Passwordless authentication is becoming more mainstream as more people and platforms recognize how it improves security over traditional passwords. Big-name players like Microsoft, Google, and Apple are among those leading the charge. Bringing them all together is the FIDO (Fast IDentity Online) Alliance, an organization that works on passwordless technology and establishes standards for organizations to follow.

What is a passkey?

As simple as they are to use, passkeys can be difficult to understand. That’s why we’re breaking it down into varying concepts and levels, so you can leave this blog post knowing what a passkey is and how it’s different from a password.

Explain it like I’m 5

Passwords are a common way to log in to accounts, but if they get stolen (which they often do), anyone can use them to gain access. Passkeys are a way to log in without a password. They use your phone or another supported device to prove that you are who you say you are before letting you into your account. A lot of security happens behind the scenes, but the main benefit of passkeys is that they can’t be stolen like passwords. Plus, there’s nothing to remember, so you’ll never forget them!

Explain the technical stuff

In order for passkeys to work, an authenticator, such as a mobile device or password manager that supports passkeys, generates two cryptographic keys for each account you create. One key is public and stored on the site where you create the account, and the other is private and stored in your authenticator. When you sign in to your passkey-enabled account, your authenticator and the website communicate to authenticate your login without exchanging any actual secrets that a hacker could exploit.

Passkeys are created using the WebAuthn API that’s widely implemented in all modern browsers and operating systems. Most of the complexity is hidden in the software. The user only needs to approve the creation or use of the passkey.

Will passkeys replace passwords?

In short, yes—eventually. Passkeys are simply a better option, and we’ve already seen more widespread adoption and advancements in the last six months.

The FIDO Alliance has been working on passwordless authentication standards for some time. The most important development, however, came somewhat recently when the technology consortium announced it had proposed a method to store cryptographic keys so they can sync between devices. (In fact, FIDO calls passkeys multi-device FIDO credentials.) This paves the way for the wider adoption of passkeys that we’re already beginning to see.