
Auth Thoughts

Are Passkeys Secure?


Passkeys are poised to become a popular and widely adopted form of passwordless authentication. Using public key cryptography, passkeys turn users’ devices into authenticators for any app, website, or other environment that supports the method.

So, are passkeys secure? According to tech giants such as Google, Apple, and Microsoft: Yes. 

The aforementioned companies (among others) have already launched passkey systems in order to provide greater security than older, password-based authentication systems. Not to mention, passkey systems make logging in to an iPhone, Windows laptop, or Google account significantly more convenient. 

Below, we’ll explain how and why passkeys are secure.

How passkeys work

Although the underlying technology is complex, the way passkeys work is relatively simple. They use public key cryptography to create a key pair, matching a private key on a user’s device with a public key stored on the application’s servers.

Once the key pair is established, the device acts as the user’s “key” to the apps and websites it has been registered with. When the user tries to log in, the site prompts for a check that only that device can satisfy, usually an unlock using an iris, fingerprint, or other biometric method. If the unlock succeeds, the user gains access without entering a password or other credentials. For the end user, passkeys are incredibly simple to use.

That simplicity means passkeys are much faster and more accurate than password-based systems. Google’s testing found that passkeys have a 50% higher success rate and allow logins twice as fast as password-based systems. And these figures should only improve over time.

But are passkeys secure?

Passkeys are one of the most secure authentication methods available. As long as users have a device that can utilize the technology, such as a current smartphone with a biometric scanner, they provide significantly better protection from broken authentication than many other password-based or passwordless authentication methods. The private keys are never shared with third parties, so there’s no “shared secret” vulnerability. Even if the device storing the passkey is lost or stolen, a would-be cybercriminal will not be able to break authentication.

Although some users may harbor feelings of mistrust about the underlying tech—or the veracity of claims made by monoliths like Google or Apple—experts are in agreement that passkeys are secure. The biggest reason? Passkeys are completely immune to phishing.

This makes them significantly more secure than their near-namesake: passwords.

Are passkeys safer than passwords?

Convenience isn’t the only reason passkeys are expected to replace passwords. Another major factor is the fact that passkeys do away with many of the security vulnerabilities that plague traditional passwords.

Consider the following threats and weaknesses that are present in any password-based authentication system:

  • Weak passwords: Although many login systems require minimums for password length and complexity, users still tend to incorporate details that make their passwords easy to guess, such as a birthdate or pet’s name.

  • Brute-force attacks: Even if users have strong passwords, such as randomly generated strings of characters, an attacker can automate login attempts until one succeeds.

  • Credential theft: Likewise, even the strongest password or passphrase can’t do much to prevent broken authentication if it is stolen as part of a multi-pronged cyberattack.

  • Social engineering: Attackers can also trick users into providing their login credentials unwittingly through phishing, man-in-the-middle attacks, and other fraudulent schemes.

None of these can impact passkeys, making them much more secure and a better alternative to passwords.

Can passkeys be stolen or hacked?

The private key portion of the key pair used in passkey authentication cannot possibly be stolen or hacked. It doesn’t exist anywhere on a server, and it requires a biometric scan to be accessed, so even stealing the device on which it’s stored would not amount to stealing the key outright.

In fact, the extent to which passkeys cannot be stolen has led some people to question whether they’d be able to recover their own passkey (and accounts) in the event that their device is lost. However, most passkey systems have methods for rightful owners to transfer and recover their keys. For example, an Apple support note on passkey security explains that recovery, after a device is lost, requires meeting several security criteria, such as inputting the device’s security code. If a would-be attacker fails at this ten times, the record of the passkey data is irrevocably destroyed.

What this all amounts to is an auth method virtually invulnerable to theft and hacking.

Drag-and-drop passkey auth with Descope

Passkeys are among the most secure approaches to authentication that everyday end-users can access. And the added security doesn’t come with any costs of inconvenience or extensive setup, as passkeys use devices and accounts users already have. 

However, implementing passkeys in-house can get complicated quickly. Descope’s no-code workflows help developers easily add passkeys to their apps – even if they use existing identity providers such as Amazon Cognito, Auth0, or Firebase.

[Figure: Drag-and-drop passkey auth with Descope]

Sign up for a Free Forever Descope account today to modernize your auth with passkeys.