Passkeys Are The Passwordless Future, But They're A Mess

Elyse Betters Picaro / ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• Adoption of passkeys is fragmented crossed sites and devices.
• Users still request passwords for betterment and caller instrumentality setup.
• Phishing protection makes passkeys worthy adding, contempt confusion.

OK. Fine. I've yet decided to clasp passkeys. But why does it consciousness truthful icky?

As you astir apt know, passkeys are nan tech industry's reply to The Password Problem. Unlike password data, which tin beryllium breached, phished, quished, vished, and smished, passkeys require an encrypted backstage cardinal that (at slightest theoretically) only you have.

They are nan pinnacle of modern credential security, and we each should beryllium utilizing them. Or astatine least, that's nan connection our favourite sites are nagging america pinch constantly.

But not truthful much. The reality is way, waaaay messier than it should be.

I'm moving to passkeys

Slow down, bucko. You apparently don't move to passkeys. Most of nan clip you conscionable adhd them. Stick pinch maine here. I'm going to effort to deconstruct immoderate of nan hype and stock my knowing of wherever these overreaching beasties fresh into our credential information infrastructure.

Let's commencement pinch a small integer escapade I had recently.

After being nagged 1 excessively galore times by a number of sites I usage daily, I precocious decided to springiness in. I decided to "move" to passkeys. At that point, I mistakenly believed passkeys are replacements for nan username/password paradigm we've been utilizing for decades.

Also: What are passkeys? How going passwordless tin simplify your life successful 2025

Actually, astir 2 years ago, I concisely tried passkeys only to wantonness them almost immediately. That was conscionable arsenic they were gaining early adoption, and I, arsenic a master early adopter, figured I should jump connected nan bandwagon. The acquisition was a convoluted mess. I quickly gave up connected nan effort.

Now, though, it's been a fewer years since that attempt. My sites person started perpetually nagging maine astir passkeys. I naively thought astir of nan worst challenges must person been flooded since my earlier, ill-fated attempt. Surely, pinch truthful galore consumer-facing sites pushing muggles to passkey use, nan exertion must beryllium fresh for primetime.

I started pinch a well-known financial institution. My erstwhile login method had been username and password, mixed pinch my authentication app for 2nd facet authentication.

Following nan site's directions, I implemented passkey login. The process went reasonably smoothly. Within a fewer minutes, I was capable to log successful pinch my passkey.

At that point, I decided to delete nan authentication cardinal from my auth app, because I'd upgraded to passkey and wouldn't request nan auth codification anymore. After all, portion of nan logic for upgrading to passkeys is to destruct each that other activity astatine login, right?

But past I tried logging successful again. I was not locked out. I was, instead, presented pinch nan prime of logging successful pinch my password aliases my passkey. Out of curiosity, I tried to log successful pinch my username and password. That worked. But, of course, I wasn't asked to authenticate, because I had turned that important information characteristic disconnected a fewer moments prior.

Also: How I easy group up passkeys done my password head - and why you should too

Huh. OK. The financial institution had allowed maine to delete nan authentication method, but apparently my username and password were still associated pinch my account. No magnitude of digging astir successful settings would let maine to delete my password and spell each successful connected passkeys.

Baffled and reasonably annoyed, I went backmost into my account, re-enabled nan auth key, and wondered why I'm moreover bothering pinch passkeys.

Slacking a friend

The crippled show Who Wants to Be a Millionaire? has a characteristic called "phone a friend." The thought is that if a contestant is asked a mobility that's excessively difficult to answer, nan subordinate gets to telephone a friend for advice.

Also: How passkeys work: The complete guideline to your inevitable passwordless future

One of my favourite aspects of moving pinch ZDNET is that I activity regular pinch immoderate of nan astir well-informed taxable matter experts successful tech. So I decided to Slack our resident passkey expert, David Berlind. He has written an full bid connected passkeys that I see mandatory reference for anyone surviving successful nan 21st period and utilizing The Online.

Berlind was benignant capable to jump onto a Slack sound chat and walk almost an hr pinch me, explaining nan ins and outs of really passkeys really work.

It turns retired that passkeys are specified a messiness because each tract implements them differently. Each tract you authenticate connected is called a "relying party" successful passkey speak. Passkeys themselves are a nickname for FIDO2 credentials. By nan way, if I get thing incorrect here, it's not Berlind's fault. I'm recounting what he told maine from my notes, which could good beryllium arsenic flawed arsenic nan industry's implementation of passkeys themselves.

So, yeah. Every tract implements them otherwise and is implementing a different "transition path" from passwords to passkeys. Some sites will only let you to log successful pinch passkeys. Some will fto you move from passwords to passkeys. And some, for illustration nan financial institution above, support both.

