Passkeys Explained: Will Passwords Ever Go Away?

Shireen Stephenson | Published August 13, 2024 | Updated May 21, 2025

Is secure authentication possible?

With phishing implicated in 50% of all attacks, the FIDO Alliance is calling for universal adoption of passkeys as a secure authentication method. In response, Microsoft (a FIDO Alliance board member) has made passkeys mandatory for all new accounts.

But many of us still rely on the trusty username-password combo to sign into our online accounts. Are passkeys really safer than passwords?

If you’re skeptical of passkeys, you aren’t alone. Stay with us as we talk about modern authentication solutions, frictionless logins – and the elephant in the room: a world where frictionless security is not only possible but also the standard for every digital interaction.

What’s a passkey?

Google, Target, Walmart, and Amazon are just a few examples of major companies that have introduced passkeys for logins.

But what are passkeys?

Think about the last time you attended a business conference or music festival. Did you purchase an all-access pass? If so, you probably enjoyed unlimited access to all events with a simple scan of your badge or wristband.   

Take for example Disney’s Lightning Lane All-Access Pass. It grants you physical entry to all eligible attractions in a single Disney Park for one day.

In contrast, passkeys grant secure access to digital accounts.

So, both all-access passes and passkeys serve as “keys” for entry - but with an important difference: all-access passes grant physical entry, while passkeys enable digital access.

The secret behind passkeys: How your device replaces the humble keyword

Based on standards developed by the FIDO Alliance (Fast Identity Online Alliance), passkeys are created by generating a pair of cryptographic keys – a public key and private key – using asymmetric cryptography.

When you create an account using passkeys, your device creates a public-private key pair.

The public key is stored on the server of your favorite platform, such as Walmart, Nintendo, Roblox, Amazon, or Target. Meanwhile, the private key is stored on your device, such as your laptop or smartphone.  

Instead of using a password to access your account, you’ll select passkeys on the sign-in screen and then unlock your device to prove your identity. This unlocking can be done using the method you’ve set for unlocking your device, such as a PIN, pattern, or biometrics (fingerprint or facial scan).

Your device will then create a time-based signature with your private key, which the platform will verify with your public key. This completes the login process. Passkeys are safer than SMS-based MFA and are one of the best forms of phishing-resistant authentication you can implement.

Meet the password - same as the old password: How a little-known Roman cipher was tied to malicious scripts used in 890,000 phishing attacks

The notion of a password predates the Internet and dates back to ancient civilizations like the Greeks, Romans, Egyptians, and Mesopotamians.

In fact, the Romans were famous for using one of the earliest known ciphers, the Caesar Cipher (brainchild of Julius Caesar). This simplistic cipher works by shifting each plain-text letter of a word three (3) places to the right in the alphabet. For example, an “A” becomes a “D” and so on.

Members of the Roman Frumentarii (ancient Rome’s secret agents) used this cipher to create special code words – and surprisingly, these code words were never cracked by their enemies.

Meanwhile, the Greeks created the earliest known form of steganography – the practice of hiding messages in plain sight.

The historian Herodotus describes how Histiaeus sent a message to his son-in-law Aristagoras (who revolted against King Darius of Persia), by tattooing the message onto the bald scalp of his most trusted servant. Histiaeus then let the slave’s hair regrow. When the slave came face-to-face with Aristagoras, he had to shave his head to reveal the message.

In 2025, hackers used the Caesar Cipher to hide malicious scripts from security experts in 890,000 phishing attacks.

Are you guilty of these password habits? - we won’t tell but there’s something you need to know

While passwords can be effective, they also come with a clear disadvantage.

For one, they’re easy to forget. So, you may be tempted to scribble them on Post-it notes and stick them to your monitor.

And if you practice password recycling – you’re in good company:

  • Over 60% of Americans reuse passwords.
  • CyberNews researchers found that only 6% of passwords are unique: the “1234” sequence was found in 700+ million passwords.
  • The default “password” and “admin” were used by 56 million and 53 million users respectively.
  • CyberNews researchers also found that users often resorted to popular names, curse words, pop culture terms, and positive concepts like love (87 million) to come up with login credentials.
  • 24 million users believe “God” will make their password secure, while 20 million users bet on “Hell” to do the trick.

When passwords are easy to guess, hackers will have an easier time cracking them – and taking over your accounts. In 2024, 94% of brands and businesses reported that identity-related attacks compromised millions of consumer accounts.

Key differences between passkeys and passwords 

Are passkeys really more secure than passwords? The shortcut to phishing-resistant authentication

Passwords offer only one way to authenticate a user, which makes them particularly vulnerable to data thieves.   

In contrast, passkeys use cryptographic credentials tied to your device and a biometric identifier to grant access. It’s one of the most secure authentication methods you can use as it creates additional hurdles for attackers to overcome. 

In the world of finance, 42% of global financial institutions report experiencing a 75% decline in payment fraud after adopting biometrics.

I love thee, I love thee not: The rocky transition to frictionless security

Since they aren’t user-generated, passkeys don’t share many of the downsides of passwords. Their main advantages are that they eliminate the need for password recycling, a top factor in account takeovers, and they make phishing nearly impossible.

However, their #1 drawback is that they aren’t yet supported by most businesses. Although world leaders and cybersecurity experts called for a bold transition to frictionless security on World Passkey Day, airlines and hotels (high-value targets for attackers) have yet to ramp up adoption.

Currently, the only players in the hospitality industry to have implemented passkeys are Hyatt, British Airways, Kayak, and Air New Zealand.

