Whether you’re attending a business conference or a music festival, nothing beats an all-access pass. Instead of managing multiple reservations or buying a series of tickets, a simple scan of a badge or wristband lets you in everywhere.
Keep this concept in mind when you try to understand the passkey vs. password differences – there are similar pros and cons to weigh in terms of IT security.
What Is a Passkey?
Google and Amazon are just a few examples of major companies that have introduced passkeys to help people authenticate themselves when using its services. For many, though, it’s still a novel approach to logging onto a digital experience.
Definition and explanation of passkeys
Based on standards developed by the FIDO Alliance (short for “Fast Identity Online), passkeys are generated for users by those running apps and websites using cryptographic techniques. The data underlying passkeys are encrypted and stored on the devices you use to access services, such as your laptop or smartphone.
Passkeys only unlock apps and digital services when users verify them using a predetermined method. In some cases, users could be provided with a PIN, similar to those they use with their bank card. In other cases, a biometric identifier, such as fingerprint scan or a face scan, could put passkeys into action.
How passkeys are generated
You can add a passkey to an app or service you’re already using, or when you set up an account for the first time. In either scenario, the firm hosting the app or service will ask for your consent before initiating the process.
The firm then requests a random challenge from the server that is incorporated into what’s called a key pair. This is stored on the “Authenticator” or device you’ll be using. The key pair includes the private key that “signs” the challenge and a public key that matches it, as well as a credential ID.
Once the user has been assigned a PIN or added a biometric credential, the keypair gets sent back to the server. The passkey can now be used to authenticate the user to the app or service.
Benefits of using a passkey
Passkeys are considered safe, easy to use, and they take one big burden off of users that has led to countless cybersecurity incidents: the need to remember their credentials.
Given that each passkey is unique, meanwhile, it becomes very difficult for rogue actors to somehow guess them and use them to break into applications and services.
The growing number of firms offering passkeys, meanwhile, suggests they will become increasingly familiar to users and offer them (and the organizations they work for) greater confidence that data will remain protected.
What Is a Password?
The passkey vs. password debate puts a spotlight on the many problems that have traditionally been associated with the latter form of logging into apps and services.
Definition and explanation of passwords
The notion of password predates the Internet – everyone from secret agents to small children have agreed upon a designated term that will admit the person who says it.
Passwords have been coupled with user names for a host of digital experiences. You probably have one to log onto your e-mail, your bank account, your streaming media services, your employee portal at work and countless other platforms.
Entering the wrong password is like getting a door slammed in your face. The app or service you want to use will not let you (or anyone else guessing the wrong password) any further.
How passwords are created
Some organizations will have strict policies over how passwords are created, and how often they are changed. These policies might ask passwords to be of a certain length, for instance, and to incorporate numbers and symbols in addition to letters. Sometimes a platform will automatically generate a suggested password with these kinds of attributes.
There are many apps and services, though, where users have considerable leniency in how they create passwords. They could opt for their birth date, the name of their spouse or something else that’s easy for them to remember.
Common password security risks
While passwords can be an effective way to secure apps and data, they have well-known disadvantages. Many of them are associated with people rather than the technology that supports them.
People may easily forget their passwords, for example, forcing IT departments to do a reset so the user can create a new one. It may be tempting to write passwords down – or even leave it on a sticky-note attached to a monitor – in order to get around having to remember one.
When passwords are easy to guess based on the personal context of the user, meanwhile, cybercriminals may have an easier time getting past corporate IT defenses.
Phishing schemes – whereby threat actors try and dupe users into handing over their credentials – also lead to passwords falling into the wrong hands. Depending on how directories are secured, cybercriminals may harvest files filled with passwords that allow them to steal data or cause damage.
Key Differences Between Passkeys and Passwords
The passkey vs. password discussion needs to take into account a variety of factors in order to determine what’s best for a particular organization, app or service.
Different approaches to authentication
Passwords really offer only one way to authenticate a user, which makes them particularly valuable to would-be data thieves. Once it’s in their control, they can use passwords however they choose, and as often as they choose.
Passkeys go several steps further by using both the key pair as well as a PIN or biometric identifier. This makes them an example of multi-factor authentication (MFA), which creates additional hurdles for cybercriminals to jump.
Strengths and weaknesses of passkeys
Since they’re not user-generated, passkeys take away many of the traditional downsides of passwords. There’s no concern about users using something easy to guess, or that they’ll have to remember anything. This also means passkeys are a solid defense against phishing attempts.
