Why are Passkeys Much Better than Passwords?
Many of us have been using passwords to access computing resources our entire lives. Is all that really coming to an end?
What are passkeys and why are they rapidly becoming a mainstream passwordless authentication method? How fast is passkey usage expanding? And when can we expect to say goodbye to passwords forever?
This article overviews how passkeys work, their security advantages, and their current state of global adoption.
What are passkeys and how do they replace passwords?
Passkeys are passwordless logins that replace passwords and are both easier to use and much more secure. Unlike passwords, passkeys can’t be stolen, guessed, “phished,” or end up for sale on the dark web. You never need to invent passkeys, remember them, or look them up, so they are also easier than passwords to configure, use, and maintain.
To access a website or application, a passkey relies on your phone, laptop, tablet, or other supported “authenticator” device to store biometric ID data as well as a private cryptographic key, which together prove you are who you say you are. A password manager that supports passkeys can also be your authenticator, which offers the benefit of enabling your passkeys to work across devices.
Why are passkeys better than passwords?
According to Anna Pobletts, Head of Passwordless at 1Password, the big advantage with passkeys is really to remove human error from the equation when logging into applications and websites.
“With passkeys, the security is just built straight into the technology,” says Anna. “With passwords, the biggest problem is that users have to think up a good password and remember it and make sure it’s unique. With passkeys, all that happens totally automatically.”
From a user’s viewpoint, using passkeys looks and feels identical to unlocking your device with a biometric method or Windows Hello, for example. You could easily overlook that you are authenticating at all, so it’s very low stress. All the “security stuff” takes place behind the scenes.
Meanwhile, the rise of cyberattack vectors like password crackers and deepfake AI means that even as we struggle to strengthen passwords, they become harder and more dangerous to use. Additional authentication steps, such as sending SMS codes, help bolster security, but always at the expense of users’ time and convenience.
At the same time, the security and usability advantages of passkeys have just become too great to ignore. “No downsides—that’s my claim!” Anna Pobletts jokes.
How do passkeys nullify phishing attacks?
Passkeys are inherently resistant to phishing attacks as well as business email compromise and other social engineering or password stuffing attacks aimed at credential theft and misuse. In a typical phishing attack, the victim gets an email prompting them to visit a malicious website. If they try to sign into the phishing site, the attacker can harvest their login and password.
But with passkeys none of that can happen. Passkeys eliminate the need for passwords, and they won’t work on malicious sites because they are bound to the legitimate site for which they were created.
How do passkeys compare with physical security keys like a YubiKey? Both make it harder to steal identities, but passkeys are lower cost, easier to use, and don’t need to be remembered or carried around. Some other two-factor authentication (2FA) methods, such as SMS codes, are potentially less secure than passkeys, as well as less user-friendly overall.
How do passkeys work cryptographically?
As noted above, passkeys are passwordless but they still require authentication. Passkeys rely on public-key cryptography, so authentication requires two cryptographic keys:
- A private key that is stored on your device.
- A public key that resides with the service that holds your account (e.g., Google Mail).
Before you can use a passkey you also need a secure form of identification, such as biometric data (e.g., Face ID or Touch ID) or the passcode that unlocks your phone screen. This data stays on your device and is not shared with your services, so it can’t be stolen if a server is compromised.
Depending on the application, your passkeys can be synced to the cloud and shared among different devices. That way, if you lose your phone you won’t lose all the passkeys stored on it. Likewise, you can revoke passkeys on some systems, such as Google or an iCloud keychain.
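The following is an added example, not code from the article or from 1Password, that walks through the two-key mechanism above and the site binding that defeats phishing: a device-side authenticator holds a private key per relying-party ID, the server holds only the public key and challenges the device with a fresh nonce, and a look-alike site cannot obtain a usable signature because the browser derives the relying-party ID from the real origin. The site names, the challenge, and the simplified signed message (rpID hash plus challenge, standing in for WebAuthn’s authenticator data and client data) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one private key per relying-party ID (rpID).
type Authenticator map[string]ed25519.PrivateKey

// Register creates a key pair bound to rpID; only the public key leaves the device.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // OS entropy failure; nothing sensible to do in a demo
	}
	a[rpID] = priv
	return pub
}

// Sign answers a login challenge. The browser derives rpID from the page's real origin, so a look-alike site can only request a key that was never created.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ed25519.Sign(priv, message(rpID, challenge)), nil
}

func message(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID)) // site binding, as in WebAuthn authenticator data
	return append(rp[:], challenge...) // plus the one-time challenge (replay protection)
}

// Verify is the relying party's check; the server holds only the public key.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, message(rpID, challenge), sig)
}

func main() {
	dev := Authenticator{}
	pub := dev.Register("bank.example")
	challenge := make([]byte, 32) // fresh server nonce per login attempt
	rand.Read(challenge)
	sig, _ := dev.Sign("bank.example", challenge)
	_, phishErr := dev.Sign("bank-login.example", challenge) // look-alike origin
	fmt.Println("real site ok:", Verify(pub, "bank.example", challenge, sig), "phish:", phishErr)
}
```

A compromised server leaks only public keys, which cannot produce signatures, and a captured signature is useless on a later login because the challenge changes every time.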
Is there a way to do “account recovery” with passkeys? For now, it usually works as it traditionally has with passwords, such as by using the email address associated with your account.
How fast are passkeys replacing passwords?
It seems likely that passkeys will eventually replace passwords almost entirely, simply because they are a better option. Passkey adoption is becoming more widespread with each passing week as individuals and organizations begin creating their first passkeys and continue adding more.
According to the FIDO Alliance, an open industry association that promotes standards for passwordless authentication and device attestation, passkey adoption doubled in 2024 with over 15 billion online accounts now supporting passkeys.
Consumer research shows that as of 2024:
- 62% of consumers surveyed were aware of passkey technology.
- 53% reported enabling passkeys on one or more of their accounts.
- Of those who have enabled one or more passkeys, 23% enable passkeys “whenever possible.”
- 61% see passkeys as more secure than passwords and 58% find them more convenient.
- 1Password states that over 4 million passkeys are now saved in the 1Password password manager application, with about 2.1 million passkey authentications requested per month.
- Hundreds of millions of new passkey users are expected in 2025, per the latest adoption data on state-of-passkeys.io.
Google, Amazon, eBay, Apple, Walmart, Microsoft, IBM, and many others have rolled out passkeys and more are sure to follow. Still in its early stages, use of passkey technology is not yet seamless across all devices, operating systems, and web browsers. But standardization and support among service providers is advancing rapidly. Most individuals and organizations will probably experience a gradual transition where they will still use passwords for some applications while switching to passkeys as they become available.
What’s next?
For more guidance on this topic, listen to Episode 149 of The Virtual CISO Podcast with guest Anna Pobletts, Head of Passwordless at 1Password.