Browse Definitions :

Passkey vs. password: What is the difference?

Companies are turning to passkeys as a secure login for consumers. Passkeys make it more difficult for thieves to steal information, and they are also more convenient for users.

Passwords may be a thing of the past as tech giants are moving to new passkey technology -- a passwordless login that is more secure and convenient.

Apple and Google are updating their phone software and web browsers toward the end of 2022 to use passkey technology. Passwords have security issues -- such as breaches, phishing and stolen identities -- and can be an inconvenience to users as they have to remember several passwords. Passkeys are an alternative that reduces data breaches and other security vulnerabilities.

Moving to a passwordless future is underway. However, there are some key differences between passkeys vs. passwords to help prepare for this change.

What is a passkey?

Passkeys are a new type of login credential that removes the need for passwords. The authentication requires either biometric authentication -- such as a fingerprint or facial recognition -- or a PIN or swipe pattern used with Androids for access.

The passkey works on a person's device, so users can't use passkey functions on another device without a QR code. Users can scan the QR code from their phone and use their Face ID or Touch ID to sign in from another nearby device.

Passkeys were created with the Web Authentication API security standard that uses public key cryptography for access. Each key is unique and created with encrypted data for added security -- think of a digital version of a keycard.

What is a password?

A password uses a string of characters used for identification during sign-on. They are typically used together with a username. Passwords should be unique and only known to the user.

Passwords can vary in length and can also contain special characters, letters and numbers. To protect data, businesses should implement password policies, including guidelines for strong passwords and a timeframe for updating regularly.

One of the main problems with passwords is remembering multiple passwords and not reusing them. Reusing passwords can present security issues because once bad actors get one password, they can access various accounts using the same credentials.

To help remember multiple passwords, users turn to password managers, which use one master password or key to pull the correct password from a database to authenticate the login for the website or application. After entering the main login, the password manager will fill in the form to log the user in, so they don't have to remember multiple passwords. Having a password manager may help remember passwords, but they are not completely secure if the master password is stolen.

Learn more about password hygiene practices.

Passwords face security issues as 80% of hacking breaches were linked to passwords.
Passwords are vulnerable to security attacks.

How does a passkey work?

Passkeys use Bluetooth technology. Bluetooth requires physical proximity, which helps verify the user.

After signing in and linking accounts, a push notification is sent to the device through Bluetooth. Then, the user needs to unlock their device with their private key, which is either a biometric authentication or PIN to create a unique public key that relates to the login. At the next login, the user will only have to use the chosen credential when prompted, which is their private identification -- with no password to remember. The passkey option will appear by the username field.

Google's Chrome password and Apple's iCloud Keychain synchronize passkeys across multiple devices through the cloud. When adding a new device, the user will have to sync it up to use passkey technology.

How are passkeys more secure than passwords?

Passwords are the current standard for sign on, but they aren't the perfect standard. First, people must remember their passwords, which can be a hassle to remember multiple passwords. Users also must create a complex password to avoid password cracking.

Passwords are also vulnerable to cyber attacks and data breaches. Bad actors can use phishing scams to trick people into sharing passwords on fraudulent websites. Passkeys cannot be stolen as easily because data is stored on a device and not a web server.

Passkeys should be more secure than passwords because the bad actors need access to the device and the fingerprint, facial ID or PIN to unlock it. Or, they would have to be near a person's device to use the Bluetooth. If someone loses a device, the thief will be unable to access information without the biometric authentication.

Each passkey is also unique and created using a strong encryption algorithm. The user doesn't have to worry about weak passwords that can be guessed.

People typically choose the same password for multiple sign-on and sites, so if a bad actor learns the password, they could get access to multiple accounts. Weak passwords create vulnerabilities to both the user and business.

Why are companies moving to passwordless authentication?

Passkeys may be easier to use than passwords and safer for companies to help avoid breaches. Apple, Google and Microsoft are working with the FIDO Alliance and the World Wide Web Consortium (W3C) to ensure passkeys are implemented in ways that work across multiple platforms. Passkeys are the newest technology developed by the FIDO Alliance.

Password-only authentication is a big security problem and can be inconvenient for consumers, according to the FIDO Alliance. When consumers reuse passwords, there is a bigger risk for data breaches and stolen identities. Even with password managers and two-factor authentication, passwords can still be stolen because they are stored online. The initiatives from the FIDO Alliance and W3C are an industrywide collaboration to make sign-on technology more user-friendly and safer.

Users won't be forced to use passkey technology, but more websites and apps will start offering passkeys as an option.

Dig Deeper on Authentication and access control

  • network packet

    A network packet is a basic unit of data that's grouped together and transferred over a computer network, typically a ...

  • virtual network functions (VNFs)

    Virtual network functions (VNFs) are virtualized tasks formerly carried out by proprietary, dedicated hardware.

  • network functions virtualization (NFV)

    Network functions virtualization (NFV) is a network architecture model designed to virtualize network services that have ...

  • MICR (magnetic ink character recognition)

    MICR (magnetic ink character recognition) is a technology invented in the 1950s that's used to verify the legitimacy or ...

  • What is cybersecurity?

    Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.

  • Android System WebView

    Android System WebView is a system component for the Android operating system (OS) that allows Android apps to display web ...

  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or ...

  • contingent workforce

    A contingent workforce is a labor pool whose members are hired by an organization on an on-demand basis.

  • product development (new product development -- NPD)

    Product development, also called new product management, is a series of steps that includes the conceptualization, design, ...

  • talent acquisition

    Talent acquisition is the strategic process employers use to analyze their long-term talent needs in the context of business ...

  • employee retention

    Employee retention is the organizational goal of keeping productive and talented workers and reducing turnover by fostering a ...

  • hybrid work model

    A hybrid work model is a workforce structure that includes employees who work remotely and those who work on site, in a company's...

  • Salesforce Trailhead

    Salesforce Trailhead is a series of online tutorials that coach beginner and intermediate developers who need to learn how to ...

  • Salesforce

    Salesforce, Inc. is a cloud computing and social enterprise software-as-a-service (SaaS) provider based in San Francisco.

  • data clean room

    A data clean room is a technology service that helps content platforms keep first person user data private when interacting with ...