
Why Passkeys Are Better Than Passwords and Why We'll All Be Using Them ... Some Day

Anonymous
2025-04-26T20:07:57+00:00

Passkeys are difficult to explain because they use very complicated technology. But I'll give it a shot.

Passwords must die. No matter how complex and lengthy your password is, it can be exposed in a data breach, intercepted in transmission, stolen by malware, and kidnapped by social engineering. The cybersecurity community has an expression: Hackers don't hack in - they log in.

Basically, any method of authentication - proving who you are - that relies on 'shared secrets' - like passwords and verification codes - is no longer secure. What's needed is a method of authentication that proves who you are while sharing nothing. That's what passkeys do.

Passkeys rely on a very complicated technology known as public key cryptography. You can read about that on the internet, but let me put it this way: It's what the military uses.

With that kind of complexity, passkeys would be a complete non-starter for you and me. So an industry group called FIDO - Fast IDentity Online, who coined the term 'passkeys' - came up with a way to hide all that complexity so we don't have to deal with it. To sign in to a website or an app that uses passkeys, you only need to authenticate to your own PC (or your own phone) as you normally would, then the technology takes over and you're in.

It sounds like a good idea, but wait ... there is a problem. Companies haven't decided on a set of common procedures or interfaces or even common terminology. That's what is preventing passkeys from being widely adopted ... for now. But they are the future of authentication.

Have you had experience with passkeys, whether good or bad? If so, tell us about it below.

My work here is done.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


3 answers

  1. quietman7 MVP Alumni 19,740 Reputation points Volunteer Moderator
    2025-05-13T22:57:47+00:00

    Passkeys (passwordless authentication) are a replacement for passwords based on Fast IDentity Online (FIDO) standards which allow you to sign into your Microsoft personal (or work/school) account much faster and more securely without a password or additional authentication. A passkey has no username or password so it cannot be exposed or stolen. A passkey can only be used with the account on which it was set up and is linked to a specific device (computer, tablet or smartphone).

    Unlike passwords, which you have to remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism such as Windows Hello biometrics (fingerprint or facial recognition) or PIN sign-in options to authenticate them before signing in. Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient. A passkey is invisible, virtual and based on public-key cryptography (keypair concept: a private key stored securely with the user and a public key). The passkey is purposely hidden from access inside the TPM (Trusted Platform Module) and the remote third-party website you are attempting to access.

    Since passkeys are unique to each website or application, you don't have to worry about someone else using your passkey to access them. Passkeys are also resistant to and help protect against phishing attacks. These features make passkeys a more secure option than a password.

    Microsoft has long been a proponent of passwordless authentication, and other industries have been moving in that direction too. Use of passkeys is "strongly recommended" by Microsoft along with a single biometric and PIN option.

    These security enhancements are the new norm in today's world due to the number of data breaches reported where extensive amounts of personal/financial/business information (including usernames and passwords) is stolen by hackers, then leaked or published for sale on the Dark Web. Criminals can then use that information for identity theft, hacking, extortion and any number of other nefarious purposes. We as users of this technology must take steps to minimize the risk of all sorts of threats, not just Microsoft sign-in attempts.

    2 people found this answer helpful.
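
The sign-in flow described in the question and in the answer above, as an added example (not code from the thread or from Microsoft): a simplified Node.js model in which the device signs a fresh server challenge together with the site's origin, so the server stores only a public key and a look-alike site gets nothing usable. The classes, the `bank.example` origins and the message layout are assumptions for illustration, not the actual WebAuthn encoding.

```javascript
// Added illustration of a passkey-style sign-in; simplified, not real WebAuthn encoding.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();
class Authenticator { // stands in for the user's device (TPM, phone)
  constructor() { this.keys = new Map(); } // rpId -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public half leaves the device
  }
  sign(origin, challenge) { // origin is supplied by the browser, not by the page
    const rpId = new URL(origin).hostname;
    const key = this.keys.get(rpId);
    if (!key) return null; // no passkey for this site, so nothing to sign with
    const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign(null, signed, key) };
  }
}
class Server { // the website ("relying party"); stores only a public key
  constructor(origin) {
    this.origin = origin;
    this.rpId = new URL(origin).hostname;
    this.publicKey = null;
    this.pending = null;
  }
  newChallenge() { return (this.pending = nodeCrypto.randomBytes(32)); }
  verify(assertion) {
    const expected = this.pending;
    this.pending = null; // each challenge is single-use
    if (!assertion || !expected) return false;
    const cd = JSON.parse(assertion.clientData);
    if (cd.origin !== this.origin || cd.challenge !== expected.toString('hex')) return false;
    const signed = Buffer.concat([sha256(this.rpId), sha256(assertion.clientData)]);
    return nodeCrypto.verify(null, signed, this.publicKey, assertion.signature);
  }
}
function demo() {
  const device = new Authenticator();
  const bank = new Server('https://bank.example'); // constructed origin
  bank.publicKey = device.register(bank.rpId);
  const first = device.sign(bank.origin, bank.newChallenge());
  const genuine = bank.verify(first); // fresh challenge, right origin
  bank.newChallenge();
  const replayed = bank.verify(first); // captured assertion against a new challenge
  const lookalike = device.sign('https://bank-login.example', bank.newChallenge());
  return { genuine, replayed, lookalike, phished: bank.verify(lookalike) };
}
console.log(demo());
```

Nothing the server holds or the network carries can be reused to sign in: the public key only verifies, and each signature is tied to one challenge and one origin.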
  2. Anonymous
    2025-04-30T15:07:50+00:00

    Hello,

    Thanks for posting in the Microsoft Community Support!

    From your description, I understand that you want to educate others about passkeys and passwords, and to make it clearer I am providing some more information here.

    Passkeys represent the next generation of authentication technology, designed to eliminate the vulnerabilities associated with passwords. Unlike traditional passwords, passkeys rely on public key cryptography, ensuring secure authentication without the need to share sensitive information. This makes them resistant to data breaches, malware, and phishing attempts—common threats to password-based security.

    The concept of passkeys has been developed and refined by FIDO (Fast IDentity Online), an industry alliance committed to simplifying authentication while maintaining the highest security standards. When using passkeys, users authenticate directly to their personal devices—such as their phone or computer—without needing to enter a password manually. This seamless process significantly reduces the risk of unauthorized access.

    While passkeys are undeniably the future of authentication, widespread adoption faces challenges due to the lack of standardized implementation across companies. However, as organizations work towards a unified approach, we anticipate passkeys becoming the standard method for secure authentication in the near future.

    We appreciate your interest in this evolving technology. If you have any personal experiences or thoughts on passkeys, we would love to hear them.

    Best Regards, Van Johnson | Microsoft Community Moderator

    1 person found this answer helpful.
  3. Anonymous
    2025-05-13T22:41:27+00:00

    I am a bookkeeper for several small businesses, some of which are remote only. In the course of my work, I am expected by some of my clients to log into their bank and credit card accounts, download statements, make payments, and other tasks as needed. I don't see how this would work with passkeys instead of passwords.