The drawbacks of passkeys include the fact they are not yet supported by the majority of organizations and services. Unless they support syncing, passkeys may also be device-specific, which can be an issue when you’re logging in from a different piece of hardware. If you lose your device, meanwhile, there may be challenges in regaining access to apps and services you’ve protected via passkeys.
Strengths and weaknesses of passwords
Passwords may have their faults, such as those we discussed above. But the passkey vs. password debate shouldn’t end there.
Remember that passwords are relatively easy to set up and administer. With appropriate training and the help of a password generator, employees and customers can learn how to create stronger, more effective passwords. And with a password manager like LastPass, they can overcome the issues of remembering all their passwords and have their data kept secure.
Are Passkeys More Secure Than Passwords?
The cryptographic nature of passkeys and the lack of reliance on human effort to manage them means passkeys are a more secure alternative to traditional passwords for many apps and digital services.
Exploring the security advantages of passkeys
If the passkey vs. password question is creating any uncertainty, remember this: passkeys not only offer strong security but support a great user experience and are scalable for even the largest organizations, or which have an installed user base of millions.
Factors that contribute to passkey security
Passkeys not only have built-in MFA, but they are also supported by entire ecosystems of security technologies offered by some of the world’s biggest tech companies. This includes Microsoft and its Windows Hello service, Apple’s iCloud Keychain and many other firms.
These companies are also sharing knowledge with the wider community, such as offering resources for developers in organizations that want to offer passkeys for their own apps and platforms.
Comparing passkey security to traditional passwords
One stolen password can lead to a domino effect, whereby cybercriminals can access an application or platform and can compromise the data of every other person who uses it.
Traditional passwords are also at risk of cyber threats such as credential harvesting, brute force attacks or credential stuffing and other forms of attack.
Benefits of Using a Strong Password or Passkey
Regardless of how you resolve the passkey vs. password conundrum, it’s essential to have a trusted approach to accessing critical data. This could include an organization’s internal-facing apps and portals, or digital experience it offers to consumers, such as an online retailer that lets people log into their individual account.
Having a secure password or passkey mechanism in place reduces the risk of a data breach and provides a faster way for IT security teams to investigate incidents when they do happen.
Importance of strong authentication methods
Fortunately, authenticating users is no longer limited to using passwords alone.
Besides MFA, some organizations are exploring the use of single sign-on (SSO), which allows users to apply the same credential to multiple applications and services.
Again, the choice of how you authenticate will vary based on many different factors, but ultimately the method should be as secure as possible.
Best practices for creating strong passwords
The most secure passwords often don’t look like traditional words at all. They are twelve or more characters. They mix up letters, numbers and symbols.
Most importantly, securely designed passwords don’t contain an “easter egg” or some kind of detail that can be associated with the life or personality of the person using it.
Best practices for using passkeys effectively
There may be situations where employees will benefit from being able to create multiple passkeys to secure different devices or ecosystems of applications and services. They should be able to distinguish their passkeys, so offering the ability to rename them will help.
If you’re offering passkeys as a replacement to passwords, think about how you can educate people on what’s happening. Beyond a button or link asking them to generate a passkey, use this post or your own material to provide a simple backgrounder to ease the transition.
Given how well entrenched they are, it’s also best to ensure any passwords in your organizations are properly secured. With that in mind, start your LastPass trial today.
FAQ
Are passkeys really better than passwords?
Unlike passwords, passkeys are phishing-resistant, have built-in MFA, and are immune to brute force and other types of credential-based attacks.
Due to their reliance on public key or asymmetric cryptography (the use of public and private key pairs), passkeys can’t be stolen remotely or hacked. They’re also resistant against replay attacks, as each authentication session involves a unique cryptographic challenge that ensures previous data can’t be reused or replicated by the attacker.
Ultimately, passkeys are a more secure alternative to traditional passwords.
What are the disadvantages of passkeys?
The main disadvantage of passkeys is that they aren’t universally supported by the majority of brands and platforms. And unless they’re synchronized across multiple devices, passkeys are usually device specific. So, if you lose access to your device, you may experience challenges accessing the apps and services you’ve secured with your passkey.
Where is the best place to store a passkey?
The best place to store a passkey is on your device such as a tablet or smartphone. You can also store them securely in FIDO2 hardware security keys like YubiKey. For example, the YubiKey 5 Series can store up to 25 passkeys.
Can I still use a password if I have a passkey?
Yes, you can still use a password, even if you have a passkey. Password managers like LastPass support both passwords and passkeys, so you have flexibility in how you access your vault.
