An oversimplified explanations of Passkeys

[+Warwagon MVC]

Imagine one of those heart necklaces that breaks into two matching pieces. One person keeps one half, and the other person keeps the other half.

With passkeys, the website has one half, and you have the other half.

If the website gets hacked and someone steals its half, that stolen piece is useless by itself. It cannot unlock your account without your matching half. This particular heart necklace is one of a kind, there is only one in existence.

Your half of the necklace has to be stored somewhere.

It might be stored on your phone, tablet, computer, security key, or a password manager that can sync it between all your devices.

A security key is a small physical device that you keep with you, kind of like a house key, car key, or flash drive.

I would not usually recommend a security key as the first option for the average person. For most people, it is easier to use their phone, computer, or a password manager that can sync passkeys between their devices.

A security key is more like a spare key you keep in a safe place, just in case you lose access to your other devices or your password manager.

Some security keys plug into your computer. Some plug into your phone or tablet and some get tapped against your device.

The idea is simple: a security key can hold another passkey for the same website.

Think of it like creating a second one-of-a-kind heart necklace for the same account. One necklace could be paired with your password manager, while another necklace could be paired with your security key.

That means the website has more than one matching half on file. One half matches the passkey in your password manager. Another half matches the passkey stored on your security key.

So, if you lose access to your phone, computer, or password manager, you would still be able to log in using the passkey stored on your security key.

Think of it like keeping an extra special necklace piece on a tiny keychain, stored somewhere safe. The website still has the matching half for that security key, but your half is safely stored inside the little key.

A passkey does not automatically exist on every device you own. It lives wherever you save it.

If your half is stored on one device, then that device is the one that has the matching piece.

For example, if you create the passkey on your Windows computer and it is only saved to that computer, your iPhone does not automatically have that same half. If you create it on your iPhone and it only stays on that iPhone, your Android phone does not automatically have it either.

That is where password managers come in.

A password manager can act like a protected jewelry box for your passkeys. Instead of your half of the necklace being locked to only one device, the password manager can securely sync that half to your other approved devices.

For example, Apple Passwords and iCloud Keychain can sync passkeys between your Apple devices. Google Password Manager can sync passkeys with your Google account.

But password managers such as 1Password and Bitwarden can sync passkeys between everything, your phones, tablets and computers.

Now, you might ask: “What happens if I lose access to the device that has my passkey?”

That depends on where your passkey was saved and what recovery options the website gives you.

If your passkey was synced through a password manager, you may be able to sign in from another device that has access to that same password manager. For example, if your passkey is saved in iCloud Keychain, Google Password Manager, 1Password, or Bitwarden, another approved device may still have access to it.

If your passkey was saved only on one phone, computer, or security key, and you lose that device, then you may not have your half of the necklace anymore.

In that case, you would usually need to use the website’s backup login or account recovery options.

A lot of websites that support passkeys still let you fall back to your regular password. So if you lose access to your passkey, the site may still let you log in with your password, a code sent to your email, a text message, a recovery code, or some other account recovery process.

That is convenient, but it is also important to understand: if the website still allows password login, then your password still matters.

Passkeys are safer than passwords, but if your account still has a password as a backup, you should still use a strong, unique password and turn on two-factor authentication if the website offers it.

This is why it is a good idea to have more than one safe way back into important accounts. For example, you might keep your passkey in a syncing password manager, add a second trusted device, save recovery codes somewhere safe, or set up a backup security key.

A passkey is very secure, but just like a real key, you need a backup plan in case you lose access to it.

Now, you might ask: “What stops a hacker from copying my half of the necklace?”

That’s the important part: your half is protected. It is not something you type in, and it is not something the website gets to keep.

Think of your half as being locked inside a tiny safe on your phone, computer, security key, or password manager. That safe only opens when you approve it with your fingerprint, face, PIN, or device password.

When you log in, the website does not need to see your half. It only needs proof that your half matches its half.

Your actual half is not handed over to the website.

This is different from a password. With a password, you type the secret into the website. If you type it into a fake website, the hacker now has it.

With a passkey, you are not typing your secret into the website. Your device is proving you have the matching half without giving the half away.

That also helps protect you from fake websites. If someone makes a fake login page that looks like the real site, your device can tell it is not the real match. It will not use your passkey there.

Now, could someone use your passkey if they stole your device, got into your password manager, or somehow unlocked the safe that holds your half? Yes, that is why your device password, PIN, fingerprint, face unlock, and password manager security still matter.

But a hacker cannot just steal your passkey from the website or trick you into typing it into a fake page like they can with a password.

That is why passkeys are safer than passwords. The two matching pieces have to come together, like two lovebirds who were once separated and are finally reunited.

[+virtorio MVC]

Well, that answered all the questions I had about passkeys, but never seemed to have time to go look up. Thanks for that.