Key takeaways
Passkeys are replacing passwords as a more secure method of authentication.
Passkeys use public-private cryptography for phishing-resistant authentication.
Passkeys do have some limitations that organizations should consider before deploying.
Passkeys are a component of centralized identity infrastructure.
Knowledge-based authentication
Knowledge-based authentication (KBA) is a method of verifying a user's identity by requiring input of information that only the real user should know, such as a password, the answer to a security question, or a personal identification number (PIN). This method of authentication is vulnerable to abuse because knowledge-based information can be stolen, guessed, or phished. Multi-factor authentication (MFA), requiring two or more methods of authentication, provides better security but is still vulnerable. Passwordless methods like passkeys replace knowledge-based credentials with cryptographic proof that does not require the user to remember or type anything.
Why passwords fail
The three components, or factors, used in digital authentication are: something you know like a password, something you have like a mobile phone, and something you are like a biometric characteristic. A password is a form of knowledge-based authentication. It is a string of characters that only the user knows, used to authenticate their identity to the service. It is easy to input, assuming the user can recall which password they used for which service. But that presents a problem, as today's average business user must log in to many applications and services every day. From a security standpoint, passwords have several serious problems. Here are a few of the most prominent issues.
Using strong passwords is a pain
With the need to access so many services, users have a tendency to choose simple passwords or reuse them across multiple services. A strong password is harder for attackers to guess or crack, while a weak or reused password gives them an easy path in. Despite years of awareness campaigns, simple and repeated passwords remain widespread, undermining one of the most basic layers of account security.
Passwords are vulnerable
In phishing, an attacker tricks the user into disclosing their username and password credentials. Phishing has become increasingly sophisticated and is one of the most common starting points for cyber attacks. Phishing-resistant MFA can help protect against phishing-based attacks. To learn more, see our guide to setting up phishing-resistant MFA. Passwords also leave organizations vulnerable to other attack methods, including credential stuffing, brute force attacks, and password spraying.
Breached passwords can be distributed or sold on the dark web
Security breaches that expose customer records and credentials happen regularly, and the stolen data often ends up posted or sold on the dark web. Once credentials leak, attackers can reuse them across other services where the same passwords are still in use, which is one of the reasons password reuse is so dangerous.
Password maintenance is costly
Because of these security issues, organizations spend significant IT time and money administering their password programs. Password resets are one of the most common reasons users contact the help desk, and the staff time required to handle them adds up across the year. Reducing reliance on passwords is one of the most direct ways to lower help desk volume and free IT teams to focus on higher-value work.
What are passkeys?
Passkeys are an alternative to passwords. Instead of using a secret that both the user and service know for verification, passkey authentication uses a pair of keys: a private key stored on the user's device, and a public key stored on the service being accessed. There is no password to be remembered or stolen. When you sign in, your device proves it holds the private key without ever sending it over the network. There is no shared secret that an attacker can intercept or steal from a server.
Passkeys are a form of phishing-resistant MFA because they combine two factors of authentication: something you have and something you are. Passkeys are built on the Fast Identity Online 2 (FIDO2) and Web Authentication (WebAuthn) standards, which define how browsers and devices handle public-key authentication.
Device-bound passkeys stay on one device. Synced passkeys replicate across a user's devices through an encrypted cloud backup. For enterprise IT teams, this distinction matters because device-bound passkeys offer tighter control but create recovery challenges if a device is lost. Synced passkeys improve usability but introduce questions about which cloud provider holds the backup.
How passkeys work
With a password, the first time you log in to a service you set up a username and password, and the service stores them (typically as a password hash) in its database. The next time you visit the service's login page, you enter your username and password. If the service recognizes your credentials it may log you in, or, more commonly today, challenge you with a second form of authentication, such as a security question or a one-time passcode.
