What Are Passkeys and Who Should Use Them?

We’ve been using passwords to protect our accounts for decades, and frankly, we’re not very good at it. Many of us reuse the same short, easy-to-remember password across all our accounts: easy to log in with, but terrible for security. Not only can an attacker (or an attacker’s cracking rig) guess such a password quickly, they can also try it against every other account you own. Before you know it, you’ve suffered several breaches, some of which could involve financial or personal information.
There are steps you can take to improve password security. First, use a long, unique password for every account and never reuse it. A well-crafted random password is impossible for a human to guess and impractical for a computer to brute-force. Second, even if a company leaks your password (or its hash) in a data breach, two-factor authentication (2FA) provides a second line of defense: without the device that generates or receives the 2FA code, the stolen password alone is of little use to an attacker. And because you haven’t reused it, it won’t open your other accounts either. This combination is a sound strategy.
But many, if not most, of us aren’t following it, and plenty of people still put their organizations at risk with weak authentication. That’s why users are shifting to a newer form of authentication that combines the convenience of a password with the phishing resistance of a second factor, without having to remember anything: passkeys.
What are passkeys?
Passkeys are a (relatively) new sign-in method that replaces the password entirely. They are built on public-key cryptography: when you create a new account with a passkey, or add a passkey to an existing account, your device generates a key pair. One half, the public key, is sent to and stored by the service that runs the account. It does not need to be secret; if it is stolen in a breach, it is useless to the attacker on its own. The other half, the private key, never leaves your device (a smartphone, tablet, or computer) and is what actually proves your identity.
To create a passkey, you simply unlock it with your device’s built-in authentication: a face scan, a fingerprint, or a PIN. Once that succeeds, the passkey is created and its public key is registered with the account. To log in later, the service sends your device a fresh random challenge; after you unlock with one of those three methods, your device signs the challenge with the private key, and the service checks the signature against the public key it has on file. If the signature verifies, you’re in, with no password involved.
Your passkeys are stored on your devices, typically in a credential vault such as a platform keychain or a password manager. Apple, for example, generates and stores passkeys in iCloud Keychain. If you use a password manager such as Bitwarden or 1Password, you can generate and store passkeys there instead, and any device signed in to that password manager can use the passkey to authenticate.
You don’t have to sign in from the device that holds your passkey, either. If you’re on another device, such as a friend’s computer or a tablet, that has no passkey for the account, you can use a trusted device to authenticate. Say you want to check your bank account on your computer, but the passkey lives on your iPhone. Choose to sign in with a passkey from another device, and the bank’s website shows a QR code. Scan it with your iPhone, unlock with Face ID, Touch ID, or your PIN, and you’re signed in on the computer. The same flow works for signing in on devices that can’t store passkeys themselves, such as the PlayStation 5.
Are passkeys secure?
The short answer? Yes. Passkeys are a very secure authentication method: not only are they far stronger than passwords, they are also more robust than most forms of two-factor authentication (2FA). 2FA is valuable and certainly better than a password alone, but attackers can steal authentication codes, especially codes sent via SMS. That can mean a sophisticated compromise of the platform that delivers your codes, or a plain phishing attack: scammers impersonate the service and trick you into typing your 2FA code into their page. So 2FA, while a real improvement, remains vulnerable to phishing.
Passkeys don’t have this weakness. You can’t be tricked into revealing one, because there is nothing to type, and the private key doesn’t leave your device. A passkey is bound to the exact domain it was registered for, so your device won’t even offer it unless you’re on that domain; a scammer’s look-alike site never triggers the sign-in prompt. Cross-device login is protected too: the QR-code flow requires the trusted device to be physically near the device you’re signing in from (proximity is checked over Bluetooth). An attacker therefore can’t send you a QR code, trick you into scanning it, and have you authenticate their session. Unless they’re in the same room as you, they won’t get in with your passkey.
What should I do if I lose my device?
One of the most common questions about passkeys is what happens if you lose the device they’re stored on. After all, if the private key is stored only on your smartphone, what happens if it’s lost, stolen, or broken?
There are several possibilities. First, there is a real risk of losing a passkey outright if you lose the trusted device. If you store your passkeys on a hardware security key, such as a YubiKey, they are bound to that key and won’t sync anywhere, so losing or breaking it means losing those passkeys; where the service allows it, register a second key as a backup. Depending on the account, you may have recovery options, such as answering security questions to verify your identity. This is decided case by case: if an account has only a passkey configured, and that passkey exists on only one device, you could be locked out. Check whether your accounts offer recovery options or a backup authentication method. Because of this possibility, some services still require you to keep a password even after you add a passkey.
More importantly, you don’t have to keep your passkeys on a single device. Synced passkeys are replicated across your devices by your credential provider. For example, if you create a passkey on your iPhone, iCloud Keychain syncs it, end-to-end encrypted, to your other Apple devices, such as your iPad and Mac. Whenever you want to sign in on any of them, you authenticate with the passkey right there: Face ID, Touch ID, or your PIN, and you’re good to go.
Is it possible to export passkeys?
Currently, no, not in any general way, and this is perhaps the biggest drawback of passkeys today. Unlike passwords, which can be exported and imported between password managers, a passkey is tied to the credential provider it was generated in. If you created a passkey for your Google account on your iPhone, you can’t directly move it to, say, an Android device; if it’s in Bitwarden, you can’t move it to Google Password Manager. (The FIDO Alliance has published draft Credential Exchange specifications intended to make such transfers possible, but provider support is only beginning to arrive.) Therefore, generate passkeys in the provider you use most. If you’re entirely within the Apple ecosystem, iCloud Keychain is your best bet; if you have devices from several manufacturers, a cross-platform password manager is the better choice. You can always fall back to the QR-code flow with your iPhone, but the real convenience of passkeys is signing in quickly on a device that already holds one.
That doesn’t mean you’re locked into one provider forever: you can create new passkeys for your existing accounts in another provider and then safely retire the old device or provider. Just keep the old one until the new passkey is set up and tested. If something goes wrong and you can’t create a passkey on the new device, you’ll need the old one to prove your identity, unless you have an alternative method, such as a password.
Passkeys aren’t perfect: in practice they can be fiddly, especially across multiple devices from different vendors. But at their best they deliver both convenience and security. If you’re not particularly tech-savvy, or you don’t live within a single company’s ecosystem, it may be too early to rely on passkeys alone. Used with these limitations in mind, though, passkeys will keep your accounts secure.