Many companies are switching to passkeys, a much-discussed alternative to passwords, but they don’t seem to have caught on yet. Why is that?
Passkeys should be perfect for logging into accounts securely and reliably, and passwords would become obsolete in no time. Yet after nearly two years of widespread availability, practice is proving more complex than expected.
The promise of passkeys
Passkeys offer a secure alternative to traditional passwords by using unique cryptographic keys. These keys are stored locally on a device and are linked to biometric data such as a fingerprint or facial recognition. In theory, passkeys offer unparalleled security against phishing and other hacks.
The advantages are obvious: no more passwords to remember, no temptation to reuse the same password everywhere, no risk of passwords being stolen, and easy login with biometrics or a PIN. Yet in practice, passkeys are less user-friendly than expected.
Still too complex
Passkeys, meanwhile, are supported on hundreds of websites and platforms, including your Google and Microsoft accounts, but implementing them remains confusing. The process varies by operating system, browser and even device. For example, logging into PayPal with a passkey works differently on Windows than on iOS, and Firefox is not supported by PayPal at all. This lack of uniformity hinders a seamless user experience.
Another example is the use of passkeys on LinkedIn. If you create a passkey through Firefox on macOS, LinkedIn indicates that it is specifically associated with that platform. In reality, when managed through a password manager, the passkey also works on other devices and browsers. This makes it unnecessarily complicated and confusing for users.
In addition, large tech companies such as Apple, Google and Microsoft often try to push users toward their own ecosystem. This means that passkeys are synchronized by default via iCloud, Google Password Manager or Windows Hello, while alternative solutions, such as physical security keys, are often hidden behind multiple clicks.
Security versus ease of use
As mentioned earlier, passkeys promised to replace passwords, but that promise remains unfulfilled. Most websites still offer passwords as a fallback option. Some platforms, such as PayPal and Amazon, still rely on SMS-based authentication, one of the least secure forms of multi-factor authentication (MFA): SMS codes can be intercepted, and you depend on a mobile network.
Another drawback is the dependence on password managers for cross-platform use. Although password managers simplify the synchronization of passkeys, they do little to make authentication itself simpler, because they are yet another app to install. For many users, a password manager remains a barrier, often because they think it requires extra work or is not secure enough. That doesn’t help passkey adoption either.
What to do
For some users, such as someone who uses only an iPhone and Mac and has only a few accounts, passkeys can already be a good solution. They offer simple, phishing-resistant login with MFA built in. But for anyone with a diverse device ecosystem or without access to a good password manager, traditional passwords combined with MFA, such as an authenticator app or security key, remain the best option.
Internet users should, in principle, increasingly switch to a password manager, because it automatically generates unique, long passwords and normally stores them securely and encrypted. That is a first step toward better online security; the next logical step is passkeys.
The future of passkeys
While passkeys have the potential to replace passwords, they are not currently ready for the masses. The complexity of implementations, lack of uniformity and dependence on traditional passwords mean that, for now, they are mainly an adjunct to existing security methods.
With further development and wider adoption, passkeys may soon become the new standard in online security. Until then, strong passwords and MFA remain the best options.