Experts Share: Are Passkeys The Solution To Cyber Vulnerabilities?

Passkeys let users log into sites and apps without an actual password. Instead of asking users to type in passwords, a passkey system uses a linked pair of keys shared between a device and a website. When someone creates an account, their device keeps the private key and sends only the public key to the website. When they return to log in, the device proves it still holds the private key without ever revealing it.

A report by the FIDO Alliance, along with Axiad, HID, and Thales, found that 87% of companies surveyed in the US and UK are either already using passkeys or actively introducing them. The research, conducted by Sapio Research in September 2024, covered firms with more than 500 employees. It found that companies see passkeys as a way to improve logins, protect data, and meet legal requirements.

Among the companies using passkeys, 47% said they were combining passkeys stored on physical keys or cards with ones that sync across devices. They often prioritised passkeys for staff with access to sensitive data, admin panels, or high-level accounts. Businesses also trained staff to use the new method, which helped increase support for the change.

Those not using passkeys said the reasons included cost, complexity, or not being sure how to introduce the system. But the same survey showed that passkey users had better security, better user experiences, and fewer help desk complaints.

Are Passkeys Safer Than Passwords?

Unlike passwords, passkeys are not stored on the website in a form that can be stolen and reused. Even if a company’s server is attacked, the stolen data cannot be used to log in to that account or to accounts elsewhere. That means the risk of account takeover is much lower.

Passkeys are also harder to fake. Because a passkey is tied to the website it was created for, and the device releases it only after facial recognition or a fingerprint check, a fake website cannot trick the device the way it can trick a person into typing a password. This makes passkeys harder for criminals to target, even with tools like AI.

Is It Time To Use Them?

Both experts and cybersecurity teams say it is better to switch now. Even everyday users will find that logging in with a face or fingerprint is easier than typing passwords. Passkeys are becoming the standard, and websites are changing to support them.

For those stressing about convenience or losing access, tools like password managers are still helpful. But many of these tools are also moving towards supporting passkeys. This means people can make the switch gradually if they prefer.

Are Passkeys The Solution To Attacks?

Experts have shared their thoughts on whether passkeys would help with vulnerabilities online…

Our Experts:

  • Anar Israfilov, Cybersecurity Expert, Founder, Cyberoon Enterprise, IEEE Senior Member
  • Kenn Yee, Senior Consultant, Tech Policy, APCO
  • Robert Dang, Principal Advisory Director, Security & Privacy Practice, Info-Tech Research Group
  • Derek Hanson, Field CTO, Yubico
  • Christina Hulka, Executive Director, Secure Technology Alliance
  • Ashish Jain, CTO, OneSpan

Anar Israfilov, Cybersecurity Expert, Founder, Cyberoon Enterprise, IEEE Senior Member

“Passkeys sound like a buzzword — but they actually solve some of the most frustrating security problems we’ve dealt with for decades.

“Imagine this: you sign into your favourite website with just your face or fingerprint — no password needed, and no chance a hacker could steal what you didn’t type.

“That’s the magic of passkeys. Behind the scenes, instead of storing a password on a server (which can be hacked), your device uses a unique digital key pair. One key stays safely on your phone or laptop. The other is public and can’t do any harm on its own. When you log in, your device proves who you are without revealing your secret. No typing. No phishing. No leaks.

“So are passkeys the solution?
They solve a big part of the puzzle:

  • No more stolen or reused passwords.
  • No more phishing links tricking you into typing your login.
  • No need to remember anything.

“But here’s the honest truth:

  • If your device is lost or not backed up, recovery can be tricky.
  • Not every website or system supports passkeys yet.
  • Businesses still need solid policies for managing devices and identity.

“At Cyberoon, we’ve already started integrating passkey-based logins into enterprise tools — and the results are promising. But we always remind clients: there’s no one-size-fits-all in security. Passkeys are a leap forward, but they must be combined with education, strong endpoint protection, and smart policies to truly make a difference.”

Kenn Yee, Senior Consultant, Tech Policy, APCO

“Passkeys, especially those that leverage biometrics, provide consumers a faster, more convenient, and oftentimes more secure way to log in.

“However, perhaps a big gap in passkey implementation is cross-device compatibility. Passkeys in typical consumer implementation are reliant on phone biometrics. If the user wishes to log in to a banking app on their PC, for example, as some banks don’t offer certain functions on phone apps, the user has to switch back to using passwords; good luck remembering them if you’ve not used them for some time.

“Passwords remain a more universal method of logging in, especially across devices.”

Robert Dang, Principal Advisory Director, Security & Privacy Practice, Info-Tech Research Group

“Passkeys offer a smarter and more secure alternative to passwords. They are phishing-resistant, easy to use, and designed to scale, and many people view them as the future for safe logins. But there’s no easy transition. There are platform gaps, device compatibility, end-user education, and legacy system integration to worry about for organisations. These challenges emphasise the need for a holistic approach that goes beyond integration of technical solutions.”

Derek Hanson, Field CTO, Yubico

“Human error is the top cause of breaches due to phishing, with an overwhelming majority of cybersecurity breaches caused by simple mistakes such as clicking on fraudulent links that look real but are not. Despite organisations aiming to improve their cyber defense by implementing multi-factor authentication (MFA), phishing remains a significant challenge. While any form of MFA is better than a password, legacy MFA approaches like SMS-based one-time passcodes (OTP) and mobile authenticator apps are broken and have been proven to be easily bypassed by malicious actors via phishing attacks.

“Passkeys are the most effective solution for individuals and organisations to replace passwords across apps and websites because they are inherently phishing-resistant. Passkeys seamlessly authenticate users online by using cryptographic security “keys” stored on their computer or device (such as hardware passkeys like a YubiKey), and are considered a superior alternative form of authentication by proving the person logging in is the one who’s supposed to be. Once a passkey has been set up, the authentication process happens opaquely at login, with minimal additional involvement from the user. As a result, signing into apps and websites becomes an effortless, almost automatic experience – freeing users from having to remember and manage passwords that can also be stolen or intercepted.

“A major reason why passkeys are so effective is because they reduce the burden on users to make the right choices and not hand over their credentials during a phishing attempt. Passkeys mitigate attackers intercepting or tricking users into revealing access information by requiring each party to provide evidence of their identity, as well as communicate their intention to initiate authentication via deliberate action.”

Christina Hulka, Executive Director, Secure Technology Alliance

Pros and cons:
“Passkeys offer a much more secure and user-friendly alternative to passwords. They’re typically based on a biometric such as a fingerprint or facial recognition that is unique to the individual and already familiar, since those are commonly used to unlock personal devices like smartphones. Because passkeys don’t transmit or store sensitive information on a central server, there’s nothing for hackers to steal in the event of a data breach. They are also uniquely tied to a specific website URL, which makes them inherently unphishable. From a user experience perspective, passkeys are simple to use and eliminate the need to remember multiple complex passwords. They also help preserve privacy, as no personal information is shared with the service provider during authentication.

“There are very few downsides to passkeys, and even where limitations exist, they still represent a significant improvement over passwords. One challenge is accessibility: not everyone has a modern smartphone or computer capable of supporting passkey technology. Additionally, for synced passkeys that work across devices, users must place a certain amount of trust in major tech companies to secure that data. Some regulated industries may also find that specific use cases are not yet fully supported by current implementations of passkey technology.”

What Passkeys Are:
“Passkeys are a modern, secure replacement for passwords. They allow users to log in to services or authorise transactions using a biometric that’s already available on their personal device, or with a physical security key that connects via USB, Bluetooth, or Wi-Fi. By eliminating passwords entirely, passkeys provide a simple, phishing-resistant method of authentication.”

How Passkeys Work:
“When a user wants to log in, for example, to a bank account, they simply perform a biometric action, like a fingerprint scan, on their device. Behind the scenes, this generates a unique cryptographic signature using public key cryptography, which is then sent to the service provider (known as the relying party). The provider verifies the signature and grants access. Unlike traditional methods, no shared secrets or passwords are stored on the server, which means there’s nothing for attackers to steal in the event of a breach.”

The Technology Behind Passkeys:
“The foundational technology behind passkeys comes from the FIDO (Fast IDentity Online) Alliance, which was established in 2012 by eight companies including Lenovo, PayPal, and Nok Nok Labs. The organisation was created to reduce the world’s over-reliance on passwords. Since then, FIDO has developed global standards and certification programmes that enable the broad adoption of authentication methods based on public key cryptography.”
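As an added example (not code from the article or from any of the organisations quoted), here is the registration and login exchange that the introduction and Christina Hulka’s “How Passkeys Work” section describe, in Go using only the standard library: the device keeps the private key, the website stores only the public key, and at login it checks a signed challenge together with the origin the browser reported. The relying-party name, origins and challenge strings are constructed, and the message layout only imitates WebAuthn’s shape; it is not a WebAuthn implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed relying-party identifier; every name and value in this file is illustrative.
const rpID = "bank.example"
// clientData is what the browser reports next to the signature: the challenge and the origin it saw.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator keeps the private half of the pair; the website only ever holds the public half.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Assertion is the login proof: rpId hash, client data, and one signature covering both.
type Assertion struct{ AuthData, ClientJSON, Sig []byte }
// Register runs at account creation; the public key is all the website stores.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &priv.PublicKey
}
// signedMessage follows WebAuthn's layout in miniature: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func signedMessage(authData, clientJSON []byte) []byte {
	cdh := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}
// Sign is the device's side: it proves possession of the private key without ever sending it.
func (a *Authenticator) Sign(challenge, origin string) Assertion {
	cj, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rp := sha256.Sum256([]byte(rpID))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rp[:], cj))
	return Assertion{AuthData: rp[:], ClientJSON: cj, Sig: sig}
}
// Verify is the website's side: expected challenge, expected origin, expected rpId, valid signature.
func Verify(pub *ecdsa.PublicKey, challenge, origin string, as Assertion) bool {
	var cd clientData
	if json.Unmarshal(as.ClientJSON, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false // a proof relayed through a look-alike site carries the wrong origin and is refused
	}
	rp := sha256.Sum256([]byte(rpID))
	return bytes.Equal(as.AuthData, rp[:]) && ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientJSON), as.Sig)
}
```

A proof produced on a look-alike origin fails Verify on the origin check before the signature is even examined, which is the property the quoted experts call phishing resistance.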

Ashish Jain, CTO, OneSpan

“The future of authentication is here – and it’s passwordless. Passwords have long been a point of vulnerability, often leading to breaches and user frustration. Passkeys represent a meaningful step toward improving both security and usability, moving us closer to a more resilient digital infrastructure. They’re especially valuable in securing high-risk interactions like financial transactions, where strong, phishing-resistant authentication is critical.

“FIDO passkeys take traditional authentication a step further by using cryptographic credentials stored on a user’s device, ensuring both identity verification and security. This method strengthens authentication across desktops and mobile devices, creating a more secure digital environment. As the adoption of passkeys grows, I’m confident they will be key to transforming how we protect our most sensitive online interactions.”