Passkeys vs. passwords — which is better?

Maciej Bartłomiej Sikora
Content Writer

It’s not if but how you authenticate

Most online services and applications require you to log in before using them. There's no way around it, as your identity and your right to access digital products must be verified. The methods for this verification can vary, though: you might enter a PIN or password, use biometrics like a fingerprint or facial recognition, click on a link sent to your email, and more.

The most commonly used authentication method remains the traditional password. However, a new kid on the block called ‘passkeys’ has recently emerged, sparking discussions about its superiority to passwords. We will now delve into and share our perspective on this debate. But first…

What is a password, really?

Passwords have existed for hundreds, perhaps thousands, of years. However, in the pre-digital age, they were primarily verbal phrases you had to say aloud to gain access to restricted areas. If this gives you ‘Open Sesame’ vibes, you're right on target.

These days, however, passwords inhabit the virtual realm as combinations of letters, numbers, and symbols that we use to authenticate and secure access to online accounts or systems. Their purpose is to protect our digital privacy and security, a role they have effectively fulfilled over time.

But the problem with many passwords is that they can be cracked. That is to say, if a password lacks enough complexity, cybercriminals can use modern hacking technologies to breach it, gaining unauthorized access to your accounts. For this very reason, many organizations have been searching for a successor to passwords for quite some time now, and it appears they've found one in passkeys.

‘Sorry, what is a passkey?’

It’s difficult to come up with a simple definition of passkeys, but we will do our best to explain this term in the easiest way possible. Basically, passkeys are a new type of credential consisting of two separate cryptographic keys: a public key registered with the website or application and a private key stored locally on your device. During login, these keys must be paired to grant access.

What makes passkeys great is that biometric authentication tools on your device, such as fingerprint scanners or face ID, can initiate this pairing process, eliminating the need for passwords or other authentication factors.

As a result, using passkeys can not only enhance convenience but also significantly boost security by minimizing the risk of password theft. In other words, users can log into their online accounts much faster and with greater peace of mind regarding their cybersecurity.

The difference between passkeys and passwords

At this point, you should be able to distinguish between the two solutions, but we’ll still break down the key differences between passwords and passkeys to make sure it’s all clear. These are:

  • Passwords are user-created strings of characters, whereas passkeys are system-generated cryptographic keys.

  • Passkeys are unique by default, while passwords are as complex as the user makes them.

  • Passwords are stored on servers or databases, while passkeys consist of a public key stored on servers and a private key stored on a device.

  • Passkeys enhance cybersecurity through their dual-key authentication system, unlike passwords, which depend on their complexity.

  • Passwords are authenticated only via servers, whereas passkeys require pairing public and private keys, stored on the servers and the user’s device, respectively.

  • Users can change passwords, but managing passkeys usually requires specialized software.

  • Passkeys provide strong protection against phishing and brute-force attacks, whereas passwords are inherently more vulnerable to such threats.

Are passkeys safer than passwords?

Although we briefly answered this question in the previous section, we would like to discuss the security aspect in more detail.

Passkeys are generally considered more secure than passwords, and there are several reasons for this claim. Firstly, passkeys do not need to be remembered or manually created, unlike passwords, which require you to come up with complex combinations of letters, numbers, and symbols and then try to memorize them.

Moreover, passkeys are generated automatically using cryptography, which splits credentials into two parts. So, in case of a data breach where an attacker accesses your public key, that key alone remains useless without the corresponding private key.
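
To make the key-pair mechanics described above concrete (the "pairing" at login, and why a public key taken from a server is useless on its own), here is an added example in Node.js. It is not NordPass code and not the real WebAuthn message format, only a simplified challenge-response; `RP_ORIGIN`, `serverDb` and the function names are assumptions made for this sketch.

```javascript
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://example.com'; // constructed site origin (assumption)
const serverDb = new Map();              // server stores username -> public key only

// Device: generate the key pair; the private key stays on the device.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Registration: only the public key is sent to and stored by the server.
function register(username, publicKey) {
  serverDb.set(username, publicKey.export({ type: 'spki', format: 'pem' }));
}

// Device: sign the server's challenge together with the origin the browser sees.
function signAssertion(privateKey, challenge, origin) {
  return crypto.sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
}

// Server: check the signature against the stored public key and its own origin.
function verifyLogin(username, challenge, signature) {
  const pem = serverDb.get(username);
  if (!pem) return false;
  const signed = Buffer.concat([challenge, Buffer.from(RP_ORIGIN)]);
  return crypto.verify('sha256', signed, pem, signature);
}

function demo() {
  const device = createPasskey();
  register('alice', device.publicKey);
  const challenge = crypto.randomBytes(32); // fresh random value per login attempt
  const sig = signAssertion(device.privateKey, challenge, RP_ORIGIN);
  return {
    ok: verifyLogin('alice', challenge, sig),
    // The same signature presented for a different challenge is rejected.
    replayed: verifyLogin('alice', crypto.randomBytes(32), sig),
    // A signature produced for a look-alike origin does not match the real site.
    wrongOrigin: verifyLogin('alice', challenge,
      signAssertion(device.privateKey, challenge, 'https://examp1e.test')),
    // Knowing the stored public key does not help: a different private key fails.
    otherKey: verifyLogin('alice', challenge,
      signAssertion(createPasskey().privateKey, challenge, RP_ORIGIN)),
  };
}

console.log(demo());
```

The server never holds anything that can produce a valid signature, which is the property the breach scenario above relies on.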

We also need to mention that major companies like Google, Microsoft, and Apple already support passkeys and are collaborating with organizations like the FIDO Alliance to ensure passkey implementation across platforms. This widespread adoption by industry leaders underscores their trust in passkeys as a safer alternative to passwords, enhancing overall security for their users.

When should you use passkeys, and when passwords?

Once you start adopting passkeys in your daily life, you might face a dilemma each time you create a new account. Should you opt for a passkey here? And should you, perhaps, update your login preferences on your older accounts to use passkeys?

The simple approach is this: if a website or an app allows you to set up a passkey, you can consider using it. However, there are some cases where using a passkey over a password is not just recommended, but actively encouraged.

Think financial operations: logging in to your banking account, PayPal, Stripe, or a similar service. Although such services encourage the use of multi-factor authentication, it might not be enforced. So, if a user’s password is breached, their financial details can be at risk. Setting up a passkey ensures that access to your sensitive banking information is limited to you only and protects your account from direct breach attempts.

If you find the login process irritating—as many do, especially when that “Wrong password” error message pops up—passkeys bypass it altogether, creating a much smoother experience. Passkeys keep it quick and simple without the mental load of remembering each password.

However, there are some instances where a password may be your only option. For example, although biometric support seems like a no-brainer, older devices don’t offer sufficient technology to create and store passkeys. iOS only added third-party passkey support in 2023 with the release of iOS 17. So, if you carry an older phone model in your pocket, check its compatibility.

Some users don’t feel comfortable with biometric verification. It’s understandable—you can’t replace your fingerprint the way you can reset your password. For these users, a password with multi-factor authentication may be a preferred way to keep their login details secure.

Another limitation is down to the service providers themselves. The list of websites and apps that support passkeys grows daily, but it’s far from endless. If you don’t see an “Add passkey” option, chances are it hasn’t been added yet, limiting you to password login (for now). In this case, periodically check the platform’s security settings to see when passkeys are introduced.

With all that said, keep in mind that creating a passkey doesn’t mean your password is automatically erased. Passwords and passkeys are substitutes for each other, but the existence of one doesn’t cancel out the other. If you don’t have access to biometric verification, you can switch to your old password as an alternative login method. Likewise, if you want to simplify your login steps, you can easily select passkey as your primary authentication method, given that the platform supports it.

Store your passkeys and passwords in a secure password manager

Being one of the first password managers to support passkey technology, NordPass offers a cybersecurity solution that combines the best of both worlds, allowing you to securely and efficiently use passkeys and passwords.

With NordPass, encryption goes beyond just passkeys—stored in its encrypted vault, your passwords are protected from unauthorized access. Additionally, features such as autosave and autofill make storing and filling in passwords quick and easy. NordPass also includes a Password Generator that can create complex passwords on the spot, preventing you from using weak or previously used passwords in the future.

NordPass effectively addresses common password challenges, empowering its customers to adopt more sophisticated security practices. Whether you prefer using passwords or aim to transition to a passwordless future, NordPass provides the flexibility and tools to support both choices. Which way you will go is up to you.
