Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, and how does it work?
What are passkeys?
A passkey is a form of identification you can use to gain access to an account. Passkeys replace the need for passwords and two-factor authentication (2FA) by using your device to identify you. Since you no longer have a password to steal, passkeys protect against phishing. Passkeys are also less susceptible to brute-force attacks as they work by creating cryptographic keys.
Passkey vs. password
The definition above probably sounds vague, so the best way to explain is by comparing passkeys to something you’re more familiar with, namely passwords. Normally, you gain access to an account by entering the credentials you gave when you created it: your username (often your email address) and password.
Not so with passkeys. When you create an account with a service that supports passkeys, your password manager generates a set of encryption keys. The next time you try to access the site, it will recognize the keys you hold and log you in without the need to enter your password.
How passkeys work
Passkeys use the principle of asymmetric or public-key cryptography. We go into more detail about this in our article on how encryption works, but the short version is that when you create a passkey, your password manager generates two mathematically connected numeric keys: one public, one private.
The service you’re signing up for holds the public key, while you as the user hold the private one, which is stored on your password manager. When logging into the service, the public key sends a challenge to your device which can only be answered correctly by your private key, identifying you as the account owner.
The system is very secure and practically impervious to brute force attacks. To crack the kind of numbers used in public-key cryptography would take a combination of the world’s supercomputers billions of years.
Advantages of using passkeys vs. passwords
For you, the user, the whole login procedure is entirely seamless: All the above happens automatically and virtually instantly. The only real downside to using passkeys is that few sites use them at time of writing, adoption is slow as implementation can pose problems. Supporting passkeys can get very technical, and since passwords and passphrases are highly secure there’s not always a direct need to bother with it. On top of this, there are moments when using a passphrase can be more useful as they can be more easily memorized.
Even if more sites used them, another issue is that many devices don’t support passkeys. For example, Android users can only use them if they’re using Android 14, and even then only if they have enabled some specific options — read more about this in our article on enabling passkeys.
Passkeys and Proton Pass
To use passkeys, you need to use a program that can send and receive the keys that make up the passkey. For most people this will be a password manager, a program that stores and manages passwords and, more recently, passkeys. Currently, not all password managers support passkeys, across all devices, but Proton Pass does.
As secure as passkeys are, they do create a single point of failure: if somehow somebody gets access to your passkeys, you’re in trouble. To prevent this from happening, Proton Pass uses end-to-end encryption to make sure your passkeys are always stored safely on our servers; nobody can access them, not even us.
On top of that, we are also platform agnostic: You can use passkeys on any site that supports them, using any of your devices as long as they are compatible.
Add to this our acclaimed interface, and you have a convenient way to implement this modern security tool. If you’re interested in knowing more about how Proton works, create a free Proton account today or check out our guide on how you can get started using passkeys.
FAQ
Can I log in to Proton Pass with Passkeys?
No, you can’t log into Proton Pass apps using passkeys, but with passwords or passphrases, or via biometrics.
Do passkeys mask a password?
No, they replace passwords completely as they work entirely of keypairs.
Where are passkeys stored?
An encrypted version of your private key is stored on Proton’s servers, while the public key is held by the service you have an account with.
What happens to my passkeys if my device is stolen?
Nothing, they will still be on your device, making it imperative that you secure your Proton Pass app with a PIN or biometric scan.