{"id":9174,"date":"2025-05-02T14:01:16","date_gmt":"2025-05-02T18:01:16","guid":{"rendered":"https:\/\/tcn.tidbits.com\/?p=11002"},"modified":"2025-05-02T16:24:21","modified_gmt":"2025-05-02T20:24:21","slug":"why-passkeys-are-better-than-passwords-and-how-to-use-them","status":"publish","type":"post","link":"https:\/\/www.macworks.com\/blog\/why-passkeys-are-better-than-passwords-and-how-to-use-them\/","title":{"rendered":"Why Passkeys Are Better than Passwords (And How to Use Them)"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">No one likes passwords. Users find managing them annoying, and website managers worry about login credentials being stolen in a data breach. The industry has developed a better solution: passkeys.<\/span><\/p>\n<h3><b>Passwords versus Passkeys<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Traditional multi-factor authentication involves three methods of authentication, at least two of which are required for protection. They include <\/span><i><span style=\"font-weight: 400;\">something you know<\/span><\/i><span style=\"font-weight: 400;\"> (a password), <\/span><i><span style=\"font-weight: 400;\">something you have<\/span><\/i><span style=\"font-weight: 400;\"> (usually a code from an authenticator app or text message), and <\/span><i><span style=\"font-weight: 400;\">something you are<\/span><\/i><span style=\"font-weight: 400;\"> (biometric authentication). Most systems primarily use the first two, but that leaves room for attack because someone could acquire your password and an authentication code through nefarious means.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Passkeys change the model. Instead of how passwords and codes use words and numbers that can be copied and shared, passkeys are pairs of cryptographic keys: a public key and a private key. Websites keep the public key, and the private key is stored securely within a device or encrypted vault, such as in the Secure Enclave in Apple\u2019s chips or a 1Password vault. Authenticating with a website requires providing the private key that matches the account\u2019s public key, something that Apple users with modern devices can usually initiate with Touch ID or Face ID.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Instead of generating security with something you have and something you know, passkeys rely on <\/span><i><span style=\"font-weight: 400;\">possession<\/span><\/i><span style=\"font-weight: 400;\"> (do you have the device?) and <\/span><i><span style=\"font-weight: 400;\">presence<\/span><\/i><span style=\"font-weight: 400;\"> (are you physically in front of the device?). This approach is fundamentally more secure than passwords because the private key can\u2019t be phished, copied, or used remotely, and you must be physically present to unlock your device. Nor can you be tricked into providing a passkey to a malicious website. (Neither approach protects against<\/span><a href=\"https:\/\/xkcd.com\/538\/\" rel=\"noopener\"> <span style=\"font-weight: 400;\">physical coercion<\/span><\/a><span style=\"font-weight: 400;\">.)<\/span><\/p>\n<h3><b>Where Can You Use Passkeys?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">In practice, since you use passkeys primarily to sign into websites, passkeys are stored alongside account details in your password manager. For Apple users, Safari (in iOS 16 or macOS 13 Ventura and later) with Apple\u2019s Passwords app provides the most integrated passkey experience. However, most independent password managers, such as <\/span><a href=\"https:\/\/1password.com\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">1Password<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/bitwarden.com\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">Bitwarden<\/span><\/a><span style=\"font-weight: 400;\">, and <\/span><a href=\"https:\/\/www.dashlane.com\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">Dashlane,<\/span><\/a><span style=\"font-weight: 400;\"> also enable you to store, share, and enter passkeys and can take over for or work alongside Apple\u2019s Passwords. They provide consistent passkey functionality across all major Web browsers, although experiences may vary slightly due to differences in how they handle authentication prompts and platform integration.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You\u2019ll also find robust support in the Password Manager built into Google Chrome and other Chromium-based browsers, including Arc, Brave, Edge, Opera, and Vivaldi. Firefox\u2019s native passkey support is more limited, but third-party password managers work well with Firefox.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although website support for passkeys was initially slow, an increasing number of sites now support them. That includes the big three of Apple, Google, and Microsoft, of course, as well as Amazon, Best Buy, Discord, eBay, GitHub, Intuit, Netflix, Notion, PayPal, Robinhood, Stripe, Target, Walmart, and WhatsApp.<\/span><\/p>\n<h3><b>Setting Up Passkeys<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The process of setting up passkeys varies a little by website, but is generally remarkably easy. You may be prompted to create a passkey while signing in, or you may need to navigate to the security options associated with your account.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Google offers both approaches. Setting up a passkey for a Google Account can be as simple as agreeing to do so while logging in. If you\u2019re already logged in, Google\u2019s<\/span><a href=\"https:\/\/myaccount.google.com\/signinoptions\/passkeys?rapt=AEjHL4Orw94fAm9uTX04GZNGEzOItvCkhq8NpRzAb5l2ZkcjdH7JPm73SDYOHJ64eCL_gnjfQ9JG1xPi6WfmcyissfOPuWeGMrP7QfsC2RLvd_n4R5QZn0I&amp;continue=https:\/\/myaccount.google.com\/security\" rel=\"noopener\"> <span style=\"font-weight: 400;\">Passkeys and security keys<\/span><\/a><span style=\"font-weight: 400;\"> page lets you make one. Once you click Create a Passkey, you\u2019ll be prompted to save it in either Apple\u2019s Passwords or another password manager like 1Password. That\u2019s it.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-10999\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them.png\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" srcset=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-4.png 980w, https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-5.png 480w\" alt=\"\" width=\"1024\" height=\"649\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Note that if you use both Passwords and another password manager, you can save the passkey in only one, and only that one can use it to sign in later. However, most sites that support passkeys let you add multiple passkeys, so you could save separate passkeys in different password managers.<\/span><\/p>\n<h3><b>Signing in with Passkeys<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Similarly, using a passkey to sign in is trivially simple. You navigate to the website\u2019s login page, enter your username, choose the passkey sign-in option if necessary, and then authenticate.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11001\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-1.png\" alt=\"\" width=\"976\" height=\"554\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Exactly how you authenticate depends on the device you\u2019re using and your password manager. On the Mac, Passwords will ask you to use Touch ID if available (above) or a dialog otherwise (below, left). 1Password, once unlocked for the session, presents a dialog with a Sign In button (below right).