
Are Passkeys Ready for Prime Time? – The Security Perspective (Part 1)

Niklas

March 9, 2026

tl;dr quick summary
Passwords are still the most widely used authentication method, but weak or reused passwords make phishing, brute-force attacks, and credential stuffing effective. Passkeys offer an alternative: passwordless authentication based on public-key cryptography, unlocked on the device by a biometric or a PIN. By removing shared secrets and keeping private keys on the user's device, passkeys take the password out of the attack surface entirely. But are passkeys ready to replace passwords in practice?

Almost anytime you need to authenticate yourself on a website, you come across passwords. They are still the most common form of authentication — and also one of the most problematic.

With the rapid growth of computing power, fueled by faster hardware and in particular the GPUs built out for AI and machine-learning workloads, cracking weak passwords has become significantly easier. What once took years can now be done in hours or even minutes. Studies already show how dramatically the time required to brute-force passwords has decreased, especially for short or poorly chosen ones [1]. How fast a leaked hash falls also depends on how it was stored: a bcrypt or Argon2 hash resists offline cracking far better than MD5 or SHA-1, but a short, predictable password is recovered quickly either way.

Security issues aside, passwords are also widely disliked. Most people would probably admit that they don't enjoy creating, remembering, and constantly resetting them.

This is where passkeys come into play. Passkeys were designed to address some of the fundamental problems of passwords by offering a more secure and significantly more user‑friendly way of authenticating users.

But are they really ready to replace passwords for good? Let's find out.

Passwords suck.

Working with passwords is usually a pain for users. This article is not meant to be pure password bashing, but before diving into the benefits of passkeys, it's important to understand the weaknesses they are meant to solve.

Almost everyone knows this situation: you're signing up for a new website and need to create yet another account. Before many people were introduced to password managers, they often relied on a small set of similar passwords — or even a single one — reused across countless services.

This behavior is far from uncommon. A survey by YouGov shows that around two thirds of users reuse the same password on multiple websites [2].

The problem becomes obvious once a single website is compromised. If attackers obtain a leaked credential database (cracking the password hashes first, if they were stored hashed), they can try the same email-password combinations on other platforms, a technique known as credential stuffing. A breach on an insignificant website can suddenly turn into access to far more sensitive accounts, such as email inboxes or even online banking.

On top of that, many users still choose passwords that are considered insecure — too short, too simple, or based on predictable patterns.

From a security perspective, reused and weak passwords are probably the worst combination you could think of. From a human perspective, however, this behavior is completely understandable. Given the sheer number of accounts people have to manage today, remembering a unique and complex password for each service is nearly impossible without help.

Businesses are well aware of these risks and try to compensate by enforcing password policies: minimum lengths, special characters, uppercase letters, regular password changes [3], and so on. While these rules may improve security on paper, they often come at the cost of usability. Creating passwords that satisfy all requirements is tedious and frustrating, and frequently leads users right back to insecure coping strategies like reuse or predictable modifications. Current guidance such as NIST SP 800-63B therefore advises against forced periodic changes and composition rules, favoring length and screening new passwords against lists of known-breached ones.

Introducing Passkeys

While passwords rely on something you know, a passkey combines something you have (the device holding the key) with a local user-verification step: something you are (Face ID, Touch ID) or, on many devices, something you know that never leaves the device (a PIN). Technically, passkeys are FIDO2/WebAuthn credentials built on public-key cryptography: during registration, the device generates a unique key pair for that site. The private key remains securely on the user's device, and the corresponding public key, together with a credential ID, is stored by the service.

Authentication works by proving possession of the private key with a challenge-response exchange. The server sends a random, single-use challenge; after the user unlocks the device (biometric or PIN), the device signs the challenge together with data the browser fills in, including the origin of the site that made the request. The server then verifies the signature with the public key it has stored and rejects the response if the challenge or the origin does not match what it expects.

The crucial point is that the private key never leaves the device and is never shared. Even in the event of a server breach, attackers can only obtain public keys, which cannot produce a valid signature and are therefore useless for impersonation or future authentication attempts.

This approach eliminates many of the classic password problems at once:

  • There is nothing to remember or reuse.
  • Phishing becomes ineffective: a passkey is bound to the domain it was registered on, and the browser writes the real origin into the signed data, so a signature produced on a look-alike site is rejected by the genuine one. Because authentication is challenge-response, a third-party site never sees the private key at all.
  • Server breaches no longer expose reusable authentication secrets, only public keys.

Passkeys are secure. But are they practical?

Passkeys clearly address many of the fundamental security and usability issues of traditional passwords. By removing the need to transmit a shared secret such as a password during authentication, and relying on a cryptographic proof of possession instead, they fundamentally change how user authentication works.

However, security alone does not determine whether a technology succeeds in practice. This leaves a set of practical questions:

  • How usable are passkeys for everyday users?
  • Do they work smoothly across devices?
  • What happens if you lose a phone?
  • And are passkeys still a meaningful improvement if users already rely on password managers?

These questions are less about cryptography and more about real-world usage and user experience. In the next article, we'll take a closer look at how passkeys are created, stored, synced, and used in practice — and whether they are truly ready for mass adoption beyond security-savvy users. Stay tuned!