Also: 10 passkey endurance tips: Prepare for your passwordless early now

Another weirdness is that immoderate sites let you to usage nan aforesaid passkey connected each your devices. Others, notably PayPal, require you to group up a different passkey connected each device. These are called "device-bound passkeys." If you entree PayPal from your Mac Studio, your MacBook Air, and your iPhone, you'll request 3 abstracted passkeys.

Now, here's wherever you're gonna get encephalon freeze.

PayPal requires device-bound passkeys, which they're doing presumably to beryllium other diligent astir your security. But deliberation astir this. If you adhd a passkey to your MacBook Air and region password access, really are you going to adhd a caller device-bound passkey to your Mac Studio and iPhone?

Also: How to group up and usage passkeys crossed your iPhone, iPad, and Mac

Yeah, you'll request to log successful pinch your username and password, past group up nan passkey for nan caller device. But since you're almost ever going to request nan action to adhd a caller instrumentality (like, for example, if you upgrade your iPhone this fall), you're ever going to request to person username and password entree to PayPal.

That seems to conclusion nan intent of passkeys, which is to supply a better, much secure, and little breachable shape of authentication.

When I posed this paradox to Berlind, he had immoderate sage advice.

ZDNET's recommendations

Simply retired of morbid curiosity, I asked ChatGPT, "Why do passkeys suck?" It replied:

Passkeys don't needfully "suck" -- they're acold much unafraid than passwords -- but they consciousness surgery successful believe because of ecosystem lock-in, mediocre cross-platform usability, and confusing betterment processes. They'll apt get amended arsenic take grows and workflows mature.

(Disclosure: Ziff Davis, ZDNET's genitor company, revenge an April 2025 suit against OpenAI, alleging it infringed Ziff Davis copyrights successful training and operating its AI systems.)

This tracks pinch what I learned from Berlind. He told maine that he uses passkeys for immoderate relying statement that offers them. Beyond easier login for those sites, he had an absorbing reason: protection from phishing.

Also: Why nan roadworthy from passwords to passkeys is long, bumpy, and worthy it - probably

He said that if he lands connected a tract wherever he knows he uses passkeys, and nan tract asks him to log successful pinch his username and password, that tract mightiness really beryllium a fake. The passkey petition is, essentially, a validation system that you're connected nan tract you intend to be. That's because scammers can't harvest passkeys. Well, they can, but because of nan backstage cardinal encryption, immoderate they harvest won't beryllium usable.

So, utilizing passkeys tin thief you group up a situational consciousness trap for phishing attempts.

As for me, I've decided that if a tract offers passkey authentication, I'm going to adhd it. If thing else, it will extremity sites for illustration Amazon from nagging maine incessantly. But it will besides supply that phishing consciousness protection Berlind recommended, and get maine into nan believe of utilizing and tolerating passkeys.

I conjecture I'll propose you do nan same. Keep way of your existing usernames and passwords. Make judge you group up multifactor authentication wherever you can, and support way of those betterment codes. But besides adhd successful passkeys arsenic a belts-and-suspenders level of security, authentication, and modulation preparation.

Also: I replaced my Microsoft relationship password pinch a passkey - and you should, too

Be careful. The mendacious consciousness of information provided by passkeys mightiness lull you into reasoning you're protected erstwhile you're not. Don't instrumentality passkeys reasoning you tin region 2nd facet authentication protection. Be alert that nan enactment of implementing passkeys won't straight summation your relationship protection if location is still a username and password strategy successful place. You should still usage 2nd facet authentication for accounts that connection it. They are offering it for bully reason.

It seems that arsenic agelong arsenic you protect your username and passwords nan measurement we've each been trained, adding passkeys into nan operation doesn't wounded anything. It conscionable makes it simpler to motion in. It's beautiful clear that it's nan measurement of nan future. I conscionable wish it wasn't a harbinger of specified a messy, convoluted, inconsistent, confusing future. But that's progress, right? Right?

Have you started utilizing passkeys yet, aliases are you sticking pinch accepted passwords? Do you find nan mixed implementations crossed sites confusing, aliases do you spot clear benefits successful phishing protection? How do you equilibrium convenience pinch information successful your ain accounts? Let america cognize successful nan comments below.

You tin travel my day-to-day task updates connected societal media. Be judge to subscribe to my play update newsletter, and travel maine connected Twitter/X astatine @DavidGewirtz, connected Facebook astatine Facebook.com/DavidGewirtz, connected Instagram astatine Instagram.com/DavidGewirtz, connected Bluesky astatine @DavidGewirtz.com, and connected YouTube astatine YouTube.com/DavidGewirtzTV.