Written by Pete McPherson

Updated: 2024-06-01

Passkeys, explained.

Passwords are terrible...and 2-factor auth is somehow WORSE.

If you've ever seen a website offer to let you use a "passkey" to log in instead of a password...and wondered, "the heck..."

This is for you.

STICKY NOTE - Passkeys 👇

(Image: Passkeys Sticky Note)


What exactly is a passkey?

  • 🔑 Passkeys are a new, safer way to log in to websites and apps.
  • 🚫 You don't need a password...OR 2FA
  • 💻 Your DEVICE logs you in. It holds a "private key" (a secret, randomly generated cryptographic key) that stays local, and the website stores the matching "public key."
  • ☹️ Still, few companies support passkeys boooooooo

How they work:

1 - The Setup

"I HATE PASSWORDS & STUPID 2FA TEXT MESSAGES," you say.

"I got you, fam. Here's a passkey."

You enable passkeys.

A "private key" is stored on your local device, and the website keeps a "public key."

Private key 👉 Never leaves your device, and using it requires unlocking with Face ID, fingerprint, a PIN, etc.

2 - The Request

"I WANNA LOG IN,"

"PROVE YOU'RE YOU,"

The website server sends a "challenge" to your device.

3 - The Authentication

"CHALLENGE ACCEPTED."

...but then it whispers to you...

"psst! hey! Can you gimme Face ID really quick? Just need to make sure it's actually you--and not somebody that stole your laptop--like your 7yr-old..."

You unlock with Face ID.

Your device uses the private key to "sign" the challenge--and sends the signed challenge back to the server.

"BOOMSHAKALAKA,"

4 - The Magic

"Welcome back, King. Never doubted you for a moment,"

"until next time..."

The server verifies you without ever seeing your private key.

Done.

⚾ A CURVEBALL - Password Managers

Some password managers can store your passkey private keys and sync them between your devices.

You'll still AUTHENTICATE on your DEVICE (Face ID, PIN, etc)--but your private key is available across all devices with the password manager.

NOTE: LastPass does NOT support passkeys yet, because they're lame.

Use Bitwarden (what I recommend), Dashlane, or 1Password.

Why are passkeys better?

  • Easier: No need to remember complex passwords, and you don't need 2FA(!)
  • Safer: Phishing-resistant, and a breach of the website can't leak your private key, because the site only ever stores the public key. Secured by your local device!
  • Faster: Logging in is EZ-PZ.

One downside...

Only a handful of apps and websites support them, and switching to passkeys can be a bit tricky.

Which websites have passkey support?

Here's a handy-dandy resource that lists them all!

https://passkeys.directory/

Big ones include...

  • Amazon
  • Apple
  • Bitwarden
  • Coinbase
  • Discord
  • Ebay
  • GitHub
  • Google
  • Link
  • LinkedIn
  • Microsoft / Live
  • OnlyFans (lol)
  • PayPal
  • Robinhood
  • Shop
  • Snapchat
  • Stripe
  • TikTok
  • Twitter
  • Uber
  • WhatsApp
  • Yahoo

So there it is, folks!

Hope you learned something today ;)

Love you, and thanks for sticking around on my email list.
