What is a passkey and should you use one?

By Allstate Identity Protection

Old-school login credentials came about decades ago, long before app stores, streaming services, and online shopping existed. That’s given cyber crooks plenty of time to figure out how to steal passwords, break into accounts, and even hijack identities. Now, major tech companies are rolling out something designed to be both easier and more secure: passkeys.

Pop quiz: What’s celebrated on May 1? Here’s a hint: it’s not the return of spring.

In the tech world, May 1 is recognized as “World Passkey Day.” But just what are passkeys, and why should they be something to cheer about?

What are passkeys?

Passkeys are the next generation of login credential tech, designed to replace traditional passwords. They’re often described as a “passwordless login” method because you don’t have to create, remember, or type in a password.

In simple terms, a passkey lets your device prove it’s really you—using something like Face ID, Touch ID, or your device PIN—without ever sending a password over the internet.

How passkeys work

The word “passkey” is a bit of a misnomer because the term actually describes a pair of cryptographic keys that, when used together, unlock access to an account.

One half of the key set—considered “private”—is stored on your device and is personal to you. This device-specific key might be a passcode or PIN that unlocks your screen, or it might be biometric data that does the same. (Examples of biometric data include fingerprint mapping, like Touch ID on a Mac device, or facial recognition, like Face ID on an iOS device.)

The second half of a passkey is considered “public” and uniquely represents you to the company providing the service the passkey unlocks. To open any passkey-protected account, both the private and public passkeys must sync up.

On his YouTube channel, associate professor John Kundert-Gibbs at the University of Georgia uses an old-school example to explain passkey tech. Years ago, he says, bank security deposit boxes could only be opened with two different keys inserted and turned at the same time. One—let’s call it the public passkey—was kept by the bank. The second—like the private passkey—belonged to the customer. Put both keys in and voila: access to the deposit box was granted.
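The key pair described above can be modeled in a few lines. This is an added example, not code from Allstate Identity Protection or any passkey provider, and it simplifies real passkey sign-in (no WebAuthn encoding, exact-hostname matching only). The function names and the bank.example sites are made up for illustration, and the screen unlock (PIN or biometric) that gates use of the private key is assumed to have already succeeded.

```javascript
// Simplified model of a passkey sign-in (added example; not real WebAuthn encoding).
const nodeCrypto = require("node:crypto");

// Registration: the device creates a key pair scoped to one site (rpId).
// Only the public key goes to the service; the private key stays on the device.
function registerPasskey(device, rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  device.credentials.set(rpId, privateKey);
  return publicKey; // what the service stores
}

// Sign-in, device side: sign the service's challenge together with the origin
// the browser actually sees. Returns null if no passkey exists for that site.
function signIn(device, origin, challenge) {
  const privateKey = device.credentials.get(new URL(origin).hostname);
  if (!privateKey) return null;
  const clientData = JSON.stringify({ type: "get", challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Sign-in, service side: check the challenge and origin, then the signature.
function verifySignIn(publicKey, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return false; // stale or replayed response
  if (data.origin !== expectedOrigin) return false;       // produced for another site
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

// Constructed scenario: one real site, one lookalike, one replay attempt.
function demo() {
  const ORIGIN = "https://bank.example";          // constructed site name
  const LOOKALIKE = "https://bank-login.example"; // constructed lookalike
  const device = { credentials: new Map() };
  const publicKey = registerPasskey(device, "bank.example");
  const newChallenge = () => nodeCrypto.randomBytes(32).toString("base64url");
  const c1 = newChallenge();
  const good = signIn(device, ORIGIN, c1);
  const c2 = newChallenge();
  return {
    legitimate: verifySignIn(publicKey, ORIGIN, c1, good), // true
    replayed: verifySignIn(publicKey, ORIGIN, c2, good),   // false
    lookalike: signIn(device, LOOKALIKE, c2),              // null
  };
}

console.log(demo());
```

The service never holds anything secret: a stolen copy of its public-key store cannot be used to sign in, and a lookalike site receives no response it could forward.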

Are passkeys safe?

No security method is perfect, but passkeys remove many of the biggest weaknesses of passwords. They can’t be easily guessed, reused across sites, or phished through fake login pages.

They’re also typically easier for people to use correctly, which matters. The most secure system in the world doesn’t help if it’s so frustrating that people avoid it or take shortcuts.

Passkeys are going mainstream

Allstate Identity Protection will soon offer passkey technology for its members—and we’re in good company. Many of today’s biggest brands and platforms also support passkeys. (The Swedish group 2factorauth keeps a crowdsourced list of passkey-enabled organizations up to date.)

Passkeys vs. traditional passwords

Passkeys are typically tougher than traditional passwords to hack, and there are several reasons for that.

First, private passkey data is stored on your personal device, rather than on a server. Hacking individual devices is cumbersome at best, which makes this route unappealing for cyberthieves. Biometric logins are also considered to be some of the most robust protections in the world today. (Your average cyber crook can’t hack them at a scale that’s cost-effective.)

Add those turn-offs together and cyberthieves typically go for low-hanging fruit instead: classic passwords.

Just look at the numbers: In 2024, the Microsoft Digital Defense Report noted that more than 7,000 password attacks took place every second of the day—that’s more than 600 million attacks daily. Some reports note that the heat has been turned up because crooks know the days of traditional passwords are numbered thanks to passkey tech.

How to turn on a passkey

Turning on a passkey is usually quick. In many cases, you’ll be prompted at just the right time: when you’re signing into an account.

Typically, you’ll start by logging in the old-fashioned way (with a password), then heading to your account’s Security or Sign-in options settings. Look for words like “Passkeys”, “Create a passkey”, or “Passwordless login”, then follow the prompts to confirm it’s you using Face ID, Touch ID, or your device PIN.

Once your passkey is created, logging in becomes much simpler. Instead of typing a password or copying a one-time code, you’ll usually just scan your face or fingerprint—or enter your device PIN—and you’re in.

Passkeys are often stored in the “ecosystem” you already use, like Apple’s iCloud Keychain or Google Password Manager, so they can sync across devices you own. That means if you set up a passkey on your phone, you may be able to use it on your tablet or laptop, too.

And don’t worry: in most cases, turning on a passkey doesn’t delete your password. Many companies let you keep both options, so you can still sign in the traditional way if you ever need to.

What happens if you lose your device?

This is one of the most common concerns about passkeys. In many cases, your passkeys are securely synced through your cloud account (like Apple or Google), which means you can still access them from another trusted device.

Most services also offer account recovery options if you lose access to your primary device. Setting up passkeys on more than one trusted device can make recovery even easier.

The future of passkeys

Scanning your fingertip or face is often much easier than recalling a password, using a password hint, or requesting a one-time multifactor authentication passcode. That’s part of the appeal of passkeys.

Another appeal lies in device “ecosystems.” For example, say you set up a passkey on your iPhone. Your iPad can sync to that same passkey. While switching from one operating system to another—like Android versus iOS—can be more complicated, companies have gotten behind the FIDO Alliance, a tech industry consortium that aims to make passwords obsolete.

While passwords aren’t disappearing overnight, passkeys are clearly where things are headed. If you’re tired of juggling logins (and want stronger protection with less effort), enabling passkeys when you see the option is one small upgrade that can make a big difference.

Using passkeys is also one more way to reduce your risk of account takeover, alongside tools like dark web monitoring and identity monitoring that help you spot problems early.