Focustivity

What's the point of passkeys?


Passkeys were introduced fairly recently with the promise of no longer needing passwords. But the implementation of passkeys is still not mature.

The implementation of passkeys is not standardized. While many services have added passkeys as an option for authentication, it seems most still hang on to your password. They'll use a passkey as an alternative to your password, or even require your password and use your passkey as another form of MFA. Ideally, when we set up a passkey, our password should be completely removed from the service. Or, if we're creating a new account, we never have a password to begin with.

Passkeys are not easily transferable. If I create a passkey on my iPhone, I can't transfer it to another service, like 1Password. Hopefully, this problem will be solved soon.

Passkeys are simple, yet not widely understood. Ask my Dad to set up a passkey and he'll give me a blank stare. “But, where do I enter my password?” he'll say. It will take some time, and more consistent implementation, before the public are ready for passkeys.

I think the most important point of passkeys, if implemented correctly, is that the information needed to log into your account (your password) is never in the hands of the service you're trying to authenticate with. If the service still requires a password, then what's the point? Even if they still store your password, you're vulnerable to data breaches and phishing.
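To make that point concrete, here is an added example (not from the original post) that models a passkey login in Node.js: the service stores only a public key, and each login is a signature over a fresh challenge plus the origin the browser sees. It is a simplified model rather than the real WebAuthn message format; the origin, username and function names are assumptions made for illustration.

```javascript
// Added illustration: simplified passkey model, not the WebAuthn wire format.
const nodeCrypto = require("node:crypto");

const ORIGIN = "https://example.test"; // constructed relying-party origin
const serverDb = new Map();            // username -> public key PEM; all the service stores

// Registration: the key pair is created on the device; only the public half leaves it.
function register(username) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  serverDb.set(username, publicKey.export({ type: "spki", format: "pem" }));
  return { privateKey }; // stays inside the authenticator
}

// Service side: a fresh random challenge for every login attempt.
const newChallenge = () => nodeCrypto.randomBytes(32).toString("base64url");

// Device side: sign the challenge together with the origin the browser actually sees.
function authenticatorSign(device, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service side: check origin, challenge and signature against the stored public key.
function verifyLogin(username, expectedChallenge, { clientData, signature }) {
  const pem = serverDb.get(username);
  if (!pem) return false;
  const { challenge, origin } = JSON.parse(clientData);
  if (origin !== ORIGIN || challenge !== expectedChallenge) return false;
  const key = nodeCrypto.createPublicKey(pem);
  return nodeCrypto.verify("sha256", Buffer.from(clientData), key, signature);
}

function demo() {
  const device = register("alice");
  const c1 = newChallenge();
  const genuine = authenticatorSign(device, c1, ORIGIN);
  const ok = verifyLogin("alice", c1, genuine);
  // Look-alike site: the signed origin does not match, so the response is rejected.
  const c2 = newChallenge();
  const phished = verifyLogin("alice", c2, authenticatorSign(device, c2, "https://examp1e.test"));
  // Captured response: it answers an old challenge, so it fails against a new one.
  const replayed = verifyLogin("alice", newChallenge(), genuine);
  // Database leak: the public key alone cannot sign, and any other key fails to verify.
  const other = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const c3 = newChallenge();
  const forged = verifyLogin("alice", c3, authenticatorSign(other, c3, ORIGIN));
  return { ok, phished, replayed, forged };
}
```

Nothing in `serverDb` can be typed into a login form or reused elsewhere, which is exactly the property that is lost when the service keeps a password alongside the passkey.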

John Siracusa talks about passkeys in episode 609 of the ATP podcast and, as usual, explains how passkeys work and also brings up some of the same concerns.