
Google is killing off the password forever. Here’s what could replace it

Google’s new passkey software is a biometric replacement for the old-fashioned password. Can we finally forget about having to remember what all our passwords are?

Published: May 23, 2023 at 3:31 pm

At the start of May, Google announced it was beginning a shift towards using passkeys to grant users access to its software. The tech giant describes passkeys as “the easiest and most secure way to sign into apps and websites” and hails the move as a step towards a “passwordless future”.

Sounds good. But what is a passkey and how will it make you and your devices more secure?

What’s wrong with passwords?

The very first digital passwords were invented by an MIT professor in the mid-1960s who needed to give multiple users private access to the same giant computer. Passwords soon became ubiquitous in our computers and it’s easy to see why – a simple, memorable word is quick and easy to input when you want to gain access to your computer.

But that’s also the problem with passwords. A simple, memorable word such as ‘password’ or ‘123456’ is very easy to guess, and when hackers ask their computers to guess millions of passwords a second, even quite complex words and codes can be broken instantly.

The best way to thwart this kind of hacking is to use long passwords, as the number of combinations (and difficulty of guessing) increases exponentially with length. For example, ‘My!_Garden_ShedWith13Daffodils#and17Tulips_Outside’ is considerably harder to guess than ‘MyPa55wo2d!xxx’.

On top of that, it’s recommended that you use a different password for every new app, so that if one is exposed by a hacker, none of your others will be at risk. Unfortunately, today this has become infeasible as everything from Netflix to your bank requires a password – it’s not possible for us to remember hundreds of different codes.

Our solution? We write the passwords down, often on sticky notes stuck to the monitor or keyboard, or on a pad kept in a nearby desk. Alternatively, we use password manager apps that remember everything for us but provide a one-stop-shop for hackers.

But it’s not just physical records that make you vulnerable. One of the most common ways for hackers to obtain your passwords is so-called ‘social engineering’. It might be as simple as a phone call to a company pretending to be a new employee who forgot their password. Or it might be a scammer who pretends to be your bank and asks you to download special software.

Sometimes ‘bait’ is left – a USB drive that looks as though it contains something interesting but actually contains malware that you inadvertently install on your computer. This will then monitor your device and record your passwords and send them to the fraudsters.

It may even be more brazen: a fraudster who sends a ‘scareware’ email, claiming they’ve taken over your computer and that they have videos of you that they intend to post publicly unless you give them what they want.

So passwords are a weak spot. Doesn’t two-factor authentication solve that?

To some extent, yes. But two-factor (or multi-factor) authentication (2FA/MFA) still relies on you remembering the relevant password.

MFA-enabled devices work by asking you for your password before they use another method of identifying you – sending a text or email, or asking for a response via a dedicated app. The theory is that even if hackers have your password, they’d still be unable to gain access because they’d need your phone or computer.

But 2FA is still vulnerable to hackers through various methods. For example, simply resetting a password can sometimes bypass the 2FA, or hackers could ‘SIM-jack’ your SIM card so that texts go to their device instead of yours.

So what do the experts recommend?

Security experts prefer methods that authenticate your identity rather than just your device. This is where biometric passkeys come in. Biometric authentication uses special sensors in your devices to measure features unique to you and uses those as a passkey.

Your fingerprint, 3D facial dimensions, iris, retina and palm vein can all be used to identify you. And today our smartphones, laptops and tablets are capable of reading fingerprints and faces, so they can perform accurate biometric authentication.

How do biometric passkeys work?

When your device knows it’s really you, it then has to send that approval securely to the application demanding authentication. Passkeys provide that mechanism. They use cryptographic security – the same kind of system used for Secure Sockets Layer (SSL) websites to ensure that data transferred between sender and recipient cannot be intercepted and deciphered.

Your phone maintains a private cryptographic key stored on the device and releases a public key to the application. This enables your phone to send a private message to the application that can only be read by that application saying: “the biometric test has been passed”.

All you need to do is look at the phone or put your finger on the fingerprint reader.

And passkeys are better because…

Once we have biometrics and passkeys, we no longer need passwords. And this looks like the next stage in the evolution of computer security. Google recently announced that it’s switching from passwords to passkeys, turning off passwords and 2FA altogether for those users who wish to switch.

It’s a better solution for everyone: no more passwords to remember, no codes sent to your phone that you have to type in. And should your phone be lost or stolen, it’s no problem: the authentication requires your face or your fingerprint. So it won’t work for anyone else.

Like all changes, this may take some getting used to – some of us have been using the (same) passwords for a very long time! But adoption is likely to be offered as a choice and given the alternatives, this is a considerable improvement. If you’re offered the option of a passkey with biometric authentication, it’s worth a try.
