Whether you use one of the best password managers or just scribble your details on a crumpled sticky note, the days of having to remember a million different security phrases may soon be over. That's because of passkeys, which are quickly emerging as the authentication method of choice for Silicon Valley heavyweights like Apple, Google, Microsoft and now Amazon.
From offering a slicker login experience to greater cybersecurity protection against threats like malware and phishing scams, the benefits of passkeys are clear. Yet despite their flaws, traditional passwords aren't going away overnight, giving many users agency over how they'd like to protect their accounts.
Whether you're a password traditionalist or a biometric backer, we put the two authentication methods head-to-head, comparing their security, convenience, login success rate, and more. Read on to see how the passkey vs password battle is shaping up and discover what it means for your online life.
What is a Password?
A password is a unique string of characters, typically composed of upper and lower case letters, numbers, and symbols, used to confirm a user's identity. They were designed to be memorized or written down manually, but can now be stored online securely using password managers like NordPass.
First invented by an MIT computer science professor in 1961, passwords became the most popular form of digital authentication to date due to their simplicity.
However, their unsophisticated nature also makes them vulnerable to being guessed, shared, stolen, or forgotten, making them a pretty poor security mechanism overall.
What is a Passkey?
Enter passkeys – the cooler, more tech-savvy younger bro of passwords. Passkeys rely on PINs, swipe patterns, or biometric information – like fingerprints or facial scans – to verify a user's identity.
Passkeys use the WebAuthn standard for public-key cryptography, which generates a public-private key pair on the user's device. The private key stays on the device and the website only ever stores the public key. As a result, they can't be stolen or forgotten like a password or physical key.
Passkey vs Password: Which is More Secure?
Passkey and password security fundamentally differ in their design, approach, and effectiveness. We break down some of the key differences between the authentication measures below.
Passkey cybersecurity is in a different league
It's no secret that passwords are easy to hack. According to research from Hive Systems, simple passwords under 10 characters can be guessed within 24 hours, and those with six or fewer characters can be cracked instantly.
This wouldn't be a major issue if password hygiene was consistently high, but it's not. In fact, the most common password continues to be 'password' year after year, and 85% of people have admitted to reusing passwords across multiple sites.
Fortunately, by utilizing biometric data and cryptographic methods that are almost impossible to forge, passkeys are able to rectify many of these cybersecurity concerns.
Only hackers with access to your authenticator device and your biometric information will be able to breach your account, making instances of breached passkeys almost unheard of. This also makes passkeys completely immune to phishing attacks as passkeys can't be typed out or written down, and stolen credentials are only valid when used on specific, user-owned devices.
With research from Deloitte attributing 91% of cyberattacks to phishing, the advantages passkeys can bring to businesses and individual users are clear.
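The challenge-response behind that phishing resistance can be modeled in a few lines of Node.js. This is an added example, not code from the original article or from any passkey vendor. The origin names are constructed, and the model is simplified: real WebAuthn signs authenticator data plus a hash of the client data, and the browser also scopes each passkey to its site.

```javascript
// Simplified model of a passkey login (added example, not the full WebAuthn protocol).
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://shop.example'; // constructed origin of the genuine site

// Registration: the device creates the key pair and keeps the private key.
// The site stores only the public key, so a server breach leaks no secret.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

const newChallenge = () => crypto.randomBytes(32).toString('hex');

// Device side: the browser, not the page, fills in the origin it is really on;
// the authenticator then signs the challenge together with that origin.
function signAssertion(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check the challenge is the one just issued, the origin is ours,
// and the signature matches the public key stored at registration.
function verifyAssertion(server, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return 'malformed'; }
  if (data.challenge !== expectedChallenge) return 'wrong-challenge';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData), server.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const { device, server } = registerPasskey();
  const c1 = newChallenge();
  const genuine = verifyAssertion(server, c1, signAssertion(device, c1, RP_ORIGIN));
  // Login started on a look-alike page (constructed name): the signed origin gives it away.
  const c2 = newChallenge();
  const phished = signAssertion(device, c2, 'https://shop-login.example');
  const relayed = verifyAssertion(server, c2, phished);
  // Rewriting the origin after signing invalidates the signature.
  const edited = { ...phished, clientData: phished.clientData.replace('shop-login.example', 'shop.example') };
  const tampered = verifyAssertion(server, c2, edited);
  // An assertion for an old challenge is useless against a fresh one.
  const replayed = verifyAssertion(server, newChallenge(), signAssertion(device, c1, RP_ORIGIN));
  return { genuine, relayed, tampered, replayed };
}

console.log(demo());
```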
Passkeys are more convenient
No one enjoys creating, remembering, and using clunky, complex passwords. It's tedious, time-consuming, and inconvenient. A phrase has even been coined to describe the anguish people feel when having to remember an excessive number of passwords as part of their daily routine: password fatigue.
Passkeys, on the other hand, only require users to set up a private key once initially, allowing them to authenticate themselves seamlessly and quickly after this point. Not only does this speed up the sign-in process, it also means that users no longer need to remember several different passwords at once.
Passkeys have higher login success
Unless you're using a password manager, or have an Einstein-like photographic memory, you're going to occasionally forget your password. Forgetting your password will make it harder for you to enter your account, and could even lead to your account being blocked if you enter the wrong credentials too many times.
In contrast, passkeys have a much higher login success rate because while it's easy to forget a complex code, it's harder to misplace your own biometric material. This distinction is backed up by recent data from Google, which revealed that while passwords have an average success rate of 13.8% on the platform, passkeys were successful 63.8% of the time.
Passwords still remain more popular overall
Passkeys are becoming a lot more common, but they're still not supported universally.
WebAuthn authentication is compatible with most platforms, but there are a number of reasons why websites are slow to make the transition away from passwords. First, passwords are familiar. Everyone knows what they are and how they work, so sticking with them curtails the need for staff training or customer explainers.
Secondly, with the verification method still in its infancy, many websites have complained about its ability to handle errors consistently across platforms. Specifically, its error handling on Chrome and Firefox browsers isn't as comprehensive as it appears to be on Safari, deterring many sites from making the switch.
Finally, while cryptography is widely regarded as very secure, concerns over biometric privacy are preventing many employees and consumers from warming to the method. You can use the passkeys-directory to learn more about which websites do and don't support passkeys.
The Death of the Password Will Be a Slow One
When it comes to the battle of passwords vs passkeys, there really is no debate – passkeys are more streamlined, user-friendly, and of course much more secure.
However, while Google may be correct about it being the “beginning of the end of the password,” we shouldn't expect the change to happen overnight, or even in the next few years. It's now easy to set up Google Passkeys, sure, but replacing a computer security system that has been dominant for over half a century is going to take time.
Passkeys are still a relatively new concept, and lots of aspects of the technology need to be smoothed out before they can be deployed universally. Moreover, humans are creatures of habit who have been relying on passwords since PCs were first created, so we need to account for the pace of behavioral change too.
Currently, the use of passkeys is very rarely obligatory, as most servers using passkeys will still let you choose which verification measure you'd like to use. And for websites that only support password protection, we'd definitely recommend outsourcing password creation and storage, especially as there are loads of great ways to test your password strength for free.