Of the estimated 8.2 billion people in the world, approximately 5.6 billion are email users and 4.5 billion are social media users. We started protecting these online identities with passwords back in the 1970s, and surprisingly, not much has changed. Sure, we have had different forms of authentication over the years, such as simple passwords, multifactor authentication, and even smart cards. However, the password remains widely used in authentication today.
Back in May 2025, Microsoft began enforcing passwordless authentication for all new online accounts. Passwordless authentication is a new way of proving an identity before allowing access to a service. The password is replaced by a public/private key pair, known as a passkey, where the private key is generated and stored on your local device, and only the public key is shared with your SaaS provider. Are you concerned about someone gaining access to the private key? Do not worry; use of the key is further protected by facial recognition, fingerprint scanning, or entering a secure code that is dynamically generated on a smart device. Several passkey providers also hook into Microsoft Windows Hello or Apple’s Touch ID to make authentication easy.
Passkeys are meant to be phishing-resistant because each one is tied to a specific web service. For example, let’s say you generated a passkey for your PayPal.com account. A few weeks go by, and you receive a phishing email stating that you owe $550 for a previous order, with a link that appears to go to PayPal. When you click the link and try to authenticate, the login fails because there is no passkey registered for PayPal.XYZ. This safeguards the private key: it is never used against a site it was not registered with.
Now let’s use a password instead of a passkey in the previous example. The user clicks the phishing link and is presented with a web page that looks identical to PayPal. The user then enters their username and password into the site… Game over!
Microsoft is not the only online service provider promoting the use of passkeys and passwordless authentication. Companies such as Apple, Google, Coinbase, and GitHub have all adopted the use of passkeys. These services also have extensive online tutorials on how to get your account switched from passwords to passkeys.
There are plenty of reasons to begin using passkeys across all your accounts; however, there are a few things to keep in mind. Many service providers will only allow one passkey to be registered to an account at a time. While this may seem reasonable, it prevents a user with multiple computers from registering a different passkey on each device to log into the same site. Some password vaulting solutions, such as 1Password, allow for roaming passkeys, where a single passkey is shared among multiple devices; however, that requires purchasing a service to do so.
In contrast, to meet today’s standards of password usage, which require no repeating passwords and nothing easily guessable, a password vaulting solution would also be required. It is nearly impossible to remember the plethora of unique passwords that one uses throughout the day. An average user could have 10 to 20 services with which they do business, all requiring a different password.
While passkeys are the future for authenticating an identity, there is no easy button for this. To protect our online identities, we must evangelize their adoption and use. We must make technology and the security controls we place around it simple to use. Manufacturers of this technology and its service providers should also work with customers to teach the masses how to effectively use this new technology. Otherwise, I am afraid passkeys will be another great invention that will never get adopted.