PASSKEYS
HMS TRAINING AND SUPPORT
What are Passkeys?
Passkeys are a new, more secure way to log into your online accounts without using traditional passwords. Here’s a simple explanation:
Imagine your online account is a house, and to get in, you need a key. In the past, you would use a password, which is like a physical key that can be copied or stolen. If someone else gets your password, they can get into your house.
Now, with passkeys, instead of a physical key, you have a digital key that’s stored on your device, like your smartphone. This digital key is unique and can’t be copied. When you want to enter your online house, your device confirms it’s really you (usually with something like a fingerprint or face scan) and then uses the digital key to unlock the door.
The cool part is, the digital key is actually made up of two parts: a public key and a private key. The public key is like the address of your house that everyone knows, and it’s stored on the website’s server. The private key is like the actual key to the door, and it stays safe on your device. When you use your passkey, the private key on your device talks to the public key on the server to unlock your account, but the private key never leaves your device. This means even if the website’s server is hacked, your private key is still safe with you.
So, passkeys make your online accounts much more secure because they rely on something you have (your device) and something you are (like your fingerprint), instead of something you know (a password), which can be guessed or stolen.
More about Passkeys
Passkeys are tied to a device
Passkeys are cryptographic “keys” created by your device and used to unlock your account, just as you use a physical key to open a door. The passkey can only be created on your device once you have provided security information to prove you are the account holder, using two-factor authentication (usually via touch or face ID). Once the passkey is created and stored on your device, the device can be used to sign in seamlessly. The passkey is tied to your device - moving passkeys from one device to another involves transferring the passkey information.
Why are passkeys being introduced by the big tech companies?
Passkeys eliminate the need to remember complex passwords. They are unique to each device and can’t be used across different accounts. You don’t need to write them down. At their best, they use biometric data to create the keys, which is more secure than letters, numbers, shapes and symbols.
Why are passkeys better than passwords?
- Phishing-resistant: Passkeys can't be tricked into logging into fake websites.
- No passwords to steal: Even if a website is hacked, your private key isn’t there.
- Simple and fast: Logging in can be as easy as looking at your device (facial recognition), typing in a PIN code or using your fingerprint.
- Cross-device support: Passkeys can sync across your devices (e.g., via iCloud Passwords (Keychain) or Google Password Manager).
What’s the downside, if there is one?
There’s quite a learning curve for new users, and creating the passkeys can be confusing, but I believe this will improve over time. Those with older devices may not be able to use them. Not all websites/organisations will employ this technology, so there's going to be a period of transition. If you lose access to the device that holds your passkeys, or get a replacement, you need to know how to transfer the private keys (on that device) to a new one, or find out how to recreate new passkeys on a new device without losing access to your existing online accounts. If your biometric data (face or fingerprints) changes through injury or surgery, you could lose access to your private keys.