using encrypted digital keys instead of shared text, they eliminate the risk of credentials being stolen in a data breach or tricked away by a fake website.

Note: This post came about because Microsoft release a new feature for EntraID to store, manage and sync passkeys! FIDO2 support!

The Problem with Passwords

For decades, passwords have been the front line of defense, but they have inherent flaws:

  • Weakness to Hacking: Simple passwords can be easily guessed or “brute-forced.”
  • Phishing Vulnerabilities: Users are often tricked into typing passwords into fake sites.
  • Credential Stuffing: Hackers use stolen passwords from one breach to log into your other accounts.
  • AI-Enhanced Attacks: Hackers now use AI to automate and refine phishing tactics at an alarming scale.

Why Passkeys Are More Secure

Passkeys use cryptographic keys that are inherently resistant to these hacking techniques:

  • Phishing-Proof: A passkey is tied to the specific, legitimate domain of a website. It physically cannot be used on a “look-alike” phishing site.
  • No Shared Secrets: You never “send” a password. You only send a digital signature that proves you have the key.
  • Device-Specific: They leverage the hardware security of your device, making them nearly impossible to steal remotely.

Where Are Passkeys Stored?

  • Password Managers: Services like Bitwarden or 1Password store passkeys in an encrypted vault, allowing you to sync them across different operating systems.
  • Cloud Ecosystems: Apple (iCloud Keychain) and Google (Password Manager) store passkeys within the OS, syncing them across your personal devices.
  • Hardware Security Keys: For maximum security, devices like a YubiKey store “hardware-bound” keys that can never be copied or moved.

How It Works (The Technical Bit)

Passkeys use asymmetric cryptography. When you create an account, your device generates a Private Key (which stays on your device) and a Public Key (sent to the website).

To log in, the website sends a “challenge.” Your device uses the Private Key to “sign” it and sends the signature back. The website verifies it with the Public Key and grants access—without a single password ever being transmitted.

Accessing from a New Device

A common concern is: “What if I’m on a computer I’ve never used before?” Passkey standards are designed for this:

  • The QR Code Method: If you try to log in on a new computer, it will display a QR code. You scan this with your phone. Your phone uses Bluetooth to verify you are physically there and biometrics to authorize the login.
  • Cross-Platform Sync: If you use a password manager like Bitwarden, simply logging into your vault on the new device gives you instant access to your stored passkeys.
  • Physical Keys: If you use a hardware key (like a YubiKey), you can simply plug it into any device to authenticate.

Why Some People Might Hesitate

Despite the advantages, there are valid hurdles to adoption:

  • Device Compatibility: Older hardware may not support the latest passkey standards.
  • The Learning Curve: Moving away from the “username/password” habit takes a mental shift.
  • Recovery Concerns: Users worry about what happens if they lose their primary device (Pro-tip: always set up a “Recovery Key” or a second security device).

Passkeys represent a significant shift toward a more secure digital future. By addressing user concerns and providing clear guidance, we can move toward an era where “forgotten passwords” and “phishing” are things of the past.

Resources:

A couple of excellent resources: