Trace Id is missing
Skip to main content
Microsoft Security

What is a passkey?

Learn what passkeys are, why they’re preferable to traditional passwords, and how they’re transforming cybersecurity.
Explore passwordless authentication

A new, more advanced way to authenticate


A passkey is a form of multifactor authentication that uses public key cryptography in combination with biometrics like fingerprint and facial recognition or a device PIN to verify an account owner’s identity. Passkeys act as a replacement for traditional passwords.

Key takeaways

  • Passkeys, which are unique to each person and device, offer individuals and organizations an easy, convenient way to securely sign in to online accounts.
  • Among other security benefits, passkeys increase protection against phishing attacks, reduce risk of account takeovers, and improve regulatory compliance.
  • Passkeys are compatible with multiple systems and devices and can be integrated into existing security infrastructures.
  • Passkey implementation involves five phases, from assessment and planning to training and awareness.
  • As passkeys grow in popularity, organizations are finding ways to overcome employee resistance to change, interoperability issues, and other associated adoption challenges.

Strengthening cybersecurity with passkeys


Prior to the introduction of passkeys, most forms of multifactor authentication were used in tandem with a password. One-time codes, for instance, are time-sensitive codes sent through authentication apps or SMS to verify your identity after you enter the password to an account. Passkey authentication allows you to securely sign in to online accounts without a password or additional authentication. Unlike passwords, passkeys are unique to each person and device, which makes them a much more difficult target for cyberattackers.

It's no wonder, then, that many organizations are transitioning from traditional passwords to passkeys to improve access control. Passkeys offer stronger security, help organizations meet compliance requirements, and have an extra layer of protection due to their physical possession requirement.

With cyberthreats like phishing and data breaches more prevalent than ever, the secure authentication offered by passkeys represents a significant advancement in cybersecurity.

Security benefits of passkeys


Even with robust password protection measures in place, passkeys offer several security benefits over traditional passwords. Here are some of the major security benefits of using passkeys.

Physical possession requirement

Because passkeys are unique to each user and device, it’s nearly impossible for hackers to guess or steal them. Even if they did somehow gain access to your passkey, they’d still need physical access to your device to use it.

Enhanced protection against phishing attacks

Passkeys are resistant to phishing attacks because they rely on physical possession of a device rather than passwords, which can be guessed and entered by anyone on any device. Even if you did fall victim to a phishing attempt when using a passkey, the attacker would still need the physical passkey (which is only stored on your device) to access your account. As a result, the use of passkeys can greatly improve login security, email security, and overall security.

Reduced risk of account takeover

Due to their physical possession requirement and strong security features, passkeys have a reduced risk of account takeover when compared with traditional password-based authentication methods. Even if a passkey is compromised, the attacker still needs physical access to the device it’s on to complete the authentication process.

Compliance with security standards

Passkeys often meet or exceed security standards and compliance requirements in regulated industries such as finance, healthcare, and government. Their robust security features make them well-suited for protecting sensitive data and complying with industry-specific regulations. Passkeys can also be used with OAuth to authorize access between apps and services without compromising sensitive information.

Recovery security

When you forget traditional signin credentials, regaining access to an account often requires a password reset and/or the use of some form of two-factor authentication. Passkeys, on the other hand, can be securely synced across your devices. If you lose a device that has your passkey synced to it, you can use another device to recover access to your accounts.

Passkey compatibility and integration

Passkeys are compatible with a wide and growing range of systems and devices. Microsoft, Google, and Apple have already begun to integrate passkeys into their products and services. That means you can use passkeys to secure your accounts on a variety of devices, including:

  • Windows devices.

  • iOS 16+ iPhones and iPads.

  • macOS 13+ computers.

  • Android devices.
In addition to being compatible with these systems and devices, passkeys can also be integrated into existing security infrastructure. This means organizations can adopt passkeys without making major changes to their existing security systems.

Implementing passkeys: From theory to practice

Many organizations are transitioning from traditional passwords to passkeys to gain improved security and convenience. The process of implementing passkeys can be broken down into five phases:

1. Assessment and planning. During this phase, you should evaluate your organization’s current password management practices, security needs, and compliance requirements to determine the requirements and objectives of implementing passkeys.

2. Selection of a passkey solution. Once you’ve determined your organization’s passkey needs, you should find a solution that aligns with them. Factors to consider could include security features, scalability, and compatibility with existing security systems.

3. Policy development around passkeys. Define passkey policies and guidelines that outline requirements for passkey creation, usage, protection, and storage at your organization.

4. Implementation and integration. After you’ve clearly outlined passkey policies, it’s time to deploy your chosen passkey solution across your organization. You should then configure the security settings to align with your organization’s requirements and conduct tests to ensure proper integration with your existing systems.

