Can Passkeys Keep Your Data Secure?

It’s no secret that using passwords to authenticate accounts gets more problematic each year: most people reuse them across accounts, leaked credentials are bought and sold by the billion, and strings like “12345” and “password” still top the lists of most common passwords. A quick visit to haveibeenpwned.com, whose Pwned Passwords service reports how many times a given password has appeared in known breaches, offers an eye-opening view of the problem. Simply put: it’s not pretty.

Attempts to bolster password security have largely fallen flat. Enforced complexity rules (special characters, numbers, capitalization) make passwords harder to remember, which leads to more password resets and wider reuse across accounts. Mandatory periodic rotation has the same effect: more confusion, more predictable variations on the old password, and once again more reuse across multiple accounts.

What are passkeys?

Passkeys replace the password as the primary way of proving who you are with a trusted device, such as a laptop, smartphone, or hardware security key. When a passkey is created, your device generates a public/private key pair: the private key stays on the device (or in its secure hardware) and never leaves it, while only the public key is sent to the service and stored alongside your account.

When you log in, the service sends your device a fresh random “challenge.” Your device signs that challenge with the private key, and the service checks the signature against the public key it stored at registration. Each challenge is used once, so a captured signature cannot be replayed, and the passkey is bound to the site it was created for, so a look-alike phishing domain cannot trigger it. If the service’s copy of the public key is stolen in a breach, it is of no use to a threat actor who does not also have your device.
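The exchange described above, as an added example that is not part of the original post. It models both sides in Go using the same P-256 (ES256) signatures real passkeys use: the device keeps the private key, the site keeps only the public key, and login is a signed, one-shot challenge scoped to the site. The names (`bank.example`, `alice`, `mallory`, the `Device` and `RelyingParty` types) are invented for illustration, and signing SHA-256(rpID || challenge) is a simplification of WebAuthn’s authenticatorData and clientDataJSON, which carry the same two values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the authenticator (phone, laptop, security key). The private
// key is generated here and never leaves; rpID records which site the
// credential was created for, so it is never offered to a look-alike domain.
type Device struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// RelyingParty models the website. It stores only public keys and the
// one-shot challenges it has handed out; a breach of this table yields
// nothing an attacker can log in with.
type RelyingParty struct {
	id         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		id:         id,
		pubKeys:    map[string]*ecdsa.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register is the enrolment step: the device mints a P-256 key pair and the
// site keeps only the public half.
func Register(rp *RelyingParty, user string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Device{priv: priv, rpID: rp.id}, nil
}

// BeginLogin issues a fresh 32-byte random challenge for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedData is what both sides hash: the challenge bound to the site
// identifier, so a signature produced for one site is meaningless at another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge, but only for the site the credential belongs to
// (this is the property that makes passkeys phishing-resistant).
func (d *Device) Sign(originRPID string, challenge []byte) ([]byte, error) {
	if originRPID != d.rpID {
		return nil, errors.New("no passkey registered for " + originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, signedData(originRPID, challenge))
}

// FinishLogin verifies the signature with the stored public key and consumes
// the challenge, so a captured signature cannot be replayed.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	pub, okKey := rp.pubKeys[user]
	c, okCh := rp.challenges[user]
	if !okKey || !okCh {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, signedData(rp.id, c), sig)
}

func main() {
	rp := NewRelyingParty("bank.example")
	alice, _ := Register(rp, "alice")
	ch, _ := rp.BeginLogin("alice")
	sig, _ := alice.Sign("bank.example", ch)
	fmt.Println("genuine login:", rp.FinishLogin("alice", sig))      // true
	fmt.Println("replayed signature:", rp.FinishLogin("alice", sig)) // false
	_, err := alice.Sign("bank-login.example", ch)
	fmt.Println("phishing site:", err) // refused: no passkey for that domain
}
```

Three failure cases are worth running yourself: replaying a captured signature (the challenge has already been consumed), a phishing domain asking the device to sign (the credential is scoped to `bank.example` and is refused), and an attacker who holds Alice’s public key signing with their own key (verification against the stored public key fails). None of these exist for a password, which is a static secret that works wherever it is typed.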

Why are passkeys appealing?

The primary appeal of passkeys stems from the weaknesses of passwords. If a single account is compromised (massive data breaches are almost daily occurrences), the password associated with it becomes a skeleton key for every other account that reuses it, which is exactly what credential-stuffing attacks automate.

Passkeys make managing, rotating, guessing, and recovering passwords moot; a quick confirmation on your device means you’re logged in. There is no shared secret to phish, because the passkey only works on the site it was registered with, and nothing in a breached user database lets an attacker sign in. This provides greater security for individuals and companies alike. Given that Verizon’s 2025 Data Breach Investigations Report again ranks stolen credentials among the leading ways attackers gain initial access, this raises the barrier significantly for threat actors of all types.

Why isn’t everyone using passkeys, then?

Despite being more secure, passkeys aren’t a true silver bullet. Setting up a single passkey with no second passkey on another device is a dangerous proposition: devices can be stolen, lost, or damaged, effectively locking users out of their accounts until the passkey can be recovered. Keeping a less-secure fallback such as password + 2FA solves the lockout problem but reduces the account’s security to that of the fallback, since attackers will simply target the weakest login path. Synced passkeys (backed up through a platform password manager) and a second registered passkey are the usual answers, but both take longer to configure, cost more to deploy, and require more user education to be used effectively.

There’s also a familiarity factor. The use of passwords predates the internet by centuries, if not more. While they’re not perfect (the story of Ali Baba and the Forty Thieves is an early example of a compromised password), they require little to no technical expertise. Habits of all kinds are hard to break, and password use is no exception.

Are passkeys the future?

The bigger question is whether they’re here to stay. Passkey adoption will rise as users and companies become more familiar with them, but most services will still run a password/passkey hybrid model for the foreseeable future.

Several newer forms of authentication have been tried and have either failed to truly secure accounts, run into problems with user adoption, or simply proved too inconvenient (the less said about identifying traffic signs in CAPTCHAs, the better).

That being the case, passkeys may not be the future, but they’re very much the present. Almost every major Big Tech company, including Adobe, Apple, Amazon, Microsoft, Google, PayPal, and Nvidia, currently supports and/or requires them.

Want to secure your data with passkeys? Not sure how to start? Nodal can help! Contact us today. 