<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11000\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-2.png\" alt=\"\" width=\"890\" height=\"266\" \/><\/p>\n<p><span style=\"font-weight: 400;\">On the iPhone and iPad, an authentication dialog appears at the bottom of the screen asking if you want to sign in with your passkey. Tap Continue and authenticate with Face ID or Touch ID (with a fallback to your passcode if necessary).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Unsurprisingly, Apple makes it particularly easy to sign in to Apple websites like iCloud.com using a passkey. As soon as you navigate to such a site in Safari, the device prompts you to sign in using your current Apple Account username and an implicit passkey.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When using other browsers or another Mac that lacks access to your passkey, selecting the passkey sign-in option displays a QR code that you need to scan with an iPhone or iPad that has the passkey stored on it.<\/span><\/p>\n<h3><b>Managing and Sharing Passkeys<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">As noted, passkeys are stored in accounts managed by a password manager. In fact, passkeys are currently stored alongside passwords in each account. There\u2019s nothing to see or edit, although you can delete passkeys like any other data. Although deleting the passkey on your device guarantees that it can\u2019t be used to sign in again, it\u2019s best to also delete the passkey at the website where you created it to avoid confusion.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11003\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-3.png\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 981px, 100vw\" srcset=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-6.png 980w, https:\/\/macworks.com\/blog\/wp-content\/uploads\/2025\/05\/why-passkeys-are-better-than-passwords-and-how-to-use-them-7.png 480w\" alt=\"\" width=\"981\" height=\"542\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Passkeys are automatically synced among all your devices by the password manager so you can take advantage of them everywhere, but note that syncing is specific to just one password manager\u2014for instance, iCloud Keychain doesn\u2019t sync with 1Password or other third-party managers. The authentication method varies by device, but the overall experience remains the same.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can also share passkeys with other people in your family or workgroup, just as you would with password-only accounts. They can log in to your passkey-protected accounts because they can prove possession (they have the passkey) and presence (they\u2019re authenticating). In essence, you\u2019re saying, \u201cThis person is authorized to act as the account holder.\u201d<\/span><\/p>\n<h3><b>Passkey Concerns<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Although passkeys are a big step forward in usability and security compared to passwords, they\u2019re not without limitations or concerns, which have slowed adoption:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Account recoverability:<\/b><span style=\"font-weight: 400;\"> Because passkeys are tied to devices, if a user loses all their devices and doesn\u2019t have a cloud backup option (such as registering a new iPhone to an existing Apple Account or adding a new device to a 1Password account), it\u2019s impossible to recover an account. This is primarily a concern for those who have only a single device and no one with whom to share.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Sharing hurdles:<\/b><span style=\"font-weight: 400;\"> If you want to give someone else passkey access to an account\u2014perhaps a shared bank account\u2014you must log in on their device and then create an additional passkey that is stored on their device.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Lack of portability:<\/b><span style=\"font-weight: 400;\"> Although passkeys can be synced between devices using the same platform (iCloud Keychain, 1Password account, etc.), there\u2019s no way to export a passkey from one platform and import it into another. You have to recreate passkeys from scratch for each platform. Vendors are working on the problem, but as you can imagine, enabling export\/import opens up security concerns.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>User confusion:<\/b><span style=\"font-weight: 400;\"> People are, understandably, still unfamiliar with passkeys, leading many to avoid them on principle. It hasn\u2019t helped that using passkeys is slightly different on every website. The industry is working to standardize the user experience, but we\u2019re not there yet.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Passwords still exist:<\/b><span style=\"font-weight: 400;\"> No major websites allow passkey-only accounts. Since all accounts still have passwords that can be stolen, passkeys aren\u2019t increasing security nearly as much as they could.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Enterprise support:<\/b><span style=\"font-weight: 400;\"> Large organizations want to know if a passkey was generated on a secure device, if it can be revoked or rotated, and if the user employing the passkey has truly been verified. Support for these requirements is still evolving.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Digital inheritance:<\/b><span style=\"font-weight: 400;\"> When passkey-only accounts become commonplace in the future, passkeys may be more challenging to manage in situations involving the user\u2019s death. For now, the solution is to share passkey-protected accounts with family members in advance using a password manager. The industry would do well to establish standards around this inevitability.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Nonetheless, the perfect shouldn\u2019t be the enemy of the good. Passkeys improve on passwords in both usability and security, and the best way to get to an easier, more secure future is to start using passkeys wherever possible today.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(Featured image by iStock.com\/tanit boonruen)<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>No one likes passwords. Users find managing them annoying, and website managers worry about login credentials being stolen in a data breach. The industry has developed a better solution: passkeys. Passwords versus Passkeys Traditional multi-factor authentication involves three methods of authentication, at least two of which are required for protection. They include something you know [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":9175,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,69,106,112,185,104],"tags":[],"class_list":["post-9174","post","type-post","status-publish","format-standard","has-post-thumbnail","category-apple","category-apple-consulting-ct","category-apple-support-ct","category-mac-support-ct","category-mactech","category-security"],"_links":{"self":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/comments?post=9174"}],"version-history":[{"count":1,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9174\/revisions"}],"predecessor-version":[{"id":9177,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9174\/revisions\/9177"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media\/9175"}],"wp:attachment":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media?parent=9174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/categories?post=9174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/tags?post=9174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}