In an ironic turn of events, Google announced its rollout of passkeys on World Password Day (May 3, 2023), proclaiming the “beginning of the end of the password.” But when it comes to the passkey vs password debate, were they right?
In a word: probably.
Whether it’s because of passkeys or another form of passwordless authentication, experts tend to agree that apps on the Internet need to move away from passwords. To understand what this means for apps and websites, their developers, and their end users, it’s important to grasp the key differences between passkeys and their predecessor, along with why passkeys are considered superior.
What are passwords?
Password-based authentication is the oldest and historically most used form of auth. Typically, users create a unique string of characters that they have to memorize, then provide it alongside a username to access their account. Unless it’s paired with other requirements in a multi-factor authentication (MFA) system, that is all a user (or cyber-attacker) needs to know to access sensitive data.
The main advantage of passwords over other, newer forms of authentication is simple: familiarity. People are accustomed to them, and almost everyone knows how they work.
But that advantage is counterbalanced by the significant security weaknesses and user inconveniences inherent to password-based authentication. In part because users have had to memorize so many passwords for so many years, many default to using weak passwords or re-using the same credentials for multiple accounts. This makes them vulnerable to guessing or cracking. And even strong passwords can be stolen, which can lead to broken authentication.
What are passkeys?
Passkey-based authentication utilizes public key cryptography techniques where a matched set of public and private keys, rather than a password or passphrase, is used to authenticate a user’s identity. This allows for greater security, makes phishing virtually impossible, and improves the user experience.
To gain access to an account, app, website, or other digital environment, the user must first establish the private key on their device. Usually, the key can only be associated with a single user and a single device. A corresponding public key is then stored on an account server of the authoritative body (e.g., Apple, Google, etc.). Critically, this means there is no shared secret that cybercriminals can exploit, making passkeys phishing-resistant.
At login, the app or website sends a challenge to your device that can only be answered with the private key; the server checks that answer against the public key it stored at registration. Answering almost always requires unlocking the device or providing a biometric factor, such as a fingerprint or face scan. Once that is satisfied, access is granted—there’s no need to remember or enter any additional credentials.
Passkeys vs passwords
Passkeys and passwords are similar in that they provide the same end goal of authentication. Despite their similar names, however, they couldn’t be more different in how they achieve that end goal.
Across all the most important factors for developers and end users, passkeys are superior:
| | Passkeys | Passwords |
|---|---|---|
| Mechanism | Relies on public key cryptography and biometrics/screen lock data on the user's device. | Involves users entering a string of characters to verify identity. |
| Security | More secure, resistant to phishing and impersonation. | More vulnerable to attacks and password-related breaches. |
| Convenience | Faster and simpler sign-in process. | Cumbersome to remember and manage, potentially slower sign-in process. |
| Implementation | Relatively complex to implement, but becoming easier with enablement and dev resources. | Widely supported with built-in mechanisms in most systems and applications. |
| Compatibility | Aiming for standardization across different platforms and systems. | Generally compatible with various systems and platforms. |
| Data storage and privacy | Biometric data remains on the user's device. | Stored in databases, vulnerable to data breaches if not properly protected. |
| Login success rate | Higher success rate. | Lower success rate. |
Passkeys: Passkeys are a passwordless authentication method that relies on public key cryptography and biometrics, or other screen lock data on the user's device. When using a passkey, the user's data is not sent to external servers. Instead, only cryptographic proof that the user has correctly provided the authentication data is sent, ensuring that sensitive information remains on the user's device.
Passwords: Passwords are a traditional authentication method that involves users entering a string of characters (letters, numbers, symbols) to verify their identity. When a user enters their password, it is typically sent to the server for verification. The server compares the entered password with the stored password (usually in a hashed form) to authenticate the user.
Passkeys: Passkeys are designed to be more secure than passwords. They utilize biometric data or other methods, which are difficult to replicate or forge, making it challenging for attackers to impersonate users. Since the passkey authentication process does not involve entering a password or sensitive information that can be intercepted, it mitigates the risk of falling victim to phishing attempts.
Passwords: Passwords are more susceptible to various types of cyber attacks, like brute force or phishing. Additionally, users often reuse passwords across multiple accounts, which can lead to a domino effect when a data breach is followed by credential stuffing. If one account's password is compromised, it can be used to gain unauthorized access to other accounts, posing a significant security risk.
