
What is a Passkey? The Most Secure Way to Manage Website Accounts
Learn what passkeys are, along with their benefits and challenges. This guide provides a step-by-step explanation on how to use passkeys, helping you understand this secure and convenient authentication method.
2025-03-16 | Tips
What is a Passkey?
A passkey is an authentication method that takes a completely different approach from traditional ID/password-based logins, allowing users to authenticate to websites without entering any passwords at all.
Users log in using a private key stored on their device, and authentication is performed simply by using fingerprint recognition, facial recognition, or a device PIN code.
This provides users with several benefits:
Convenience
With passkeys, there is no longer a need to remember ID and password combinations.
The common issue of "forgetting passwords" is eliminated entirely when using passkeys.
Security
Compared to passwords, passkeys offer robustness in two key aspects.
First, a passkey authenticates by signing a server-issued challenge with a private key that never leaves the device, so the website stores only the corresponding public key. There is no password hash to crack, which is why the brute-force attacks and rainbow table attacks that plague traditional password-based methods do not apply. Combined with the biometric or PIN unlock on the device, this makes the credential far harder to steal than a password.
Second, passkeys differ fundamentally from the traditional approach of users setting their own passwords. This eliminates the need for users to create "easy-to-remember" or "easy-to-enter" passwords, which are often weak and easy for attackers to guess.
Comparison with Traditional Security Methods
Before passkeys, various authentication methods were introduced as alternatives to the ID/password system. How do passkeys compare to these?
SMS Authentication
Using SMS to send one-time passwords for user authentication has been widely used since the 2010s.
In some countries, such as China, ID/password authentication is not supported at all, and services are accessible only through SMS verification. This is because acquiring a phone number typically requires identity verification, allowing telecom operators to provide an additional layer of authentication.
SMS-based login services have been widely adopted, particularly in sectors like fintech, where strong identity verification is required. However, their vulnerabilities are increasingly being pointed out.
For example, if a mobile carrier is susceptible to SIM swap attacks, an attacker could take control of a victim’s SIM card, leading to a complete loss of account access and even financial damage.
Due to such security concerns, many web services, including Google, are phasing out SMS authentication as a security measure.
(However, since SMS remains useful for identity verification, more services are likely to continue requiring phone number registration during account creation.)
OTP Authentication
Many web services use one-time password (OTP) authentication, such as Google Authenticator, to complement the weaknesses of ID/password systems.
While both OTP and passkeys enhance security, their underlying mechanisms differ.
OTP is part of two-factor authentication (2FA), requiring users to enter a one-time code in addition to their password.
In contrast, passkeys completely eliminate the need for passwords. Authentication is done with a private key stored on the device, and the credential is bound to the domain of the website that registered it, so a lookalike phishing site cannot obtain a valid login from the user. The risk of phishing attacks is therefore greatly reduced.
Moreover, by combining passkeys with biometric or device authentication, stronger security is achieved compared to OTP authentication.
Are Passkeys Widely Adopted?
Despite being a significantly superior authentication method compared to traditional passwords, passkeys have yet to achieve widespread adoption.
There are several reasons for this, but the biggest challenge is the complexity of implementation.
With password-based authentication, developers can easily implement secure authentication using built-in cryptographic functions in programming languages (e.g., password_hash() and password_verify() in PHP).
Moreover, services like Firebase Authentication allow developers to set up authentication without writing any code at all.
On the other hand, passkeys are a relatively new technology that requires implementation across both the front end (browser) and back end (server).
Developers need expertise in APIs like WebAuthn, which are relatively new and have complex documentation, leading to increased development costs.
Nonetheless, software solutions such as Passkeys for Firebase are being developed to help integrate passkeys into existing authentication systems, and their adoption is expected to grow over time.
Challenges in Using Passkeys
While passkeys provide a highly secure and convenient authentication method, there are a few potential hurdles when using them for the first time.
One major issue is device compatibility. As mentioned earlier, passkeys are a relatively new technology and do not work on older devices.
According to Google, the following minimum requirements must be met to create a passkey:
- A laptop or PC running Windows 10, macOS Ventura, or ChromeOS 109 or later.
- A smartphone running iOS 16 or Android 9 or later.
- A hardware security key that supports the FIDO2 protocol.
Additionally, passkeys are device-dependent. If you lose the device where your passkey is stored, you could permanently lose access to your passkey.
To minimize these device requirements and dependencies, it is strongly recommended to use a password manager that supports passkeys.
For example, Proton Pass, developed by Swiss-based Proton AG, is a highly secure password manager that uses end-to-end encryption.
By using Proton Pass, users can share passkeys across multiple devices and avoid device limitations. Since all data is encrypted on the user’s device, even Proton AG cannot access the stored passkeys.
And that's not all. Proton Pass not only makes password management more effective but also enhances account privacy with the following features:
Dark Web Monitoring
It monitors for password leaks on the dark web and alerts users.
Encrypted Email Aliases
Instead of using your raw email address, you can use instantly generated email addresses as credentials.
What does this mean? Instead of using your regular Gmail address ([email protected]), you can log in with a Proton-generated email address like [email protected]. These disposable email addresses are created instantly on demand. Of course, all emails sent to these addresses are instantly forwarded to your primary email, making it feel as though you're using your usual address.
Many people use temporary email services like 10minutesmail, but Proton Pass’s email addresses do not expire. Therefore, you won’t face the risk of losing access to two-factor authentication emails, which is a common downside of temporary email services.
Proton Pass Pricing
Proton Pass is available for €1.99 / $1.99 / CHF 1.99 per month.
Additionally, if you purchase Proton Unlimited as a bundle, you get the following extra benefits along with Proton Pass:
- Proton Mail: The world's most secure email service with end-to-end encryption. Includes 15 aliases and support for 3 custom domains.
- Proton Drive: A fast and fully encrypted cloud storage service with up to 500GB capacity.
- Proton VPN: A no-logs VPN service with access to servers in over 100 countries.
- Other security features, including a secure calendar and Bitcoin wallet.
Since all these features are available for just €9.99 per month, Proton Unlimited is highly recommended for those who prioritize security.
Now, let's use Proton Pass to set up Passkeys!
Using Passkeys: Example with Google & Proton Pass
Let's set up a passkey for Google as an example.
Go to the account manager screen, open the "Passkeys and security keys" section, and click the "Create a passkey" button.
You will be asked to confirm the device where the passkey will be created. Click "Create a passkey" to proceed.
If you have the Proton Pass browser extension installed, a passkey save prompt will appear at the top right of your browser.
Click "Save passkey" to store the passkey in Proton Pass.
Yes, that's it! In just two simple steps, you’ve successfully saved a passkey.
Once saved, passkeys in Proton Pass can be used on any device where Proton Pass is installed.
Even if you don't use dedicated software like Proton Pass, passkeys work seamlessly with Windows Hello, Android, and other platforms. However, to share passkeys securely across multiple devices and mitigate risks like device loss, using dedicated software is highly recommended.
Proton Pass is available for €1.99 / $1.99 / CHF 1.99 per month.
Plus, it comes with a 30-day money-back guarantee, so we highly recommend trying it out!