So, why is the road to frictionless security paved with good intentions but hindered by obstacles? According to the 2025 FIDO Alliance report on passkey deployment:

  • 76% of organizations say passkeys are too complex and costly to implement.
  • 24% say it would require intensive resources to integrate passkeys with their legacy systems.
  • 56% admit they don’t have the resources or technical skills to handle the change.
  • Meanwhile, 24% say they already use other forms of secure authentication.

On the consumer side, 75% are aware of passkeys, but only 23% use them with all accounts. According to a 2024 FIDO Alliance survey, at least 20% of respondents are still asking, “What’s a passkey?” This suggests that some confusion remains about this seamless authentication method, which may explain its slow adoption across the world.


Types of passkeys in 2025

Yet, despite the hiccups, passkeys are here to stay. According to the 2025 FIDO Alliance passkey deployment report, organizations that deploy them are realizing high levels of ROI:

  • 90% increase in authentication security
  • 77% reduction in help desk calls
  • 73% increase in employee productivity
  • 83% positive impact on achieving digital transformation
  • 82% positive impact on user login experience

If you’re still on the fence about passkeys, this table breaks down the passkey types you’ll encounter – arming you with the knowledge to choose the most secure authentication method for your lifestyle.

| Passkey type | Description | Where it’s used | Key benefit |
| --- | --- | --- | --- |
| Single device passkeys | Cryptographic keys stored on your device | Smartphones, tablets, laptops, desktops | Biometric or PIN login |
| Hardware security keys | Physical USB and NFC enabled devices that store passkeys offline. Example: Google Titan supports up to 250 passkeys. | Enterprise, high-security environments in sensitive industries like healthcare, defense, and banking | Phishing-resistant authentication with the highest security assurance (Level 3 AAL3); 99% reduction in risk of credential theft and account takeovers & 203% ROI |
| Brand-implemented passkeys | Passkeys tied to specific brands | Airlines (Air New Zealand), hotel chains (Hyatt), travel apps (Kayak) | Air New Zealand login abandonment rates decreased 50% after passkey adoption; Kayak reduced sign-in times by 50% after passkey adoption |
| Cloud-based passkeys | Passkeys synced across devices via cloud services | Apple iCloud Keychain, Google Password Manager, Microsoft Authenticator | Seamless cross-device logins |

Best practices for creating strong passwords - and the easiest way to do so

The most secure passwords aren’t based on common phrases, previous passwords, or personally identifiable details. Both CISA and NIST recommend that passwords be at least 16 characters in length and contain a mix of letters, numbers, and symbols.

But who has time to create passwords?

Fortunately, there’s an easy, safe solution.

LastPass can generate strong, random passwords, which you can customize according to NIST and CISA rules – in less time than it takes to reset a forgotten password.

Best practices for how to implement frictionless security

If you’re ready to jump into passkeys, these best practices can keep you safe:

  • Make the switch gradual: Switching from passwords to passkeys can be overwhelming. So, starting out with one or two accounts lets you get comfortable without putting a kink in your daily flow. In fact, a Kaizen principle states that small, incremental changes can lead to bigger results over time: 1% improvement daily = 37X success in a year.
  • Use biometrics to enjoy faster, safer access: Using your face or fingerprint eliminates the burden of remembering passwords. Biometrics also makes it harder for your accounts to be hacked – as it’s almost impossible to duplicate or steal.
  • Register passkeys on multiple devices to avoid lockouts: If your phone is lost or misplaced, having your passkeys on other devices means you won’t lose access to your accounts. So, when you set up passkeys on one device, look for an option to add or sync it to your other devices.

The one simple step that turns any device into an ironclad digital fortress

As the drumbeat for secure, frictionless authentication intensifies, many say it’s a matter of time before passwords become largely obsolete.

Yet, if you’re still using passwords, it probably has nothing to do with the tech. It’s likely you aren’t quite ready to give up on them. Perhaps you like the idea of fallback options – in case passkeys fail.

That said, juggling passwords on Post-it notes or a notebook can put your financial security at risk.

With an advanced password manager like LastPass, you can take control by keeping your passwords secure, organized, and instantly accessible. As G2’s Spring 2025 Global Leader in frictionless authentication and platinum Business Titan winner, we’re trusted by millions across the world.

And we’re so confident you’ll love LastPass that we want you to enjoy a free trial – no credit card or commitment required. Try these incredible Premium features for 30 days and see how you like them - you get to keep LastPass free even after your trial ends.

FAQs

Are seamless authentication methods like passkeys safe?

Unlike passwords, passkeys eliminate risks associated with AiTM (adversary-in-the-middle), credential stuffing, replay, brute force, and phishing attacks. Users must be physically present, usually by performing an action on their device, to gain access to accounts. 

Passkeys are also URL specific, which means they won’t work for logins on a phishing site.

Ultimately, passkeys are a secure alternative to traditional passwords.

What are the disadvantages of passkeys?

The main disadvantage of passkeys is that they aren’t universally supported by the majority of brands and platforms. And unless they’re synced across multiple devices, you may be locked out of apps and services you’ve secured with passkeys.

Where is the best place to store a passkey?

The best place to store a passkey is on your device, such as a smartphone. You can also store it securely in FIDO2 hardware keys like YubiKey. For example, the latest YubiKey 5 Series can store up to 100 passkeys.

Can I still use a password if I have a passkey?

Yes, you can still use a password, even if you have a passkey. Many platforms such as Amazon and PayPal support both, allowing you to sign in with a passkey or fall back on a password if needed.
