Passwords suck. If they’re easy to remember, they’re the simplest to guess. If they’re difficult to crack, they’re the hardest to recall. Even if you use the strongest passwords possible, they’re ineffective if they become known.
Which is why I’ve stopped using them as much to log into my accounts. But I haven’t weakened my online security by doing so. In fact, I’ve improved it—and sped up my login times, too.
How? I set up passkeys for my accounts. It takes just a few minutes, doesn’t cost anything, and can be done using your smartphone or PC. Using them is equally painless. When logging in, you choose the passkey option, then approve the login request with your thumbprint, face scan, or PIN. It’s fast.
This authentication method is secure, too. A passkey improves on several password weaknesses:
- They can’t be guessed. Passkeys rely on public-key cryptography, which uses two different kinds of keys as part of the verification process. The website gets the public key, while your smartphone, PC, security hardware key, or compatible password manager keeps and protects the private key. A private key can’t be determined from a public key, so a website hack won’t compromise your corresponding passkey.
- Copies shouldn’t work. Passkeys are specific to the smartphone, PC, or security hardware key that created them. If a copy of the private key is somehow stolen from your device, it won’t register as valid. This is true for password managers that support passkeys, too—so long as they’re configured to verify that a passkey was used from the password manager’s platform.
- Phony sites can’t use them. Passkeys are tied not just to the device that generated them, but to the specific website they were created for, too. A spoofed site won’t pass the verification check. So even as phishing sites and scams get more sophisticated, you’ll be better protected against them.
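To make the first and third points concrete, here is an added example (not from the original article) that simulates a simplified passkey login in Node.js: the site holds only the public key and rejects a response that comes from a lookalike origin, reuses an old challenge, or was signed by a different key. The domains `shop.example` and `shop-example.test` and the helper names `deviceSign`, `verifyLogin` and `demo` are made up for illustration, and the message layout is a trimmed-down version of what WebAuthn actually signs.

```javascript
// Added example with constructed data; simplified from the WebAuthn login flow.
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Registration: the device makes a key pair and the site stores only the public half.
const device = newKey();
const site = { rpId: 'shop.example', origin: 'https://shop.example', publicKey: device.publicKey };

// Device side. The browser, not the page, supplies the origin. The signature
// covers the hash of the site's domain plus the hash of the client data.
function deviceSign(privateKey, origin, challenge) {
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authData = sha256(new URL(origin).hostname); // real authData also has flags and a counter
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), privateKey);
  return { clientData, authData, signature };
}

// Site side: every check must pass before the login is accepted.
function verifyLogin(site, challenge, a) {
  const c = JSON.parse(a.clientData.toString());
  if (c.type !== 'webauthn.get') return 'wrong type';
  if (c.challenge !== challenge.toString('base64url')) return 'stale challenge';
  if (c.origin !== site.origin) return 'origin mismatch';
  if (!a.authData.equals(sha256(site.rpId))) return 'wrong site id';
  const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
  return crypto.verify('sha256', signed, site.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const good = deviceSign(device.privateKey, site.origin, challenge);
  return {
    genuine: verifyLogin(site, challenge, good),
    // A lookalike page relays the real challenge, but the browser records its own origin.
    phished: verifyLogin(site, challenge,
      deviceSign(device.privateKey, 'https://shop-example.test', challenge)),
    // An old response is replayed against a fresh challenge.
    replayed: verifyLogin(site, crypto.randomBytes(32), good),
    // Someone holding only the site's public key signs with a key of their own.
    forged: verifyLogin(site, challenge, deviceSign(newKey().privateKey, site.origin, challenge)),
  };
}

console.log(demo());
```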
The best part is the ever-widening support for passkeys. It’s not just the big names like Google, Microsoft, Apple, and Amazon. I’ve started spotting them elsewhere, like on Target.com and other shopping sites—even WhatsApp. Even sites with passkeys continue to expand their reach. In honor of World Password Day 2024, Google broadened its passkey program to include its Advanced Protection Program participants.
If you still like passwords, you don’t have to drop them entirely. Sites generally let you have multiple sign-in methods. Just follow our tips for how to quickly shore up your online security—especially the part about adding two-factor authentication to your accounts. If you have a password + 2FA active, that combo can serve as a backup method of login if you ever lose the device or security key with your passkeys.
(That’s the only real drawback of using passkeys exclusively—you need to have multiple devices with them, in case one becomes lost, stolen, or unusable.)
The less online security interests you, the quicker you should make the move to passkeys. Most people treat passwords like the nuisance they are, reusing them or creating weak ones as often as possible. Bitwarden’s latest survey proves this point, with over 30 percent of U.S.-based respondents reusing passwords across 11 to 20+ (!) sites or apps. Yikes.
With passkeys, there’s nothing to remember. No software to manage. And again—they’re free.