All you wanted to know about passkeys but were afraid to ask
Yesterday's coverage of World Password Day sparked some discussion among the BetaNews team about passkeys and how they work.
We figured that if we're confused about them then some of you probably are too, so here's a FAQ look at passkeys, how they work and why you should consider using them.
What are passkeys?
Difficult questions first, eh? Passkeys are based on public key cryptography. For each account you have there are two cryptographic keys: one is public and stored on the system you're logging into, the other is private and stored on your authenticator device -- we'll talk more about those later. When you log in, the site sends a random challenge, your authenticator signs it with the private key and the site checks the signature against the public key it holds. Put the two together and -- like fitting a key into a lock -- you gain access, but the private key itself never leaves your device.
Passkeys are created and used through the WebAuthn API, which is supported by all modern browsers and backed by the authenticators built into modern operating systems.
Why is a passkey better than a password?
One big benefit is there's no need to think one up and remember it, so logging in is much easier. Another is phishing resistance: a passkey is bound to the domain of the site it was created for, so the browser won't offer it on a malicious copy, however convincing that copy may look to the human eye. And because the site only ever holds the public key, a breach of its user database doesn't hand attackers anything they can log in with.
What's an authenticator device?
Passkeys are typically managed by your device, either by the operating system or by a separate password manager such as Dashlane or LastPass. They can be synced between devices so they're available wherever you sign in. In this setup the password manager is effectively the authenticator device.
You can also store keys on an iPhone or Android phone which will act as the authenticator device.
Passkeys can also live on a dedicated hardware key such as a YubiKey or Google's Titan Key. The private key is generated on the key's secure chip and never leaves it. Once you're signed in on a trusted device you don't need the key plugged in all the time, but you will need it whenever you're asked to sign in again and to register it with a new account.
At this point you're thinking what if I lose my device, right?
Don't worry. Your password manager is protected by another form of authentication, either an old-school password or biometrics such as a fingerprint, so whoever ends up with the device can't simply use your passkeys. If you upgrade to a new device your passkey data can be transferred across, and if you're using a password manager your keys are stored in your cloud vault.
If you lose a hardware key it's pretty useless to anyone else: they don't know which accounts it's registered with, and keys typically demand a PIN or fingerprint before they'll sign anything. Using a trusted device where you've already set up a passkey you can remove the lost key from your account and register a new one.
How do I create a passkey?
We'll take Google as an example here, but other sites have similar methods. Go to g.co/passkeys, log in to your account and verify your identity. From there click 'Create a passkey'. You can then choose the authentication method you want to use; pick 'Use another device' if you have a hardware key.
If you choose to use a smartphone, a QR code is displayed on screen; scan it with the phone to let Google connect to it. Next time you log in via passkey a notification is sent to your phone and you verify your identity with biometrics or a PIN.
Where can I use passkeys?
More and more sites are starting to support passkeys. Passkeys.directory has a searchable list of sites where they can be used.
So, now you know what they are and how they work, what's stopping you?
Image credit: Sashkin7/depositphotos.com