Passkeys: Passkeys offer a convenient authentication experience as they eliminate the need for users to remember and enter complex passwords. They provide a faster and simpler sign-in process – users set up the private key once for an account and don’t have to memorize or do anything else thereafter.
Passwords: Passwords are convenient mostly because they’re the oldest user authentication method, and users are most familiar with them. But they are cumbersome to remember and manage, leading to potential user frustration. Moreover, passwords require more time for users to enter and authenticate, resulting in a slower sign-in process.
Passkeys: Since passkeys are a newer authentication method, implementation can get relatively complex. However, this is poised to become easier with time as more companies invest in developer resources, templates, and enablement. For instance, developers can easily add passkeys to their Firebase, Auth0, and Amazon Cognito logins with Descope.
Passwords: Most systems, websites, and applications have built-in mechanisms for password-based authentication.
Passkeys: Passkeys aim for standardization to ensure compatibility across different browsers, operating systems, and devices. Standardization allows for a consistent passwordless experience for users, regardless of the specific platform or system they are using. As things stand, there is room for improvement in this regard.
Passwords: Passwords, being the traditional and widely used authentication method, are generally compatible with almost all systems, websites, and applications that support password-based authentication.
Data storage and privacy
Passkeys: By utilizing biometric authentication, passkeys prioritize user privacy. The user's biometric data remains securely stored on their personal device and is never sent to external servers. Only cryptographic proof of correct authentication is sent to servers. This ensures that biometric data cannot be intercepted or accessed by attackers. By keeping biometric data local, passkeys mitigate the risk of theft or misuse of this sensitive information.
Passwords: Passwords are stored in databases, often as hashed values, but can be vulnerable to data breaches if not properly protected. Since passwords are stored server-side, application owners also need to invest more resources and personnel on password storage, management, and fraud prevention.
The data collected by Google shows that the success rate of authentication using passkeys is significantly higher compared to traditional passwords. In the provided data from March to April 2023, the average authentication success rate was:
Passkeys: In contrast, the success rate for passkeys was 63.8%. This indicates that users have a much higher chance of successfully authenticating with passkeys.
Passkeys are better than passwords for all parties (except attackers) and in almost all situations. For these reasons, any app, website, or other project that can integrate passkey auth should do so. If there is some reason that passkeys aren’t applicable, seek out alternate passwordless methods before settling on passwords.
How are passkeys more secure than passwords?
Passwords are rife with security vulnerabilities. As noted above, users often bypass security best practices and choose passwords that are easy for attackers to guess or crack. For example, they may use personal information, like their name or birth year, which narrows the set of candidates an attacker has to try. But even when authentication systems require lengthy or complex passwords, they remain susceptible to cybersecurity attacks. Lastly, passwords can be stolen or solicited through phishing.
In comparison, these vulnerabilities are simply not applicable to passkeys. There is no code to memorize and no credentials to steal. Even if a user’s device is lost or stolen, a would-be attacker needs their unique biometric identifier to gain access to accounts through the passkey system.
Passkeys are more secure because they negate many of passwords’ most prevalent weaknesses.
Will passkeys replace passwords?
In a perfect world where people used the most apt technology as soon as it became available, passkeys would have already replaced passwords. And although that hasn’t happened yet, at least completely, it is likely that passkeys will replace passwords at some point in the future.
One of the biggest reasons passkeys are likely to overtake passwords is their speed. According to Google, passkeys are significantly faster than passwords, averaging login times of about 14.9 seconds. In comparison, logging in with a password took users 30.4 seconds on average.
People see this as a major convenience – and one they’re likely already positioned to leverage from their phones or other devices.
In the leadup to Apple’s launch of passkeys in 2022, it was reported that 95% of users were ready for passkey adoption with MFA enabled in their iCloud keychains. This is a microcosm of the broader picture, where passkeys and other passwordless auth methods will take over as the new default.
It’s a matter of when, not if—and developers of all stripes should prepare accordingly.
Drag-and-drop passkey and password auth
Passkeys are better than passwords in nearly every respect. While many users are familiar with the older tech, it’s well overdue for a replacement. And passkeys are an easy, obvious choice.
If you’re an app developer looking to implement passkeys or passwords for your project (we recommend the former), Descope can help. Descope makes passkeys and passwords easy to implement with drag-and-drop workflows and a few lines of code.
Sign up for a Free Forever account with Descope to simplify your authentication projects and save developer time.