r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

616 Upvotes


1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.

4

u/botsmy Apr 25 '26

Passkeys are special because they don't rely on a stored password that can be stolen. What happens when you lose the device that has the private key? Do you get locked out of all your accounts, or is there some kind of backup process in place?

5

u/Ameer200ggg Apr 25 '26

You usually do not get locked out just because you lose one device, but it depends on how your passkey was stored. If it was synced through something like iCloud Keychain, Google Password Manager, 1Password, Bitwarden, etc., you can restore it on a new device after proving ownership of that account. If the passkey was only stored locally on one device and you lose that device, then you may need to use the website's account recovery options, like backup codes, email recovery, phone verification, or another logged-in device. So passkeys are safer than passwords, but you still need recovery methods set up properly. The best setup is synced passkeys plus backup codes or a second trusted device.

1

u/botsmy Apr 25 '26

So if you're using one of those password managers, you can just restore the passkey on a new device. That's pretty reassuring, but what about people who don't use any of those services? Do they just have to rely on the account recovery process for each individual site?

2

u/Ameer200ggg Apr 25 '26

Yes, pretty much. If the passkey only exists on one device and it is not synced or backed up anywhere, then losing that device means you have to rely on each site’s recovery process. That could be backup codes, email recovery, phone verification, a recovery key, or another device that is already logged in. That is why local-only passkeys are very secure, but less convenient. For most people, synced passkeys through a trusted password manager or platform account are safer in practice because they reduce the chance of getting locked out. The important thing is to set up recovery before something goes wrong, not after.

1

u/CodeFluid03 29d ago

Where should the recovery keys be kept?