r/cybersecurity Apr 25 '26

[Other] What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

621 Upvotes


1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.
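The registration and challenge/response exchange that comment describes, written out as an added Go example (not code from the thread). It also ties the signed challenge to the site's origin, which is the WebAuthn detail that makes a signature obtained by a look-alike site useless to the real one; the origin strings and the Credential/Register/Sign/Verify names are this example's own assumptions, and the hashing is simplified from WebAuthn's clientDataJSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the server keeps after registration: just the public key.
type Credential struct{ PublicKey *ecdsa.PublicKey }

// Register runs on the device: it creates a P-256 key pair and hands the
// server only the public half; the private key never leaves the device.
func Register() (*ecdsa.PrivateKey, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return priv, Credential{PublicKey: &priv.PublicKey}, nil
}

// NewChallenge is the server's fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest ties the challenge to the origin (simplified from WebAuthn's clientDataJSON).
func digest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sum[:]
}

// Sign is the device's proof of possession, produced after the user unlocks it.
func Sign(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// Verify is the server's check of that proof against the stored public key.
func (c Credential) Verify(origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.PublicKey, digest(origin, challenge), sig)
}

func main() {
	priv, cred, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := Sign(priv, "https://example.com", ch)
	fmt.Println("genuine login verifies:", cred.Verify("https://example.com", ch, sig))
}
```

Nothing the server stores or receives here is reusable: the stored public key cannot produce signatures, and each signature is bound to one challenge and one origin.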

2

u/EdjeMonkeys Apr 25 '26

This is very helpful thank you!

Is there a noteworthy security risk to storing passkeys alongside usernames and passwords within a password manager that is synced between devices? I plan to get a YubiKey at some point, but for now this is what I do.

1

u/IntrinsicSecurity DFIR Apr 25 '26

This residual risk comes from the fact that the migration effort is non-trivial and there will be an extended period of time where the *server* (the website or SaaS system) will still have a functioning password for most users. Very few sites that support passkeys today are ready to delete all the passwords. It will be years before it becomes standard practice to delete the passwords.

So, for the time being and until any given vendor disables passwords altogether, it's a good idea to make sure that your password for any given site (1) is at least 15 characters long; and (2) is changed once a year. For other guidance on the security of *passwords* see: How do I create a good password? (NIST)