In a recent discussion on personal cybersecurity, readers have raised questions about the safety of passkeys compared to traditional passwords. The UK's National Cyber Security Centre and other experts advocate for passkeys, but some users remain skeptical. Martin Avis from Chester asks: how can a smartphone PIN or facial recognition be safer than a complex password with two-factor authentication?
Understanding Passkeys
Passkeys are a form of authentication built on a cryptographic key pair that is generated and stored on your device and unlocked by something local to it, such as a PIN or biometric data like facial recognition. Unlike a password, the secret half of a passkey is never sent to or stored on a company's server; the service holds only the public half, which is no use to an attacker on its own. This is what makes passkeys unphishable and far less exposed to hacking.
Why Are Passkeys Considered Safer?
Experts highlight several reasons why passkeys are more secure:
- Unphishable: A passkey is bound to both your device and the genuine website's address, so a look-alike site set up by criminals cannot obtain a valid sign-in response, and there is no secret for you to be tricked into typing.
- No Server Storage: The secret half of a passkey is never stored on company servers, so a data breach at the service cannot expose a credential that works for logging in.
- Device-Specific: The private key is locked to the device that created it and cannot be exported by a website, so an attacker who learns everything the service knows still needs physical access to your unlocked device to sign in.
Addressing Concerns: Phone Theft and Loss
One common concern is what happens if your phone is stolen or lost. If a thief guesses your PIN or bypasses facial recognition, they could potentially access your accounts. However, passkeys are designed with additional safeguards:
- Device Lock: Your phone's lock screen provides a first layer of defense. Most devices require the correct PIN or biometric match before the passkey can be used.
- Remote Wipe: Phone makers let you erase a lost or stolen device remotely, and most services let you revoke a passkey from another device you are still signed in on, so the copy on the missing phone stops working.
- Multi-Device Support: Passkeys can be synced across multiple devices (e.g., via iCloud Keychain or Google Password Manager), so losing one device does not lock you out of your accounts.
Real-World Experience
Users who have adopted passkeys report a smoother and more secure experience. For example, logging into websites or apps with a fingerprint or face scan is faster and eliminates the need to remember complex passwords. Additionally, passkeys reduce the risk of password reuse across multiple sites, a common security flaw.
In summary, while no system is perfect, passkeys offer significant advantages over traditional passwords and two-factor authentication. They are designed to be both user-friendly and resilient against common cyber threats. As technology evolves, passkeys are likely to become the standard for secure authentication.
This article is part of a series where readers answer each other's questions. Submit your own questions or answers to nq@theguardian.com.