
Sooner or later, it's coming: You'll be logging into one of your favorite websites or applications, and you'll find no option to supply a user ID and password. There won't even be a password field. (The jury is still out on the user ID field.) You'll simply choose from a personalized dropdown list of credentials valid for that site or app and, if all goes well, you'll be granted access. Today, this auto-magical, password-less process is hardly bulletproof. But, our industry sources assure us, it will get better.
Considering that today is World Password Day (as if you shouldn't pay close attention to your password best practices every day of the year), what preparations do you need to make now for this brave new world of passkeys? Quite a few, actually.
How did we get here?
Apple, Google, Microsoft, and other members of the FIDO Alliance, the consortium that, together with the W3C, develops the FIDO2/WebAuthn standards that passkeys are built on, are leading this titanic shift in how we authenticate with sites and apps. The tech industry has been quietly making adjustments to operating systems and web browsers to enable this highly automated passwordless future.
One of the big ideas behind passkeys is to keep us users from behaving as our own worst enemies. For nearly two decades, malicious actors -- mainly phishers and smishers -- have been tricking us into giving them our passwords. You'd think we would have learned how to detect and avoid these scams by now. But we haven't, and the damage is ongoing.
In response, the FIDO Alliance found a way to eliminate passwords altogether. If there aren't passwords to supply to legitimate websites and apps, the FIDO Alliance figures there won't be passwords to give to the malicious actors either.
The FIDO folks are going the extra mile to make sure we users don't screw this up. (Like parents sick of their kids always wrecking the car, eventually taking the keys away, and hiring a professional driver to shuttle them around.) With passkeys, the tech industry is taking our keys away and handing them over to a professional credential manager whose job is to unlock and hold the doors for us. And no, we can't have our keys back. But we can make some smart choices now.
The two types of credential managers
Today, ironically and unconstructively, we refer to these credential managers as password managers. Apple rebranded its credential manager (formerly iCloud Keychain) to Apple Passwords last year. That's the same Apple -- a FIDO Alliance member -- credited with inventing the word "passkey" in 2022. Google gave its credential manager the backward-looking name Google Password Manager, while Microsoft's credential manager doesn't yet have an official name.
But let's be clear: Passkeys are not passwords. If we're getting rid of passwords, shouldn't we also get rid of the phrase "password manager?"
Note that there are two primary types of credential managers. The first is the built-in credential manager. These are the ones from Apple, Google, Microsoft, and some browser makers built into our platforms and browsers, including Windows, Edge, macOS, Android, and Chrome. With passkeys, if you don't bring your own credential manager, you'll likely end up using one of these.
The second type is the dedicated bring-your-own (BYO) credential manager. Examples include 1Password, Bitwarden, LastPass, and NordPass.
Credential managers, built-in and BYO alike, operate on the same principle for synced passkeys: Once a credential is established, it is synchronized to a central resource (in most cases the credential manager's cloud) and, from there, it is synchronized to your other devices, as long as those devices are set to sync with that central resource. The exception is the device-bound passkey, such as one created on a hardware security key: it never leaves the device it was created on and is not synced anywhere, which is exactly what makes it useful for the backup role described in recommendation 4 below.
To varying degrees and with varying dexterity, credential managers can manage and autofill other personal information and sensitive assets such as names, addresses, and credit card information. Although the current passkey ecosystem has a few potholes and speed bumps, you should not be deterred from adopting passkeys. But you should take a considered and informed approach.
Although passkeys remain an evolving ecosystem, users can prepare for this passwordless future in several ways. Here are our 10 recommendations for embracing the passkey present and future.
1. Pick a bring-your-own credential manager now
Research and choose a BYO credential manager as though it's one of the most important technology decisions you're going to make for the foreseeable future.
Why? Today's built-in credential managers leave you little control over the management of your credentials and other secrets. The web is rife with tales of woe, like the guy who loves Apple Passwords but still uses 1Password and another guy's six reasons he gave up on Google Password Manager.
More importantly, BYO credential managers compete based on their widespread availability across many platforms and browsers. In contrast, built-in credential managers have little motivation to serve the interests of other platform makers. Choosing a BYO credential manager that supports multiple operating systems and browsers futureproofs you against any unplanned platform changes down the road. For example, you love the Mac but take a job where Windows is the only option. Or you decide to leave Chrome for Firefox.
2. Migrate with care from other credential managers
This is easier said than done. Although many password managers try to ease and automate the migration process, your mileage with automated migrations might vary. Some BYO managers leave your existing credential manager in place in a way that could result in unwanted autofill conflicts. For example, when a website offers its user ID and password dialog, both your old and new credential managers might simultaneously spring to life with their own dialogs that confusingly overlap each other.
Unfortunately, credential managers don't behave like browsers. When you use a new credential manager for the first time, you might not be asked if your system should make the new credential manager your default. We love how browsers do this and wish credential managers would do it too.
Bottom line: When it comes to such migrations, double-check that all entries listed in the new credential manager don't involve duplicate entries. Before removing any entries from either the old or new credential manager, ensure you've identified and tested your keepers -- those credential records that you'll depend on to handle all future logins.
Why? Nothing's more aggravating than a bunch of overlapping pop-ups that sully the user experience so that your mouse can't even click the credentials you want to use. The best way to guarantee a clean migration is to manually review the old and new credential managers to look for conflicts or, worse, entries in the old credential manager that may have been excluded from the automated migration. By the time you're done, all of the entries in your old credential manager should be eliminated. And, as long as you're examining all the entries in the new credential manager to identify which ones to keep and which ones to trash, you might as well go the extra mile with step 3.
3. Stop using shared passwords now and forever
"Shared passwords" are passwords you reuse or share across different websites and applications. While many sites and apps are beginning to support passkeys, virtually none has entirely eliminated user IDs and passwords yet. As long as this is the case, stop telling yourself that it's OK to use the same password for multiple websites. Password managers are great for generating long, cryptic, and unique passwords for all your sites and apps. The time has finally come to review and update all your logins.
Why? The only reason you're sharing passwords is so you don't have to remember 40 different passwords. But once you lock in a credential manager and start using it on all your devices, think of it like the contact manager on your smartphone. When was the last time you remembered someone's phone number? Given the natural ability of the various credential managers to invent, manage, and autofill strong, unique passwords for every site and app that you use, just do it. It might take several weekends to upgrade all your passwords. (Pro tip: Click on the "lost password" links to speed up the process.) But the investment will pay dividends later.
4. Protect your passkey with a roaming authenticator
The FIDO Alliance defines a "roaming authenticator" as an authenticator that is separate from the device you're logging in on, connected over USB, NFC, or Bluetooth, on which your passkeys can be securely saved and recalled. Examples are hardware security keys (e.g., Yubico's YubiKeys) and recent Android and iOS phones and tablets, which can act in the capacity of a hardware security key through the cross-device flow (you scan a QR code shown on the computer, and the phone confirms it is nearby over Bluetooth). Since your credentials to your credential manager are literally the keys to your entire kingdom, they deserve some extra special security.
First, commit your credential manager's user ID and password to memory (the memory in your head). Of all your user IDs and passwords, it's the only one worth remembering. The credential manager itself remembers the rest for you. Then, as a backup, instead of storing the passkey for your credential manager in the credential manager itself, store it on a roaming authenticator. In addition to the credentials you've stored in your brain, that roaming authenticator becomes your physical key to the entire kingdom. One caveat: a hardware security key holds a limited number of passkeys (tens to a hundred or so, depending on model and firmware), so reserve it for your most important accounts rather than trying to mirror your whole vault onto it.
Then… consider buying a second roaming authenticator as a backup to the first. Create another passkey for your credential manager and store it on the backup. Put the backup in a safe place protected from anything bad that might happen to your primary roaming authenticator.
Why? There are various scenarios where storing your passkey on a roaming authenticator makes sense. Perhaps the most important scenario is the one where your family needs access to your accounts in the event of your incapacitation or death. You could give them the user ID and password to your credential manager, and some credential managers offer a "share with family member" option. But, that puts a lot of burden on them to keep that information somewhere it won't be forgotten and protect it from discovery by malicious actors. By committing those credentials to a physical device, you're building the foundation of a legal framework whereby the only time anyone, including family members, can come into possession of your kingdom's keys is when you or a legal document deem it necessary.
5. Establish passkeys where possible
Only a minority of websites and apps worldwide currently support passkeys, and implementations can differ wildly from one website or app to the next. Still, now is a great time to get in the habit of setting them up, using them, and adjusting to the nuanced differences between the various implementations.
Why? Getting in the habit of using passkeys for some of your favorite sites and apps reduces the likelihood that you'll get phished or smished for your user IDs and passwords. When a phisher or smisher comes phishing or smishing for your credentials to a site or app that you've been using passkeys for, your spider senses should start to tingle. That's your brain saying, "Full stop, bucko! This site always gives me the option of logging in with my passkey, and now I don't see that option." With good reason. A passkey is bound to the domain it was created for (the "relying party ID" in WebAuthn terms): your credential manager won't even offer it on a look-alike domain, and the signed login response records which site requested it, so a phishing page can't borrow it.
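To make that last point concrete, here is a small Go program, added as an example (it is not code from ZDNET, the FIDO Alliance, or any credential manager), that mimics the heart of the WebAuthn exchange behind a passkey login: a software authenticator that holds one key per site, and the site's verification of the signed response. The site "example.com", the look-alike domain "example-com.evil.test", and the challenge string are constructed for the example; real relying parties issue fresh random challenges, and the real authenticator-data layout and public-key encoding are more involved than the minimal version here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// What the website (the "relying party", RP) stores after registration:
// the public key and the RP ID (its domain) the passkey is bound to.
type storedCredential struct {
	PubKey *ecdsa.PublicKey
	RPID   string
}

// The WebAuthn clientDataJSON fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// A minimal software passkey store: one private key per RP ID.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// register mints a P-256 key for rpID and returns the record the RP stores.
func (a *authenticator) register(rpID string) (storedCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return storedCredential{}, err
	}
	a.keys[rpID] = priv
	return storedCredential{PubKey: &priv.PublicKey, RPID: rpID}, nil
}

// signedPayload is the digest WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedPayload(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion returns what a browser hands back to the RP: authenticator data
// (starting with SHA-256 of the RP ID), clientDataJSON (carrying the challenge and
// the page origin) and a signature over both. The browser derives rpID from the
// page's real origin, and the authenticator only holds keys for registered RP IDs.
func (a *authenticator) getAssertion(rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash, flags (user present), counter
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedPayload(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// verifyAssertion is the RP side. Every check uses only what the RP already
// knows (its challenge, its origins, its RP ID) plus the stored public key.
func verifyAssertion(cred storedCredential, allowedOrigins map[string]bool, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch (replayed or foreign response)")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q is not this relying party", cd.Origin)
	}
	want := sha256.Sum256([]byte(cred.RPID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedPayload(authData, cdJSON), sig) {
		return errors.New("signature does not verify under the stored public key")
	}
	return nil
}

// loginAttempt runs one round trip: the RP issues a challenge, the browser on
// `origin` asks the authenticator for rpID, and the RP verifies the result.
func loginAttempt(auth *authenticator, cred storedCredential, rpID, origin string) bool {
	challenge := "constructed-challenge-001" // constructed; real RPs issue fresh random bytes per login
	authData, cdJSON, sig, err := auth.getAssertion(rpID, origin, challenge)
	if err != nil {
		return false
	}
	return verifyAssertion(cred, map[string]bool{"https://example.com": true}, challenge, authData, cdJSON, sig) == nil
}

func main() {
	auth := newAuthenticator()
	cred, _ := auth.register("example.com")
	fmt.Println("real site      :", loginAttempt(auth, cred, "example.com", "https://example.com"))                     // true
	fmt.Println("look-alike site:", loginAttempt(auth, cred, "example-com.evil.test", "https://example-com.evil.test")) // false: no key for that RP ID
	fmt.Println("relayed origin :", loginAttempt(auth, cred, "example.com", "https://example-com.evil.test"))           // false: signed origin betrays the proxy
}
```

The look-alike case fails before anything is signed: the browser derives the RP ID from the page's real domain, and the authenticator simply has no key for it, which is why a phishing page never even gets the passkey prompt you're used to. The third case shows the second layer, the origin recorded inside the signed client data, which is what catches a proxy that relays traffic between you and the real site.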
Another reason has to do with those nuanced differences between implementations. Hopefully, over time, most sites and applications will gravitate toward the same recognizable and repeatable passkey user experiences. But we're just not there yet. Once you start playing with passkeys, it will only be a matter of hours before you encounter some adversity. And then more adversity. Well, adversity does have its advantages; you'll become more resilient when you encounter a pothole or a speed bump. Practice makes perfect. Before long, you'll become a passkey power user.
6. Name your passkeys when possible
From one website or app to the next, this naming feature is not always available. That's unfortunate. But some site and app operators (known as "relying parties" in the WebAuthn specification) have put a lot of thought into their passkey user experience and make it possible for the end user to give a friendly name to one or more passkeys. When they allow for this option, take them up on the offer.
Why? One of the cool things about the passkey standard is that you can have multiple passkeys for the same site or app. For example, for a given website, you can have one passkey that goes with the credential manager on your work computer, another passkey that goes with the credential manager on your personal system, another passkey that goes on a roaming authenticator, and so on. Let's say you establish two passkeys for the same website, one for your work system and the other for your personal computer. For the site to keep track of them (the site has to store each passkey's public key and credential ID, and match every login against that list), it might give them default names like "Passkey #1" and "Passkey #2." But how do you know which one goes with which system? If you can rename them "Passkey - Work" and "Passkey - Home," that problem is solved.
Naming also matters when it comes time to delete. Currently, one particularly unevolved area of the passkey ecosystem is passkey deletion. For example, let's say you decide to switch credential managers on your personal computer from 1Password to Bitwarden or vice versa. Passkeys are not easily transferable from one credential manager to another today. (The FIDO Alliance published draft Credential Exchange Protocol and Credential Exchange Format specifications in October 2024 to enable exactly this kind of migration, but credential managers still have to ship them.) To make the move, you'll likely create new passkeys for the new credential manager and delete the old ones. But if you go to a website and the two passkeys you've already created are named "Passkey #1" and "Passkey #2," you won't know which one to delete. If you took the time to rename those passkeys when you first established them, you'll be able to identify which passkey to delete and which to keep.
The FIDO Alliance is aware that the passkey deletion process is too complicated and is looking at ways to make the process more user-friendly.
7. Don't opt out of your user IDs and passwords
Yes, start using passkeys. But don't eliminate your user IDs and passwords. Yet. Some sites and apps are starting to allow users to delete their passwords. In other words, the relying party is taking baby steps toward that passwordless future. When this option exists, wait until you are 100% certain that your passkeys work wherever they're supposed to, and that you fully understand -- and have even practiced -- the process of recovering from a passkey failure.
Why? At ZDNET, we've already experienced a passkey snafu with PayPal's mobile application. A passkey that works for logging into PayPal's website does not work as it should when logging into the PayPal mobile app for Android. Given the number of entities involved in all end-to-end passkey workflows, it's unclear who or what is the cause of the problem. However, logging into the PayPal app required falling back to a user ID and password. This would not have been possible if the user ID and password were eliminated (and the recovery process for such a scenario is unclear).
Such passkey anomalies suggest the industry isn't quite ready to ditch user IDs and passwords. So, hang on to yours until the situation improves and don't let your guard down when it comes to phishers and smishers.
8. Where passkeys are unavailable, enable multi-factor authentication
A long tail of sites and apps don't yet support passkeys. Also, the one-time codes sent to you by SMS or email, for both password and passwordless authentication, are now considered weak: they can be phished in real time just like a password, and SMS codes can be intercepted through a SIM-swap attack on your mobile account. NIST's digital identity guidelines (SP 800-63B) classify codes delivered over the phone network as a "restricted" authenticator for these reasons.
In the absence of a passkey option and considering the weakness of delivered one-time codes, you should reinforce your user IDs and passwords with the best possible additional authentication factors.
Short of passkeys, our favorite option involves an authenticator app like the ones from Google, Microsoft, Symantec, and Yubico. With authenticator apps, codes are computed on your device from a secret shared at setup time and the current time, so they are never transmitted over potentially compromised communications channels. Know the limit, though: a code you type into a convincing fake login page can still be relayed to the real site within its validity window, so authenticator apps are better than SMS but not phishing-resistant the way passkeys and hardware security keys are.
If you cannot use an authenticator app with your credentials, having a one-time code sent to you via email is probably better than having it sent via SMS text. Emails are usually encrypted in transit between mail servers (opportunistic TLS); SMS messages are typically not encrypted, and a SIM swap lets a criminal receive them on a phone they control. Protect the email account that receives those codes at least as well as the accounts it can recover.
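Here is what "computed on your device" means in practice, as an added example in Go (not code from ZDNET or any authenticator vendor): the RFC 6238 TOTP algorithm that Google Authenticator and similar apps implement, with the server-side check beside it. The secret is the one from the RFC's own test vectors; the base32 string in the comment is a constructed setup-screen example; and the verification window of one step either side is a common server choice, not a standard requirement.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// totp computes an RFC 6238 code: HMAC-SHA1 of the 30-second time-step counter,
// dynamically truncated to `digits` decimal digits. Nothing is sent anywhere;
// the app and the server each hold the same secret and compute the same value.
func totp(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", bin%mod)
}

// decodeBase32Secret accepts the unpadded, space-grouped form that
// authenticator-app setup screens show (for example "JBSW Y3DP EHPK 3PXP",
// a constructed sample, not anyone's real secret).
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP is the server side. It accepts the current step and one step on
// either side to absorb clock skew and typing delay. That window is also the
// weakness: a code relayed by a real-time phishing proxy within about 30 s is
// indistinguishable from one typed by the legitimate user.
func verifyTOTP(secret []byte, code string, now int64, digits int) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, now+skew, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret: the ASCII bytes of "12345678901234567890".
	secret := []byte("12345678901234567890")
	fmt.Println(totp(secret, 59, 8))         // 94287082 (RFC 6238 test vector)
	fmt.Println(totp(secret, 1234567890, 8)) // 89005924 (RFC 6238 test vector)
	now := time.Now().Unix()
	fmt.Println(verifyTOTP(secret, totp(secret, now, 6), now, 6)) // true
}
```

The two `fmt.Println` lines reproduce the published RFC 6238 vectors, which is the quickest way to confirm an implementation is doing the right thing. Note what the server can and cannot tell from a code: it knows the code is fresh and that whoever produced it holds the secret, but not whether it arrived from you or from a proxy page you just typed it into.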
Another question concerns your reliance on biometrics to further secure access to your apps and devices. Just a few months ago, we would have said "yes" to biometrics. But our thinking has shifted in light of recent reports of smartphone shakedowns and the degree to which US law enforcement officials can compel you to unlock a resource via biometrics without violating your rights.
Why? The best personal security practices always involve a balance between convenience and security. Make security for your sites, apps, and devices too tight, and it may become too inconvenient. Swing the pendulum too far in the other direction, and you open yourself up to unavoidable problems and consequences. That balancing act will be different from one person to the next.
Implement the best possible practice at each layer of your personal security. For example, robust and unique passwords for each site and app will minimize the damage if a malicious actor somehow discovers one of your passwords. Adding a second authentication factor will present a formidable obstacle if one of your passwords is compromised. And so on. Where the options to put those additional layers of security to work exist, take advantage of them. You'll be glad you did.
9. When available, download and save recovery codes
Unfortunately, there's a little-known dark side to multi-factor authentication: What happens when you lose access to those additional factors of authentication? For example, what if you lose the smartphone that has the authenticator app you need to authenticate to a website? If you can't muster the second factor required to prove you're the person you claim to be, you could be an impostor.
Most site and app operators that support multi-factor authentication offer a backup plan based on secret recovery codes. These are codes the site or app makes available to you (but only while you're logged in and, even then, it sometimes requires re-authentication to download them). If your other forms of authentication fail, that site or app will ask you for one of your recovery codes to initiate the account recovery process. Secret recovery codes are the last line of defense for proving to the site or app operator that you are who you say you are.
When a site offers you secret recovery codes, take them and put them somewhere safe. Keeping them in a plain file on one of your devices is better than nothing, but it's ill-advised. If a hacker somehow discovers them, that hacker can easily break into your accounts. A secure note in your credential manager or a printed copy in a safe is a better home, with one exception: the recovery codes for the credential manager itself must live outside it, or you'll be locked out of the very thing that holds them.
Why? Increasingly, we expect more site and app operators to take the same stand that the app developer site GitHub now takes. Suppose you configure your GitHub account for multifactor authentication with an authenticator app and lose access to that app. In that case, the only way to recover access is with one of the recovery codes you should have downloaded when you had the opportunity. GitHub's support team assumes that anybody (including you) trying to gain access to an account without the proper credentials or recovery codes is an impostor. As more sites and apps adopt this hard line, recovery codes will be your only savior.
10. Use multiple copies of a credential manager on the same system
Some users will be running multiple browser profiles on the same system. For example, one profile might be personalized for all your personal affairs, while another is for all your work stuff. Most browsers keep profiles partitioned, so you have to install separate copies of your favorite browser extensions, including credential manager extensions, into each profile.
The good news: After installing separate copies of your credential manager's browser extension into each of your browser's profiles, you can still tie each extension to the same underlying credential management account. This can simplify your credential management strategy as long as you don't mind a single credential manager to handle your personal and work credentials, and your employer's IT policies allow for such a configuration. Some employers may not allow it or require you to use a credential manager different from the one you've chosen for your personal use.
In conclusion
The path to any new disruptive technology can be, well, disruptive. Passkeys definitely fall into that category. So much so that other tech sites are saying things like "passkey technology is elegant, but it's most definitely not usable security." Given the current state of the passkey, it's understandable why someone might say that. But at the same time, there are so many essential benefits to passkeys that we end-users have to actively advance their adoption, even if the road is a little bumpy.
Meanwhile, here on ZDNET, look for more articles that not only help you to embrace passkeys but also hold the industry accountable for terrible passkey user experiences.
Maybe by 2030, with any luck, we'll be able to cross World Password Day off our calendars for good.