
How passkeys are replacing passwords and why they are safer

Technology · 5 min listen

Transcript

Host: We all have that list, either in our heads or on a messy scrap of paper, of all the passwords we have to remember. It feels like a constant battle against forgetting them or getting hacked, especially when every site wants twelve letters and a special symbol. Lately, every big app and phone maker is pushing us to switch to something called a passkey. So, what exactly are these things, and are they actually safer than the old way of doing things?

Guest: Think of a passkey as a digital version of a physical key for your house. For years, we have used passwords, which are basically just secrets we try to keep in our heads. The problem is that humans aren't great at keeping secrets. We reuse them, we write them down, or we get tricked into typing them into fake websites. A passkey moves that secret away from your brain and puts it into your device, like your phone or your laptop. Instead of typing a long string of letters, you just use your face scan, your thumbprint, or the screen lock you already use to get into your phone. It's much faster, but the real magic is what's happening under the hood.

Host: I get that it's faster, but I have to ask. If I'm not typing a secret code, how does the website know it's actually me? It feels like we're just moving the target.

Guest: It uses a bit of math that works like a lock and a key. When you set up a passkey for a site, your device creates two parts. One part is a public key, which is like a digital lock. You give that lock to the website. The other part is the private key, which stays hidden on your phone. It never leaves. When you try to sign in, the website sends a little digital puzzle to your phone. Your phone uses that private key to solve the puzzle and sends the answer back. The website checks the answer against the lock it has, and if they match, you're in. The best part is that the website never actually sees your private key. Even if that website gets hacked and all their data is stolen, the hackers only get the locks, not the keys. They can't use those locks to get into your account.

Host: That sounds solid, but here is the big worry. What if I lose my phone? If my key is stuck on that one device and I drop it in a lake, am I just locked out of my entire life forever?

Guest: That's the most common fear, and it's why this took a while to get right. You're not actually stuck with just one physical device. Most of the time, your passkeys are backed up in the cloud, like through your Apple or Google account. If you get a new phone, you just sign into your main account and all your passkeys show up there. It's a bit like how your contacts or photos move to a new phone. Also, most sites will still let you use an older way to get in, like an email link, if you really get stuck. But the idea is to make the passkey the main way you get in so you're not relying on a weak password that a hacker could guess.

Host: Okay, so they're backed up. But what about the face scan or the fingerprint? I'm not sure I love the idea of giving my face data to every random shop I buy a pair of shoes from. That feels like a huge privacy risk.

Guest: That's a big misunderstanding about how this works. You're not actually giving your face scan to the website. When you scan your face to use a passkey, that stays entirely on your phone. Your phone just uses that scan to unlock the private key we talked about. It then tells the website, yes, the owner of this phone is here and they approved this. The website never sees your thumbprint or your face. They only get that mathematical answer to the puzzle. In many ways, it's much more private than a password, because with a password, you're literally handing your secret over to the site every time you type it in.

Host: So it protects my face data and it's harder to hack. But what about those fake emails? I get those all the time, pretending to be my bank and asking me to sign in to fix a problem. Does a passkey help if I accidentally click one of those links?

Guest: This is actually the strongest part of the whole system. Passkeys are basically immune to those fake websites, which we call phishing. With a password, if you get tricked into visiting a fake bank site, you might type your password in and give it right to the thief. But a passkey is tied to the real website. Your phone knows exactly which site created the lock. If you land on a fake site that looks like your bank, your phone will look at it and realize it doesn't have a key for that specific address. It simply won't offer to sign you in. There's no password for you to type in by mistake, so the thief walks away with nothing.

Host: It sounds like we're finally moving toward a world where I don't have to remember my childhood pet's name plus three numbers. Is the password actually dead, or is this just another layer we have to deal with?

Guest: We're in a middle ground right now. Big companies like Google, Amazon, and Apple have already switched over, but smaller sites take longer to update their tech. You'll probably see passwords sticking around as a backup for a few more years. But the goal is to make the password something you almost never see, like the physical key for a car trunk that most people never use anymore.

Host: That scrap of paper on my desk is looking more and more like a relic of the past.

Guest: The most important shift is that your security no longer depends on how well you can remember a random string of characters, but on the device you already carry in your pocket.

Host: The old list of passwords in the kitchen drawer might finally be ready for the recycling bin.

Made with Wander