The first time you log in to a service using a passkey, your device generates a public-private key pair. The private key is stored on your device, which acts as the authenticator. The public key is sent to the service, where it is stored on the service's server. When you actually log in, the service sends a random, single-use challenge to the authenticator. Your device signs the challenge with its stored private key, and the service verifies the signature with the public key it holds, confirming your identity. Unlocking the authenticator happens in much the same way as when you sign in to your device, typically with a fingerprint, facial scan, or PIN. No shared secret is communicated. The result is both a simpler user experience and stronger security.
Benefits of passwordless over passwords
Implementing a passwordless system can lead to significant benefits, including improved security over password-based authentication, reduced operating costs of administering password-related support, and a better user experience by removing the need to remember and enter passwords. For more details on what organizations gain by going passwordless, see the benefits of passwordless authentication.
What about using a password manager?
Passwords managed through a robust password manager eliminate the need to remember individual complex passwords. But password managers are only an interim mitigation to the password problem. Passkeys represent a structural fix, using advanced cryptography to secure authentication without a shared secret in the first place.
Passkeys vs. passwords at a glance
The table below summarizes how passkeys and passwords compare across the dimensions IT teams care about most.
| Aspect | Passwords | Passkeys |
|---|---|---|
| Authentication method | Shared secret known by both the user and the service. | Public-private key pair; the private key never leaves the user's device. |
| Resistance to phishing | Vulnerable. Can be tricked out of users with fake login pages. | Phishing-resistant. The private key cannot be intercepted, reused, or shared. |
| Vulnerability to data breaches | Exposed if a service's password database is breached. | Public keys are useless to attackers if a service is breached. Private keys remain on user devices. |
| User experience | Users must remember, type, and reset many strings of characters. | Users authenticate with a biometric or device PIN. No memorization required. |
| Recovery if device is lost | Reset via email or security questions. | Device-bound passkeys require a backup method. Synced passkeys recover through the cloud provider. |
| Cross-platform support | Universal across virtually all systems. | Growing rapidly but not yet universal. Some legacy and enterprise systems lack support. |
| IT support burden | High. Resets account for a large share of help desk volume. | Lower over time. Fewer resets, but new processes for device loss and onboarding. |
Limitations of passkeys
While passkeys are the next generation of authentication security, they are not a perfect solution yet. Here are some limitations organizations should be aware of before implementing passkeys.
Dependence on devices: The private key lives on the device used to establish the user's account. If that device is lost or otherwise unavailable, the user must rely on a backup method or recovery code.
Device compatibility: Passkey implementation depends on devices and platforms that support the technology. Coverage is broad but not yet universal.
Enterprise and legacy system gaps: Passkeys are relatively new, and many older applications cannot integrate them into existing security operations.
Cross-platform syncing: Major platforms actively support passkeys, but syncing across different platforms can still be inconsistent.
User adoption: People have used passwords for decades. Adopting passkeys requires a fundamental process shift. Users need to be educated on how passkeys work, the benefits they bring, and the risks of staying with passwords.
The journey to passwordless authentication
Passkeys are the most prominent passwordless authentication method. Deploying passwordless is a journey. It includes selecting the right technology to address current and anticipated security requirements, deploying authentication in a phased rollout to learn what needs to be adjusted, and communicating the change and its purpose to all stakeholders. For a detailed look at how to plan and execute, see our guide to passwordless authentication best practices.
Future state: passkeys and identity management
Passkey solutions, such as Duo Passwordless, should be treated as more than just an authentication upgrade. As passkey adoption grows, organizations will need to consider passkeys as part of a broader central identity program, including zero-trust access, MFA, and lifecycle governance, that manages passkeys alongside other credentials. Duo Directory is a security-first identity hub that centralizes identity data for authentication, policy enforcement, lifecycle management, and access control.
Ready to evaluate passkeys for your organization? Start with a Duo pilot to test passkey authentication alongside your existing login methods, and explore our five-step path to passwordless for a practical guide to making the move.