Why Passkeys are the Future of Security

Passwords are the weakest link in modern account security, and Microsoft, Google and others are actively trying to get rid of them.

Microsoft blocks 7,000 password attacks per second. That’s more than 600 million attacks each day.

Imagine a world where you’d never have to type in another password that could be stolen.

Sounds too good to be true, right?

Microsoft is trying to convince its more than one billion users that passwords will become a thing of the past. Instead of passwords, Microsoft (and some other big corporations like Google, eBay and PayPal) are utilizing passkeys and encouraging users to use them whenever possible.

It’s an arduous task as passwords — or some iteration of them — have dated back to the Roman empire. Fast forward to modern times, password usage has been the default way to secure accounts for decades. Asking people to change that process is going to result in pushback and confusion.

But passkeys are more secure, faster and easier to use than passwords, and they aren’t susceptible to the same kinds of attacks.

What are Passkeys?

Before we get into the intricacies of why passkeys are superior to passwords, let’s dive into what a passkey is.

Technically, passkeys are a pair of cryptographic keys — one public, one private. The private key never leaves your device.

You can think of passkeys as a form of multifactor authentication, but instead of using them in combination with a username and password, passkeys are the two forms of authentication needed to gain access. No password is needed when you have a passkey.

Passkeys consist of two separate keys: One key is public and registered with the app or website you’re using, and the other is private and stored on your device, whether it’s a laptop, tablet or phone. So, even if an attacker were to somehow gain access to the public one (which would be unlikely as they are built to resist hacking attempts), they would still need the key stored on your device to access your account.

The key stored on your device uses biometric credentials (like fingerprints or facial recognition) or a device PIN to verify an account owner’s identity. PINs, unlike passwords, are tied to a specific device, so they can’t be used remotely like a username and password combination can.

Instead of typing in a username and password to access your account, you would simply use whatever biometric credential or PIN you have set up on your device, which could be a fingerprint ID on your laptop or facial recognition on your phone.

Why are Passkeys Better Than Passwords?

There are a few reasons why passkeys are slowly gaining popularity:

• Security: Passkeys are phishing resistant, can’t be guessed or stolen, making them more secure than passwords. Even if an attacker tricks you into visiting a fake login page, your passkey can’t be stolen because they only work on the legitimate site.

• Speed: According to Microsoft, Passkeys are three times faster than traditional passwords and eight times faster than a password combined with multifactor authentication.

• Ease of use: Passkeys eliminate the frustration of forgotten passwords and reduce the need for one-time codes and support calls.

Phasing Out Passwords

Of course, asking billions of people to stop using passwords isn’t going to happen overnight. Passkeys are relatively new technology, so it will take time and education before people switch.

Additionally, an account still is at risk of a phishing attack if you have both a passkey and a password. Only when the password is removed will it be resistant to phishing attempts.

Microsoft, for example, made it possible for users to remove their passwords in 2022 and sign in with alternative methods.

This was just the start of Microsoft’s plan to eventually phase out passwords and offer only phishing-resistant credentials.

Microsoft has laid out a multistep roadmap to eliminate passwords entirely. Right now, in 2025, we’re at the “Support passkeys” stage — users can set up passkeys, but passwords are still the default.

Over time, Microsoft plans to move toward requiring passkeys by default, then removing password support entirely, until only phishing-resistant options remain.

The ultimate goal is to remove passwords completely and only support phishing-resistant credentials.

Do I Need to Change to Passkeys Now?

You don’t need to make a full switch today.

Most services still rely on passwords, and passkey support is still growing. But now is a good time to start experimenting. Try enabling passkeys on a personal Microsoft or Google account so you’re familiar when they become more common.

Another issue is there is no uniformity with passkey implementation. Currently, how one company implements passkeys could be vastly different from how another company implements them.

For example, Microsoft said passkeys will sync across devices. So, if you create a passkey on your laptop, you won’t need to create a separate passkey on your phone to access your Microsoft account.

However, other companies can’t sync passkeys across devices, so you would have to create a separate passkey for each device.

Additionally, there still is no uniform solution when it comes to getting a new device. Do you need to delete the passkey on your old phone before you get a new device? What if you drop your phone in the lake or lose it some other way: How does the passkey get transferred to the new device?

Companies will have to answer these questions and figure out a consistent way to implement them, or it will only frustrate their users.

Learn More About Passkeys

Want to learn more about passkeys and how they work? We’re here to help!

While there is no rush to implement passkeys, it’s important to note passkeys aren’t just a fad: They are the future of online security. You can contact us to schedule a meeting if you want to discuss passkeys and how they’ll affect the security of your organization.

Stay updated! Get tips and insights delivered to your inbox weekly by subscribing to our newsletter.