Passkeys Are Great, But They Won’t Kill Passwords

It seems that passkeys are the new security tech that everybody is talking about. This new passwordless technology is easy to use, fast, and, most importantly, secure. Still, though, I don’t think they’ll quite kill passwords completely—and I’m not the only one.

What’s a Passkey?

Passkeys are a bit complicated “under the hood,” but the short version is that they replace passwords with a kind of call-and-reply system. Normally, when you create an account with a service, you also create a set of credentials with the service, made up of your username (or email) and a password.

Passkeys do away with this. Instead, your credentials are a tiny bit of code, called a key—hence passkey. This key is split into two parts, with you (or rather, your password manager) holding one and the site holding the other. Now when you try to access the site, instead of asking for your credentials, it will ask for your half of the key. If you have it, you get access.

The tech behind passkeys can get pretty involved and it’s not quite as simple as described, but the biggest takeaway is this: none of this involves any action by you, everything is managed for you by software. This makes passkeys what the Silicon Valley crowd likes to call “seamless” and has given rise to many fanciful promises of a passwordless future.

What’s Great About Passkeys

All this seems good, but it left me with a nagging feeling that getting rid of passwords entirely may be a lot trickier than it’s made out to be. I spoke with two password experts and, while both are very enthusiastic about passkeys, neither denies there are limits to what they can do.

First let’s take a closer look at the good. Anders Åberg, director of passwordless at Bitwarden, a leading password manager, sees authentication as a delay before you get where you want to go. In his words, “passkeys remove friction” and thus create a much better user experience—something the service does well, as you can read in my Bitwarden review.

However, passkeys’ benefits extend far beyond convenience. Åberg sums up several security benefits that aren’t always mentioned. For example, with passkeys, there are no passwords for the service to lose, meaning massive breaches like the recent one from Dropbox Sign are no longer possible. Passkeys are also very phishing resistant, ensuring faked sites won’t be able to trick users into using their credentials; the list goes on.

The Limits of Passkeys

However, even as enthusiastic a proponent as Åberg will readily admit that passkeys won’t spell the end of passwords. For one, you’ll always have to have some kind of password to access the vault where you keep your passkeys.

In the words of Pete Membrey, Chief Engineering Officer at ExpressVPN, including its Keys password manager, this is because “you always have to trust something.” No matter how efficient your passkeys (or any other security system) are, there will always be an access point that’s vulnerable. There is no way to be completely secure and still have access.

On top of that, Membrey also sees more practical reasons passwords aren’t going anywhere: While passkeys may be the future, the past doesn’t just go away. Many critical services like banks are still using classic security measures like PINs, let alone passwords. Switching them over to something as new as passkeys won’t happen any time soon.

This sentiment is echoed by Åberg, who says that “while it’s hard to change the way we do things, many of us are so used to passwords that we may simply not step out of our comfort zone.” Still, he says, once people experience the advantages and convenience, there is no going back.

The Death of Passwords?

All that said, and as powerful as passkeys are, we likely will never be completely rid of passwords, even if only to secure the account where our passkeys are kept. At the same time, the benefits of passkeys, both in terms of security and ease of use, can’t be overstated. Passwords may not be dead, but that doesn’t mean we should bury passkeys, either.