Passwords are the weakest point of our security. They are hard to remember, easy to leak, and fraudsters chase them with phishing. They are gradually being replaced by passkeys, which let you log in without any password at all. Let us explain how they work and why they are safer.

What a passkey is

A passkey is a way to log in without a classic password. Instead, you log in with what you use to unlock your phone or computer, that is a fingerprint, face or PIN. The device confirms that it really is you, and you do not worry about anything else.

How it works

Passkeys are built on the open FIDO2 (WebAuthn) standard, jointly developed by technology firms and browser makers, so it is not a single-brand solution. When a passkey is created, a pair of keys is generated: the private key stays on your device (and never leaves it), while only the public key is stored with the service. At login, the device cryptographically signs a challenge from the service, proving it holds the private key. No secret that could be stolen or observed is transmitted, unlike a password, which you send at login.

Why they are safer than passwords

  • They cannot be guessed or made up, because there is no password to crack.
  • They do not leak in a database breach, because the service does not have your secret at all.
  • They resist phishing, because they are tied to a specific site and do not work on a fake one.
  • You do not have to remember or write anything down.

How to start using them

Passkeys are already supported by Google, Apple, Microsoft, many banks and other services. At login you simply choose the passkey option and confirm with a fingerprint or face. Passkeys usually sync through your account between devices (Apple via iCloud Keychain, Google via Password Manager, Microsoft via your account), so you have them handy on both phone and computer. A separate password manager that can store and sync passkeys across different brands also helps.

A practical tip: you can use a passkey from your phone on someone else’s computer too. The page shows a QR code, you scan it with your phone and confirm the login with a fingerprint or face right there. The private key stays safely on the phone the whole time.

What to watch out for

  • If you lose a device, rely on syncing through your account, or keep a backup login method.
  • Passkeys are not everywhere yet, so they do not fully replace passwords and two-factor authentication for now.

Passwords will not disappear overnight

We are in a transition period when passwords and passkeys work together. We do recommend enabling passkeys wherever possible, especially on important accounts like email and banking. It is one of the most effective steps against phishing.

Want to secure your accounts in a more modern and convenient way? Get in touch, we will advise on setting up passkeys and overall protection.