What are Passkeys?

Google has officially made passkeys the default sign-in method for all personal accounts on its network and they’re not the only ones embracing the technology.

Microsoft, Apple, Uber and eBay are among the big names also said to be supporting their use.

But what are passkeys? And why is everyone talking about them?

 

Keeping safe online

The world has gone digital and that means we’re now carrying out more and more of our daily activities online – from working to shopping, banking, catching up with friends, sharing photos on social media, and entertainment.

To put this in perspective, the average person now spends around six hours and 40 minutes online every day (but for some this figure is way higher). And with all the apps and websites we’re now active on, it’s estimated we’re typically juggling around 200 passwords, which act as the first line of defence against cybercriminals.

Read our blog How to tackle employee password fatigue for tips on managing this, and reach out to our expert team here at Dragon IS if you’d like advice on using tools such as Password Managers that can help make life easier.

As the online world has grown, so too has the number of cybercriminals and they continue to launch increasingly sophisticated attacks, ranging from data breaches and ransomware attacks, to phishing campaigns.

With cybercriminals upping the ante, so too is big tech, and they continue to look at new ways to keep us safe online – Passkeys being one such innovation.

 

What Are Passkeys?

Passkeys – also sometimes referred to alongside terms such as security keys or hardware tokens – are a new way to sign in to apps and websites. (If you use mobile banking, then you’re probably already familiar with them).

Passkeys work differently to passwords. Rather than being based on a string of letters, numbers and characters, with a passkey there is a physical element involved that is unique to the user. For example, you might need to provide a fingerprint, a face scan, or to use a pin or pattern to unlock your device.

 

What is so great about Passkeys?

According to Google, passkeys are ‘40% faster than passwords’. Because they rely on a type of cryptography, they are also more secure, being resistant to both phishing and data harvesting.
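The cryptography mentioned above, shown as a simplified example added here (it is not code from Google or from this blog): the device signs a one-time challenge together with the address of the site the browser is really on, and the site checks both against the public key it stored at sign-up. The example.com address, the look-alike address and all function names are assumptions for illustration, and the message layout is a cut-down version of the WebAuthn standard that passkeys use.

```javascript
// Added example: simplified WebAuthn-style passkey check (all names are illustrative).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Assumed site: example.com stands in for the real service.
const RP_ID = 'example.com';
const EXPECTED_ORIGIN = 'https://example.com';

// Registration: the device keeps the private key, the site stores only the public key.
function registerPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the site's challenge plus the origin the browser is really on.
function signAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  // Cut-down authenticator data: hash of the site name, flags byte, 4-byte counter.
  const rpIdHash = sha256(new URL(origin).hostname);
  const authenticatorData = Buffer.concat([rpIdHash, Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: returns 'ok' only if every check passes.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  if (clientData.origin !== EXPECTED_ORIGIN) return 'wrong-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-site';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed run: a genuine sign-in, then a response produced on a look-alike address.
function demo() {
  const { publicKey, privateKey } = registerPasskey();
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, EXPECTED_ORIGIN);
  const lookAlike = signAssertion(privateKey, challenge, 'https://examp1e-login.test');
  return [verifyAssertion(publicKey, challenge, genuine),
          verifyAssertion(publicKey, challenge, lookAlike)];
}
console.log(demo());
```

A live service should rely on a maintained WebAuthn library, which also handles the full data format, counters and attestation.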

In contrast to traditional passwords that are susceptible to compromise, forgetfulness, or theft, passkeys introduce an additional layer of security by requiring a physical element for user verification.

And as for the problem of password overload, writing on its blog, Google explains: “We’ve found that one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords.”

 

How do Passkeys work?

 

Physical Tokens:

Passkeys can be physical, for example taking the form of a USB device or smart card. One organisation using this method is Barclays, who provide their banking customers with a card reader that generates a unique passkey each time they try to log in, or to carry out key tasks within their account.

Biometric Measures:

Some passkeys utilise biometric data, such as fingerprints, facial recognition or even iris scans, for identity verification. This method ensures that only the authorised user can access the protected account or system.

Multi-Factor Authentication (MFA):

Passkeys are often integrated within multi-factor authentication systems, combining something the user knows (a password) with something they have (a physical token) or something they are (their biometric data). This multi-layered approach can significantly enhance security.

 

Advantages of passkeys

As we’ve already touched on, there are many potential benefits to using passkeys.

Enhanced Security

Passkeys provide a higher level of security compared to traditional passwords. The physical presence of the key or biometric data adds an extra layer of protection, making it significantly more challenging for cybercriminals to gain unauthorised access.

Phishing Protection

Passkeys are highly effective in countering phishing attacks. Even if a user accidentally gives their password over to a phishing site, the attackers will still require the physical token or biometric data to be able to gain access.

User Experience

Passkeys are quick and simple to use and could help create a more user-friendly experience – one which doesn’t involve needing to remember lots of complex passwords.

 

Disadvantages of passkeys

But it’s still early days and the tech isn’t quite there yet.

Adoption

Passkeys are not yet widely adopted and that means most websites and apps don’t yet support their use (so we’re not going to be saying goodbye to passwords any time soon).

Difficulty for multiple devices

Most people use multiple devices – typically a laptop and a smart phone – and this could pose a problem in the case of passkeys. Unlike password managers, they can’t just automatically sync across multiple devices.

Site recovery

There could also be implications for site access recovery, for example if you set up passkeys on a smartphone and it is then lost or broken.

 

Which tech companies are moving to Passkeys?

Recognising the need for strong authentication, several tech giants are already embracing passkeys and support them within their products, including:

Microsoft

Microsoft continues to be a trailblazer when it comes to passwordless authentication. Its Azure Active Directory supports passwordless sign-ins using security keys.

Apple

Apple has long been a fan of biometric-driven authentication and has incorporated Face ID and Touch ID as passkey alternatives.

Major banks

Within the financial sector, major banks are increasingly adopting passkeys to add to the security of online banking and financial transactions.

 

In summary, are passwords on the way out?

Passkeys are an exciting area of development and their potential is clear. However, there is still a lot of work to be done to iron out some of the core issues we’ve mentioned above.

Definitely a technology to watch though!

 
