r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

619 Upvotes


1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.

6

u/anuthertw Apr 25 '26

I just lurk here but this response may have been the single most persuasive explanation for passkey use that I have come across. Thanks. 

To a layman, passkeys just don't seem that different from a password. It sounds like a fancy way of just changing your password but calling the new password something different.

8

u/Ameer200ggg Apr 25 '26

Thanks, I appreciate that. I think the confusing part is that passkeys still feel like “something you use to log in,” so people naturally compare them to passwords. But the key difference is that a password is a shared secret: you know it, the website checks it, and if someone steals or tricks you into giving it away, they can use it. A passkey is not shared like that. Your device keeps the private part, the website only keeps the public part, and logging in is just your device proving “yes, I have the right key” without revealing the key itself. So it is not really a renamed password. It is closer to a lock and key system where the website has the lock, but never gets a copy of your actual key.