We have received compensation to create this article. Pricing and availability subject to change.

Passwords vs. passkeys: What you need to know

Sick of keeping track of dozens of passwords? Switching to passkeys may be just the ticket.

Passkeys consist of a public and private key that digitally interlock. (1Password)

It’s hard to believe, but the first iPhone didn’t have any default security. You could just grab someone’s phone and swipe the homescreen to unlock – and you were in. Of course, as smartphones became the nexus of your digital life, Apple and other manufacturers made sure to add a layer of security to lock all your private info behind PIN codes and passwords. But people keep opting for simplicity over security, making those codes and passwords as simple and easy to remember as possible – if your PIN was 0000 or your password was “password,” we’re looking at you.

But there’s finally an alternative to passwords: Passkeys. This new method of authentication and verification is backed by the biggest tech companies on the planet, and more and more sites are starting to support them.

So, what are passkeys – and how do they differ from passwords? Here’s what you need to know.

We all know what passwords are. These strings of characters have protected our important digital information and accounts for decades – just watch the proto-technothrillers of the eighties like WarGames or Tron to get a flavor of what passed for digital security in those early days.

Many years and countless data breaches later, it sometimes feels like nothing’s changed: There are still too many people using their kid’s birthday or dog’s name as their password for anything and everything – and writing it on a Post-It note next to their monitor.

As those hacks and leaks have become more severe, IT administrators and service providers have started to drag users, often kicking and screaming, into a more secure environment. Most websites will now force you to create stronger (i.e. more complicated) passwords when you make an account – longer character counts comprised of upper and lowercase letters, numbers and special characters. And more of them (though, frustratingly, not nearly enough) are adding more serious encryption to the back end, so that if and when breaches do occur, hackers are getting little more than a giant blob of encoded data that would take decades to crack.

As an added layer of security, smart users are also opting to enable two-factor authentication (2FA), which pings your phone or email with a secondary code after inputting your password – thus ensuring that it’s really you trying to gain access to your account.

Of course, none of these password improvements are foolproof. 2FA assumes you have full control of your messaging accounts, which anyone who’s been SIM-jacked can tell you is no guarantee. And even wrapping yourself in a digital cloak of VPNs, anti-malware tools and 18-character randomly generated passwords is moot if you fall for a phishing scam (entering your credentials into a fake website) or succumb to a social engineering attack (beware the apparent kindness of strangers).

A passkey is a sort of digital identification that's tied to your account on a given app or website. While that sounds like a password, there’s an important distinction: Passkeys are two-part authenticators with separate components: a private key stored locally on your device and a matching public key held by the website or application. When logging in with a passkey, these two keys pair and give you access to your account.

A diagram of a passkey's workflow, from the FIDO Alliance. (FIDO Alliance)

Passkeys are more secure than traditional passwords because they are never stored on any server and instead reside as an encrypted key on your personal device. And, like passwords, they can be paired to biometrics, like facial recognition or fingerprint authentication, to initiate the login process. Even if a hacker got hold of your device, they’d need your biometrics to access any accounts, which is significantly harder than brute-forcing a poor-quality traditional password.

To recap, here are the major differences between passwords and passkeys:

  • A password is a phrase that users (or password managers—see below) generate. A passkey is a locally stored, system-generated cryptographic key.

  • Passwords are only as complex as the user makes them, whereas passkeys are completely unique.

  • Based on their strength (or lack thereof), passwords are susceptible to breaches and hacks. Passkeys are infinitely more difficult for bad actors to exploit.

  • Where passwords are universal, passkeys are currently supported by a smaller (but growing) number of websites and applications.

  • Users can, and are encouraged to, change their passwords as often as they like. Passkeys are less flexible in this regard.

  • Passkeys are phishing-resistant, whereas there is always a threat with traditional passwords.
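
To make the two-key pairing and the phishing-resistance point above concrete, here is an added example (not from the original article, the FIDO Alliance or 1Password): a simplified sketch of a passkey-style login in which the site sends a random challenge, the device signs it along with the site's address, and the site checks the signature against the stored public key. The class names, the origins and the user name are hypothetical, and the message format is a stand-in for the real WebAuthn one.

```javascript
const crypto = require('node:crypto');

// Device side: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half goes to the site
  }
  // Signs the site's challenge together with the origin the browser is really on.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey for this origin, nothing to hand over
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('hex') });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Site side: stores public keys only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32);
    this.pending.add(challenge.toString('hex'));
    return challenge;
  }
  verify(user, assertion) {
    const publicKey = this.publicKeys.get(user);
    if (!publicKey || !assertion) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(data.challenge)) return false; // unknown or replayed challenge
    return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
  }
}

// Constructed scenario: origins and user name are sample values.
function demo() {
  const site = new RelyingParty('https://shop.example');
  const phone = new Authenticator();
  site.enroll('alice', phone.register(site.origin));
  const good = phone.sign(site.origin, site.newChallenge());
  const loginOk = site.verify('alice', good);
  const replayOk = site.verify('alice', good); // same assertion sent a second time
  // A look-alike page relays a fresh real challenge, but the browser reports its own origin.
  const phished = phone.sign('https://shop-example.test', site.newChallenge());
  return { loginOk, replayOk, phishOk: site.verify('alice', phished) };
}
```

Calling `demo()` returns `loginOk: true` with `replayOk` and `phishOk` both `false`: the site never holds anything a breach could reuse as a login secret, and a signature is only valid once and only for the address it was made on.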

Although the major tech corporations like Apple, Google and Microsoft have largely jumped onto the passkey bandwagon, millions of websites don’t have the means to implement passkey authentication methods. Although the FIDO Alliance – a tech industry consortium aiming to “reduce the world’s reliance on passwords” – is trying to make passkeys the standard, it’s hard to see them becoming the first-choice option over traditional passwords anytime soon.

Our advice: assuming you have a current smartphone that supports biometric logins, experiment with passkeys on a small handful of non-critical accounts to start – not your bank, but maybe a retailer (Amazon, Walmart or Target) or gaming destination (Nintendo or Sony). If you’re comfortable with how that goes, you can start moving to passkeys across the rest of your digital services where they’re supported. And if not, there’s no shame in heading back to passwords while the industry continues to work out the kinks.

Whether you switch to passkeys, stay with passwords or – more likely – use a mixture of the two in the near future, you’ll also want a password manager to help smooth your path. These services can store both passwords and passkeys in a safe, encrypted space for you to access whenever you need them.

While all of the services on Engadget’s list of best password managers support passkeys and strong password generation, 1Password remains our top password manager choice. It implements AES-256 encryption, which government agencies and all the top corporations use for their data security needs, and is easy to use.

1Password can create complex and hard-to-crack passwords and store them in its encrypted databases for easy access across your full panoply of devices. It autofills these passwords or passkeys with browser extensions to make logging in to websites easier and faster. And it makes sharing and managing passwords among family members far simpler and more manageable than whatever workaround you may be using right now. (Pro tip: a shared Google doc or hardcopy list is basically an identity theft or security breach waiting to happen.)

Now through September 15, 1Password is offering 25% off first-year subscriptions of its family plan, too. That’s $45 for a year of making logins easier, whether you’re using passkeys or passwords, or a mixture of the two, for up to 5 family members with unlimited devices. (If you only need a single user account, those start at $35 per year.) Even better, you can try it free for 14 days before you commit.