Why passkeys are better than passwords

Maybe you’ve felt it, or maybe you’ve only imagined it: the feeling of your stomach sinking. That panic at the very moment you realize you have just entered your login credentials into a fake website. You might have realized it right away. Or maybe you only realized it because you went back the next day and couldn’t log in. Maybe you realized it because your bank account had been wiped out. However you felt (or imagined) it, it is not the kind of feeling you would ever want to have.

But imagine never worrying about it again.

That’s what passkey and passwordless authentication can bring you.

Why passkeys are better

Every day we draw closer to a passwordless world. We all carry devices that can easily be used to prove who we are, usually through fingerprints or face scans, and all new laptops have fingerprint readers. Passkeys take advantage of these technologies to greatly enhance the security of your accounts. Apple has introduced passkeys to its ecosystem, and Microsoft and Google are releasing their versions very soon.

I have written about why we should move beyond passwords and how the entire passkey system works. In this post, I will discuss why passkeys are a better solution than passwords. There are many reasons why passkeys are the better solution, but it all boils down to two things.

Passkeys share no secret information

This is the biggest reason why passkeys are more secure than passwords. With passkeys, passwords are no longer a threat vector at all.

Passwords account for 80% of all security breaches. Passkeys reduce this threat to almost nothing. You cannot reuse a passkey. You don’t need to remember them. They are generated and stored for you, so you don’t have to worry about creating and storing them yourself. You cannot be tricked into giving them away either: each passkey is unique to a specific website and thus cannot be handed over to a phishing website.

The sensitive data associated with each passkey never leaves your device. It is stored on a special chip (a Trusted Platform Module) on your phone, which not even the NSA can crack. If you register with a website using a passwordless solution like Passage, that site receives nothing but a public key, which is useless for breaking into your account. While Apple lets you share a passkey with others via AirDrop, you cannot hand the actual private key to a phishing site even if you wanted to.

Passkeys are a better user experience

Registering for an account on a website can be a hassle. Often you have to think of a password that meets various criteria designed to make it difficult to guess. Often, users have to take their attention away from your site in order to retrieve a six-digit code from their phone or email. More than 30% of all online shopping carts are abandoned because of the hassle of registering for an account or because users can’t remember their passwords. Password managers can help with the situation, but using them can be complicated for many people. The whole experience needs improvement.

Multi-factor authentication (MFA) can improve the security of password-based systems but does so at the cost of reduced user experience. MFA requires the user to switch contexts, usually by moving to another application to grab a six-digit number. I know I often fail to find my phone to get a one-time password.

Instead, passkey registration requires biometric system verification – as simple as a fingerprint touch or a glance at the camera – and one-time device approval. After that, logging in is as simple as biometric verification. Instead of typing complex passwords and grabbing one-time password codes or checking email, your users can log in in seconds or less.

Passkeys are actually a form of MFA: they require something you have (your device) and something you are (for example, your face or your fingerprint).

Passkeys are only getting better. Eventually, you’ll be able to log in without even entering your password or phone number. Instead, the login input box will simply know that your device has a passkey for the given domain and will auto-prompt you.

Let’s do it

I remember the good feeling when my bank’s mobile application allowed me to log in with my fingerprint instead of typing my complicated (and ultimately not-so-secure, no matter how complex) password. It was definitely a freeing moment. You want that for your users when they visit your website or log in to your mobile application, right? Heck, you want it for yourself every time.

In the end, passkeys are virtually impossible to phish and a lot more convenient.
