
Have you noticed more of your favorite apps giving you the option to set up a passkey to sign in? Our clients are asking if they should ditch their passwords now and create passkeys instead. The short answer is maybe. Passkeys are more secure than passwords, but here’s what you should know before you jump in.
What is a passkey?
Passkeys have been described as digital secret handshakes. In short, a passkey is a generated code consisting of two cryptographic keys: a public key for encryption and a private key for decryption. The public key is stored with the application or website, while the private key is stored locally on your device, which can be your phone, computer or tablet.
When you log in, you prove it’s you by your face scan, fingerprint, PIN, or however you’d usually unlock your device. The two keys communicate with each other and when they verify, you’re signed in!
How Passkeys Are More Secure Than Passwords
Creating and keeping track of secure passwords is challenging. Passwords can be hacked, stolen, and sold, and we may not even know when or how. Microsoft reported that last year it observed a staggering 7,000 password attacks per second. Even using multifactor authentication, password authentication is still vulnerable to attack.
By contrast, passkeys are:
- Phishing-Resistant: Since passkeys don’t involve typing anything in, there’s nothing for attackers to steal via fake login pages.
- Unique Per Site: Each passkey works only with the site or app it was created for, so it can’t be used across multiple accounts and is useless even if it’s intercepted.
- Securely Stored: The private key never leaves your device and is protected by biometrics or your device PIN. If the public key on the website or app is breached, it’s useless to cybercriminals without the accompanying private key, which would require the cybercriminal having physical access to your device.
- Quicker to Use: Logins are at least 2x faster using passkeys than passwords with multifactor authentication.
Using passkeys increases protection against phishing attacks, reduces the risk of account takeovers, and can even improve regulatory compliance. But there are a few drawbacks.
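In the WebAuthn standard behind passkeys, the device proves it holds the private key by signing a one-time challenge from the site, and the site checks that signature with the public key it stored at setup. The following added example is not from the original article; it is a simplified Node.js model of that exchange, with hypothetical function names and constructed origins. It shows why a lookalike site gets nothing to steal and why an intercepted sign-in response cannot be reused.

```javascript
// Added illustration (not from the original article): a simplified model of
// passkey sign-in. Function names and origins are constructed for the example.
const { generateKeyPairSync, sign, verify, randomBytes } = require("node:crypto");

// Device side: one private key per site, looked up by the site's origin.
const deviceKeystore = new Map();

function register(origin) {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  deviceKeystore.set(origin, privateKey); // private key stays on the device
  return publicKey; // only the public key is sent to the site
}

// Device side: sign the site's one-time challenge together with the origin
// the browser is actually connected to.
function authenticate(originSeenByBrowser, challenge) {
  const privateKey = deviceKeystore.get(originSeenByBrowser);
  if (!privateKey) return null; // no passkey for this origin, nothing to hand over
  const payload = Buffer.concat([Buffer.from(originSeenByBrowser), challenge]);
  return { origin: originSeenByBrowser, signature: sign("sha256", payload, privateKey) };
}

// Site side: accept only a signature over its own origin and the challenge it just issued.
function verifyLogin(expectedOrigin, publicKey, challenge, assertion) {
  if (!assertion || assertion.origin !== expectedOrigin) return false;
  const payload = Buffer.concat([Buffer.from(expectedOrigin), challenge]);
  return verify("sha256", payload, publicKey, assertion.signature);
}

function demo() {
  const site = "https://bank.example"; // constructed origin
  const lookalike = "https://bank-login.example"; // constructed lookalike origin
  const publicKey = register(site);
  const firstChallenge = randomBytes(32);
  const response = authenticate(site, firstChallenge);
  const laterChallenge = randomBytes(32);
  return {
    genuine: verifyLogin(site, publicKey, firstChallenge, response),
    phished: authenticate(lookalike, firstChallenge), // device has no key for this origin
    replayed: verifyLogin(site, publicKey, laterChallenge, response), // old response, new challenge
  };
}

console.log(demo());
```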
Current Passkey Challenges and Limitations
While there are clear benefits to passkeys, widespread adoption of the technology is moving slowly and is expected to take years. We’ll all be learning as we go.
A few of the current challenges include:
- Learning Curve: For non-technical users, the concept of a passkey and how it differs from a password might be confusing at first. Clearer education and user-friendly interfaces are still evolving.
- Limited Compatibility: Because passkeys are tied to specific devices, managing them across different operating systems and device types can be complex. For example, if you use a Windows PC to generate a passkey and you want to log in to that account from your iPhone, you’ll need a service that enables you to sync your passkey across devices, such as a password manager. Without such a service, you’d still need to have the original device with you to authenticate.
- Remembering Where They’re Stored: Since passkeys live on specific devices or within specific ecosystems (like iCloud, Google or Microsoft), it can be tricky to remember where you set them up, especially as you’re learning to use them. For example, you could have one passkey tied to your biometrics on your Windows laptop and a separate passkey for the same site tied to your iPhone.
- Device Loss or Upgrade: If you lose access to your primary device and haven’t synced your passkeys to the cloud, recovering them could be difficult. Ensuring your passkeys are backed up or accessible via a trusted service is crucial.
- Challenging to Remove: Some sites do not allow you to name passkeys. If you try to “clean up” older passkeys you may have to guess which passkey is for which device. Be careful here because deleting the wrong one may lock you out.
- Not for Shared or Public Devices: Avoid setting up passkeys on a machine you share with someone else. Since the passkey is bound to the device, anyone with access to the device can potentially use the passkey.
- Limited Availability: Major players like Google, Apple, Microsoft and Amazon already encourage using passkeys. Still, while the number of passkey-friendly sites and apps is growing, there’s a long way to go.
- Less-Secure Password Option May Remain: Even if you set up a passkey, most software will allow you to keep password authentication, too. Some still require the username and password and then use the passkey for MFA. Strictly speaking, it’s safest to disable the option for password authentication if your site or software allows it.
However, our advice is to not disable usernames and passwords right away, especially as you’re learning to use passkeys. If you remove the option to use a username and password and something goes wrong, you could be permanently locked out of your account.
A better approach is to increase your password length, enable MFA on the account, and only use your username and password as an “emergency unlock” to the account. Should you need to “break the glass”, set up a new passkey and then change your password again. This effectively makes your password one-time use only and less likely to be compromised.
How to Get Started Using Passkeys
Start by setting up passkeys on one or two accounts as a test.
- Enable a Passkey-Compatible Account
Some accounts will give you the option to set up a passkey after you sign in with your traditional username and password. Or, log in to your account settings and look for the “Passkey” or “Passwordless” option.
- Note Where Your Passkey is Stored and How It’s Synced
Know which device your passkey is stored on and understand if it’s synced across your ecosystem (for example, iCloud Passwords & Keychain for Apple devices or Google Password Manager for Android and Chrome users). If it’s synced, you can log in on your laptop using a passkey stored on your phone, or vice versa, as long as you’re in the same ecosystem.
- Consider Using a Cross-Platform Password Manager
If you use multiple platforms, a third-party password manager (like Keeper) can help you access your passkeys across devices and ecosystems. Generally, we suggest using a specialized password manager rather than a browser-based manager as an additional security layer. But nothing is foolproof, and all password managers come with their own risks.
Passkeys represent a major step forward in online security, offering a future where login credentials can’t be guessed, stolen, or phished. As passkeys become the new standard, expect increased pressure from cyberattackers on any accounts still protected by passwords or other phishable sign-in methods. Over time, passkeys are likely to replace traditional passwords, helping keep everyone safer.
If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.
By Janet Gehring
June 19, 2025