5. Training and awareness. As soon as you’ve integrated passkeys into your organization’s security systems, you should provide comprehensive training to help employees securely create, use, and store their passkeys.

Effective passkey management

It’s a good idea to create a list of best practices around passkey use. Here are a few best practices to get you started:

  • Facilitate passkey creation so that employees can easily generate and start using passkeys.

  • Ensure all passkeys are discoverable so that employees can easily find their source. Clearly indicate the original source of each passkey.

  • Encourage the use of passkeys across multiple devices to create redundancy and avoid manual resets.

  • If an employee signs in using a fallback method like a password, consider prompting them to create a new passkey.

How does a passkey work?


Passkeys rely on a technology called public key cryptography that has long been used to authenticate websites. Public key cryptography works through a pair of keys: a public key for encryption and a private key for decryption. This allows for secure communication and authentication between systems without the need for the exchange of a secret key beforehand. Passkeys authenticate personal accounts with the same public key cryptology used to authenticate websites. They confirm that a user’s device has the passkey needed to sign in to an account, and biometrics or a device PIN confirm that the device is in the user’s possession.

The role of the FIDO Alliance in advancing passkeys


The Fast Identity Online (FIDO) Alliance is an open industry association founded to help advance the adoption of passwordless authentication. Since 2013, the FIDO Alliance has worked to reduce the world’s reliance on passwords by developing standards and specifications around new forms of authentication. The standards and interoperability protocols developed by the FIDO Alliance allow users to authenticate securely across various devices and services using passkeys.

Overcoming obstacles in passkey adoption

While many organizations are transitioning from traditional passwords to passkeys to improve their security, there are some obstacles and concerns around implementing passkeys.
Here are a few common obstacles and potential solutions to adopting passkeys:

Obstacle: Employees may be resistant to change, especially if they are accustomed to traditional password-based authentication methods. They may not fully understand the benefits of passkeys or how to use them effectively, leading to low adoption rates.
Solution: Provide comprehensive education and training programs to help employees understand the benefits of passkeys and how to use them securely.

Obstacle: Passkey systems may not be compatible with all devices, platforms, or applications, leading to interoperability issues.
Solution: Work with device manufacturers and software developers to ensure passkey systems are compatible with a wide range of devices, platforms, and applications.

Obstacle: Employees may have concerns about the security of passkey systems, particularly regarding the protection of their biometric data or the integrity of their passkey storage.
Solution: Implement robust security measures, such as encryption, multifactor authentication, and secure storage practices, to address your employee’s security concerns and protect their data.

While there are challenges in implementing any new technology, the strengthened security posture, convenience, and user-friendly authentication offered by passkeys makes overcoming these and other obstacles to their implementation well worth the effort.
A computer screen with a key and a window
Video

Passkeys explained in under four minutes

Learn more about how passkeys work, including how they increase your protection against data breaches and phishing scams.
Watch the video

Driving innovation in cybersecurity


Leading tech companies are already integrating passkeys into their products and services. This trend is likely to continue as more organizations recognize the security benefits of using passkeys. This widespread adoption of passkeys has and will continue to drive innovation in cybersecurity by making it easier for individuals and organizations to protect their accounts and data.

As passkeys grow in popularity, a passwordless future will come closer to being a reality. Organizations looking to strengthen their security posture, improve user experiences, and stay ready for the future may want to consider switching from traditional passwords to forms of passwordless authentication like passkeys. Microsoft Security offers several services and solutions to help organizations begin their transition to passwordless authentication.
RESOURCES

Learn more about Microsoft Security

A person in a black sweaterwatching his mobile
Product capability

Manage passwordless authentication with Microsoft Entra

Deny entry to bad actors with industry-leading authentication technology from Microsoft.
Learn more
A person looking at a phone
Product capability

Explore multifactor authentication in Microsoft Entra

Help protect your organization against breaches due to lost or stolen credentials.
Learn more

Frequently asked questions

  • A password uses a string of characters for authentication, while a passkey uses public key cryptography for secure authentication without the need for a shared secret.
  • Passkeys work through a pair of cryptogenic keys: a public key for encryption and a private key for decryption. Passkeys are stored on a user’s devices to verify their identity through biometrics or a device PIN.
  • Creating a passkey typically entails creating a pair of cryptographic keys. This can be done using cryptographic software libraries or tools provided by authentication platforms.
  • Passkey offers more secure and user-friendly authentication than traditional passwords. If you want to reduce the risk of security breaches and enhance your overall security posture, it’s a good idea to use passkeys.
  • Yubikeys are a type of security key. Security keys store passkeys. Passkeys stored on security keys are device-bound—meaning they can never leave the device they’re stored on.

Follow Microsoft Security