What is a passkey?

Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, and how does it work?

What are passkeys?

A passkey is a form of identification you can use to gain access to an account. Passkeys replace the need for passwords and two-factor authentication (2FA) by using your device to identify you. Since there is no longer a password to steal, passkeys protect against phishing. Passkeys are also less susceptible to brute-force attacks because they rely on cryptographic keys.

Passkey vs. password

The definition above probably sounds vague, so the best way to explain is by comparing passkeys to something you’re more familiar with, namely passwords. Normally, you gain access to an account by entering the credentials you gave when you created it: your username (often your email address) and password.

Not so with passkeys. When you create an account with a service that supports passkeys, your password manager generates a pair of cryptographic keys. The next time you try to access the site, it will recognize the keys you hold and log you in without you needing to enter a password.

How passkeys work

Passkeys use the principle of asymmetric or public-key cryptography. We go into more detail about this in our article on how encryption works, but the short version is that when you create a passkey, your password manager generates two mathematically connected numeric keys: one public, one private. 

The service you’re signing up for holds the public key, while you as the user hold the private one, which is stored in your password manager. When you log in, the service sends your device a challenge that can only be answered correctly with your private key; the service checks the answer against the public key it holds, which identifies you as the account owner.


The system is very secure and practically impervious to brute-force attacks. Cracking the kind of numbers used in public-key cryptography would take a combination of the world’s supercomputers billions of years.
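The challenge-and-response login described above, as an added Node.js sketch that is not Proton's code and is much simpler than the real WebAuthn protocol behind passkeys: the service stores only the public key and accepts an answer only when it is signed by the matching private key over the current challenge and the genuine site address. The function names, the Ed25519 key type, the JSON message layout and both site addresses are assumptions made for illustration.

```javascript
// Added example: simplified passkey login, not the full WebAuthn protocol.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Registration: the password manager creates a key pair for one site.
// The private key stays with the user; the service stores only the public key.
function createPasskey() {
  return generateKeyPairSync('ed25519'); // { publicKey, privateKey }
}

// Service side: a fresh random challenge for every login attempt.
function newChallenge() {
  return randomBytes(32).toString('hex');
}

// User side: sign the challenge together with the address the browser is on.
function answerChallenge(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: sign(null, Buffer.from(clientData), privateKey) };
}

// Service side: check the answer against the stored public key.
function verifyAnswer(publicKey, expectedChallenge, expectedOrigin, answer) {
  let data;
  try { data = JSON.parse(answer.clientData); } catch { return false; }
  if (data === null || typeof data !== 'object') return false;
  if (data.challenge !== expectedChallenge) return false; // stale or replayed answer
  if (data.origin !== expectedOrigin) return false;       // signed for another site
  return verify(null, Buffer.from(answer.clientData), publicKey, answer.signature);
}

// Constructed walk-through; both site addresses are placeholders.
function demo() {
  const ORIGIN = 'https://example.com';
  const { publicKey, privateKey } = createPasskey();
  const strangerKey = createPasskey().privateKey;
  const first = newChallenge();
  const answer = answerChallenge(privateKey, first, ORIGIN);
  const second = newChallenge();
  return {
    login: verifyAnswer(publicKey, first, ORIGIN, answer),
    replay: verifyAnswer(publicKey, second, ORIGIN, answer),
    wrongKey: verifyAnswer(publicKey, second, ORIGIN,
      answerChallenge(strangerKey, second, ORIGIN)),
    lookalike: verifyAnswer(publicKey, second, ORIGIN,
      answerChallenge(privateKey, second, 'https://login-example.test')),
  };
}

console.log(demo());
```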

Advantages of using passkeys vs. passwords

For you, the user, the whole login procedure is entirely seamless: all the above happens automatically and virtually instantly. The only real downside to using passkeys is that few sites use them at the time of writing. Adoption is slow because implementation can pose problems: supporting passkeys can get very technical, and since passwords and passphrases are highly secure, there’s not always a direct need to bother with it. On top of this, there are moments when a passphrase is more useful, as it can be more easily memorized.

Even if more sites used them, another issue is that many devices don’t support passkeys. For example, Android users can only use them if they’re using Android 14, and even then only if they have enabled some specific options — read more about this in our article on enabling passkeys.

Passkeys and Proton Pass

To use passkeys, you need to use a program that can send and receive the keys that make up the passkey. For most people this will be a password manager, a program that stores and manages passwords and, more recently, passkeys. Currently, not all password managers support passkeys across all devices, but Proton Pass does.

As secure as passkeys are, they do create a single point of failure: if somehow somebody gets access to your passkeys, you’re in trouble. To prevent this from happening, Proton Pass uses end-to-end encryption to make sure your passkeys are always stored safely on our servers; nobody can access them, not even us. 

On top of that, we are also platform agnostic: You can use passkeys on any site that supports them, using any of your devices as long as they are compatible. 

Add to this our acclaimed interface, and you have a convenient way to implement this modern security tool. If you’re interested in knowing more about how Proton works, create a free Proton account today or check out our guide on how you can get started using passkeys.

FAQ

Can I log in to Proton Pass with passkeys?

No, you can’t log in to Proton Pass apps using passkeys; you log in with a password or passphrase, or via biometrics.

Do passkeys mask a password?

No, they replace passwords completely, as they work entirely with key pairs.

Where are passkeys stored?

An encrypted version of your private key is stored on Proton’s servers, while the public key is held by the service you have an account with.

What happens to my passkeys if my device is stolen?

Nothing: they will still be on your device, which makes it imperative that you secure your Proton Pass app with a PIN or biometric scan.
