Passkeys vs. Passwords: Why Passkeys are the New Standard

What's the difference between passkeys & passwords? This article explains why passkeys are better than passwords and why they are the new standard for logins.

Vincent

Created: June 30, 2022

Updated: June 11, 2024


The Problem with Passwords

How often did you have to reset your password in the last 90 days? According to a recent study, 78% of the respondents had to reset a password at least once. Do you use a different, strong password for each online service you use? 66% of users reuse the same password on different services. Looking at these answers, it is obvious that passwords, a concept that dates back to the 1960s, are outdated as the primary method of authentication. This view is shared not only by users but also by major tech corporations including Apple, Google and Microsoft. That's why they introduced the concept of passkeys.

What Are Passkeys?

Passkeys replace passwords and allow users to log in with Face ID or a fingerprint instead of coming up with and remembering complex passwords. They are a form of passwordless authentication embedded into Android, iOS, macOS and Windows.

How Do Passkeys Work?

Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:

1. Registration

During registration, the key pair is generated in the background and verified via the user's biometrics (e.g. Face ID, Touch ID or Windows Hello). The public key is sent to the server and linked to the website / app.

2. Login

To log in, the server sends a challenge to the user's device. Biometrics are used to access the private key, which is stored inside the user's device. The challenge is signed with the private key and sent back to the server, which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).

Passkeys are a form of disguised two-factor authentication, as both the device (first factor) and the user's biometric verification (second factor) are needed.

To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.

Moreover, passkeys are synced inside an ecosystem via iCloud Keychain, Google Password Manager or Microsoft account (soon). Therefore, they are available on all devices using the same account which prevents the repeated creation of a passkey for each device.

Passkeys vs. Passwords: A Direct Comparison

  • Enhanced Security: By leveraging cryptographic keys and biometric verification, passkeys offer a much higher security level than traditional passwords.
  • Simplicity and Convenience: The need for memorizing or managing multiple passwords is eliminated, streamlining the user experience.
  • Cross-Platform Compatibility: Passkeys work on all modern devices and platforms, ensuring a wide acceptance.
  • Reduced Phishing Risks: Since passkeys are unique to each service, they're less susceptible to phishing and other common password-related attacks.
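
The registration and login ceremonies from "How Do Passkeys Work?" and the phishing point in the list above can be modelled in a few lines of Node.js. This is an added example, not code from the article's author or from the WebAuthn specification: it is a simplified model with no real WebAuthn message encoding and no biometric step, and the names `createAuthenticator`, `createServer`, `shop.example` and `shop-example.test` are made up for illustration.

```javascript
const crypto = require("node:crypto");
// Device side: one private key per origin; only the public key is returned.
function createAuthenticator() {
  const keys = new Map();
  return {
    register(origin) {
      const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
      keys.set(origin, privateKey);
      return publicKey;
    },
    sign(origin, challenge) { // origin is supplied by the browser, not the page
      const privateKey = keys.get(origin);
      if (!privateKey) return null; // no passkey exists for this origin
      const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString("base64url") }));
      return { clientData, signature: crypto.sign("sha256", clientData, privateKey) };
    },
  };
}

// Server side: stores public keys and open challenges, never a shared secret.
function createServer(origin) {
  const publicKeys = new Map();
  const pending = new Set();
  return {
    enroll(user, publicKey) { publicKeys.set(user, publicKey); },
    newChallenge() {
      const challenge = crypto.randomBytes(32);
      pending.add(challenge.toString("base64url"));
      return challenge;
    },
    verify(user, assertion) {
      const publicKey = publicKeys.get(user);
      if (!publicKey || !assertion) return false;
      if (!crypto.verify("sha256", assertion.clientData, publicKey, assertion.signature)) return false;
      const data = JSON.parse(assertion.clientData.toString()); // parsed only after the signature checks out
      if (data.origin !== origin) return false; // signed for a different site
      return pending.delete(data.challenge);    // single use, so a replay fails
    },
  };
}

function demo(origin = "https://shop.example") { // constructed demo values
  const device = createAuthenticator(), server = createServer(origin);
  server.enroll("alice", device.register(origin));
  const good = device.sign(origin, server.newChallenge());
  const lookalike = device.sign("https://shop-example.test", server.newChallenge());
  return [good, good, lookalike].map((a) => server.verify("alice", a)); // [login, replay, lookalike]
}
console.log(demo());
```

In real WebAuthn the signature covers the authenticator data plus a hash of the client data, and credentials are scoped to the relying party ID rather than the full origin; the model keeps only the parts needed to show why a stolen server database, a replayed response and a lookalike site all fail.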

Why Are Passkeys the New Standard for Logins?

The technology of passkeys is based on the FIDO2 / WebAuthn standard, which allowed a secure and convenient biometric login from one device and has been developed for several years. Now, Apple, Google and Microsoft have created a solution for one of the main obstacles to further adoption of this standard: the secure portability between devices and synchronization within an account.

If the three major tech giants, from whom almost all consumers and businesses obtain their devices, operating systems and browsers, agree on a new standard (that does not happen very often), it is quite obvious that this will have a big impact. The development of passkeys started with the foundation of the FIDO Alliance back in 2012. Over the course of the past years, the engineers worked collaboratively on this solution to assure compatibility across devices and operating systems, which is another strong indication that passkeys are the new standard.

Currently, they are pushing this feature on their platforms and users are starting to get used to it. Digital-first companies like TikTok, Amazon or Facebook make their logins passkey-ready and are perceived as digital leaders. Other online services that do not yet offer this functionality need to keep up. Offering passkeys for logins should be on the mind of any digital and customer-centric company. With increased adoption, customers will demand this functionality from service providers.

As a Developer or Product Manager: How to Start with Passkeys?

As software developers and product managers, integrating passkeys into your systems is a forward-thinking move. It's not just about enhancing security but also about improving user experience and staying ahead in a digital world where convenience and safety are paramount. Passkeys represent a significant leap towards a passwordless future, and being at the forefront of this shift can set your services apart.

As a product manager, a good starting point is to track the passkey-readiness of your users by using the free Passkeys Analyzer.

As a developer, you can sign up to Corbado and play for free with our examples.

To stay updated about all things regarding passkeys, subscribe to our Passkeys Substack or join our passkeys community on Slack.
