Passkeys: What are they and how do they work?

Passwords have been around for about as long as computers. There’s a reason for their longevity: Consumers intuitively know how to use them — in spite of their security shortcomings. Businesses keen to offer a low-friction way for customers to secure their online accounts have had little option but to persist with passwords. That is, until now.

The most common password challenges faced by businesses

There’s one big challenge with passwords. They may be easy for us all to use, but they can also be easy for criminals to steal or guess. The problem is scale. A typical computer user may have scores of websites and apps they regularly need to access. Remembering unique credentials across all of these can be extremely challenging — especially when security best practices say they must be “strong and long” to beat the automated software hackers use to crack easy-to-guess passwords.

The rising threat of data breaches

Fraud is evolving to incorporate new technologies and methods, leading to large-scale password data breaches. In the U.S. alone there were over 1,800 data breaches last year affecting 422 million individuals.¹ Passwords can also be phished individually from victims by criminals posing as legitimate entities like banks or streaming providers. According to the FBI’s Internet Crime Report, there were nearly 300,000 reports of phishing in 2023 — more than double the number of reports in 2019.²

Stolen usernames and passwords have become a valuable commodity

Stolen usernames and passwords are often traded in bulk on dark web marketplaces, where they’re bought up in large quantities. Hackers can feed this data into credential stuffing tools to see if the same logins have been reused across other websites and apps. If they have, the hackers may be able to unlock accounts on those other platforms, too.

The password problem has gone unresolved for far too long. Consumers are sick of having their accounts hijacked and their money and data stolen. Businesses also suffer from the repercussions, such as reduced consumer confidence and reputational damage. Previous attempts to mitigate the problem — including password managers and two-factor authentication apps or one-time passcodes — have so far failed to gain widespread adoption.

That's where passwordless authentication tools like passkeys can help.

What are passkeys and how are they going to replace passwords?

First, what are passkeys? Passkeys are a common login standard created by the FIDO Alliance and the World Wide Web Consortium. Passkeys enable customers to seamlessly gain access to their online accounts without needing to use a password. Instead, they can use the same biometrics (like Apple’s TouchID or FaceID), PIN, or swipe pattern they use to unlock their device.

Passkeys are designed to replace traditional passwords since they are more user-friendly and secure. Users don't have to remember them and create them anew for each of their accounts and devices. Instead, they can go through a one-time setup process and then proceed to use their passkey across devices. Even if the user loses their device or gets a new one, they can still access and recover their passkey by logging into the cloud.

How do passkeys work?

Here’s how Passkeys work:

• The passkey replaces the user’s password with a hidden cryptographic key pair.
• Among that pair, one key is public and registered with each app or website in use. The other key is private and stored only on the user’s device.
• Each time the user logs into a passkey-enabled device or account, the key pair seamlessly handles the authentication process between their device and app or website.

How to use passkeys

This step-by-step guide provides a quick overview of how to use passkeys:

• A user sets up and enables a passkey on their device. They might choose to set up a facial recognition or fingerprint scan, or PIN code.
• The user logs into an app. They select the option to enable and log in with their passkey.
• Now, the user can simply log into the app with their facial or fingerprint ID, or PIN — just as they would unlock their device.
• If the device with the passkey is lost, stolen, or broken, alternative login methods are still available. For instance, the passkey can be recovered by logging into the cloud or accessing a one-time passcode.

Learn more about how to use PayPal passkeys.

Pros and cons of passkeys vs. passwords

As passkeys become more prevalent, it’s important to understand passwords vs. passkeys pros and cons. Most notably, businesses should understand how passkeys can help them reduce risk and improve payment security across platforms.

Here’s a closer look at how passkeys are different from passwords:

Passkeys enable a better security user experience

The user experience is seamless, familiar, and consistent. Passkeys can also be securely synced across devices and computers, making them more convenient to use than unique passwords created for each site or app.

Passkeys are more secure than passwords

Passkey security is based on industry-specific FIDO Authentication. Passkeys are more secure than passwords because they are stored using a pair of encrypted keys, for example. They are also stored through the user's operating system instead of a remote server, making them less vulnerable to phishing, credential stuffing, and other remote attacks.

Passkeys also can't be guessed or stolen like passwords can. And they don't require the user to take any extra steps to log in, such as accessing a confirmation email or SMS message — additional communications that can be intercepted.

Passkeys improve scalability in security

Passkeys ensure scalability and security, since users do not need to create a new key from scratch on each new device or service. Instead, their passkeys will be available wherever and whenever they need them.

Potential disadvantages of passkeys

Passkeys are becoming the new standard for login security, but may still pose some implementation challenges. As such, businesses should be aware of potential passkey disadvantages and obstacles, including:

• Costs. Passkey authentication solutions may come with added costs. However, implementing passkeys at scale can ultimately improve operational efficiency and increase security, yielding safer and smoother customer experiences.
• Adoption. Customers may have to go through a learning curve before they’re fully comfortable enabling and using passkeys. Once they do, however, they’ll enjoy quicker and easier login processes.
• Integration. Businesses may have trouble syncing passkey providers with legacy platforms. That's why it's important to partner with a comprehensive platform that offers end-to-end solutions for managing customer experiences and data.

Making passkeys part of your long-term security strategy

Traditional passwords remain vulnerable to data breaches and phishing attacks. As fraud continues to grow and evolve, passkeys have emerged as a new standard to help businesses improve data security and create a frictionless login process for customers.

As a founding member of the FIDO Alliance and a strong advocate for user security, PayPal is leading from the front as one of the first firms to offer support for passkey implementation. Our website and app offer customers in the U.S. on supported devices and browsers a glimpse into a password-less future.

As businesses seek more advanced authentication methods, passkeys can play a vital part in their security strategy. They can also be paired with other cutting-edge security solutions like fraud detection powered by machine learning.

Looking forward, passkeys and passwordless authentication represent a fantastic opportunity to enhance security and scalability across the internet. That’s something both consumers and businesses should be excited about.

Learn more about PayPal and passkeys.