I'm ditching passwords for passkeys for one reason - and it's not what you think

Passkeys versus passwords and why the new system feels so broken

ZDNET's key takeaways

  • Adoption of passkeys is fragmented across sites and devices.
  • Users still need passwords for recovery and new device setup.
  • Phishing protection makes passkeys worth adding, despite confusion.

OK. Fine. I've finally decided to embrace passkeys. But why does it feel so icky?

As you probably know, passkeys are the tech industry's answer to The Password Problem. Unlike password data, which can be breached, phished, quished, vished, and smished, passkeys rely on a private key that (at least theoretically) only you have.

They are the pinnacle of modern credential security, and we all should be using them. Or at least, that's the message our favorite sites are nagging us with constantly.

But not so much. The reality is way, waaaay messier than it should be.

I'm moving to passkeys

Slow down, bucko. You apparently don't move to passkeys. Most of the time, you just add them. Stick with me here. I'm going to try to deconstruct some of the hype and share my understanding of where these overreaching beasties fit into our credential security infrastructure.

Let's start with a little digital adventure I had recently.

After being nagged one too many times by a number of sites I use daily, I recently decided to give in. I decided to "move" to passkeys. At that point, I mistakenly believed passkeys are replacements for the username/password paradigm we've been using for decades.

Actually, about two years ago, I briefly tried passkeys only to abandon them almost immediately. That was just as they were gaining early adoption, and I, as a professional early adopter, figured I should jump on the bandwagon. The experience was a convoluted mess. I quickly gave up on the effort.

Now, though, it's been a few years since that attempt. My sites have started constantly nagging me about passkeys. I naively thought most of the worst challenges must have been overcome since my earlier, ill-fated attempt. Surely, with so many consumer-facing sites pushing muggles to passkey use, the technology must be ready for primetime.

I started with a well-known financial institution. My previous login method had been username and password, combined with my authentication app for second-factor authentication.

Following the site's directions, I implemented passkey login. The process went fairly smoothly. Within a few minutes, I was able to log in with my passkey.

At that point, I decided to delete the authentication key from my auth app, because I'd upgraded to passkeys and wouldn't need the auth code anymore. After all, part of the reason for upgrading to passkeys is to eliminate all that extra work at login, right?

But then I tried logging in again. I was not locked out. I was, instead, presented with the choice of logging in with my password or my passkey. Out of curiosity, I tried to log in with my username and password. That worked. But, of course, I wasn't asked for a second factor, because I had turned that important security feature off a few moments prior.

Huh. OK. The financial institution had allowed me to delete the authentication method, but apparently, my username and password were still associated with my account. No amount of digging around in settings would allow me to delete my password and go all in on passkeys.

Baffled and fairly annoyed, I went back into my account, re-enabled the auth key, and wondered why I'm even bothering with passkeys.

Slacking a friend

The game show Who Wants to Be a Millionaire? has a feature called "phone a friend." The idea is that if a contestant is asked a question that's too hard to answer, the player gets to phone a friend for advice.

One of my favorite aspects of working with ZDNET is that I work daily with some of the most well-informed subject matter experts in tech. So I decided to Slack our resident passkey expert, David Berlind. He has written an entire series on passkeys that I consider mandatory reading for anyone living in the 21st century and using The Online.

Berlind was kind enough to jump onto a Slack voice chat and spend almost an hour with me, explaining the ins and outs of how passkeys really work.

It turns out that passkeys are such a mess because every site implements them differently. Each site you authenticate on is called a "relying party" in passkey speak. Passkeys themselves are a nickname for FIDO2 credentials. By the way, if I get something wrong here, it's not Berlind's fault. I'm recounting what he told me from my notes, which could well be as flawed as the industry's implementation of passkeys themselves.

So, yeah. Every site implements them differently and is implementing a different "transition path" from passwords to passkeys. Some sites will only allow you to log in with passkeys. Some will let you switch from passwords to passkeys. And some, like the financial institution above, keep both.

Another weirdness is that some sites allow you to use the same passkey on all your devices. Others, notably PayPal, require you to set up a different passkey on each device. These are called "device-bound passkeys." If you access PayPal from your Mac Studio, your MacBook Air, and your iPhone, you'll need three separate passkeys.

Now, here's where you're gonna get brain freeze.

PayPal requires device-bound passkeys, which they're doing presumably to be extra diligent about your security. But think about this. If you add a passkey to your MacBook Air and remove password access, how are you going to add a new device-bound passkey to your Mac Studio and iPhone?

Yeah, you'll need to log in with your username and password, then set up the passkey for the new device. But since you're almost always going to need the option to add a new device (like, for example, if you upgrade your iPhone this fall), you're always going to need to have username and password access to PayPal.

That seems to defeat the purpose of passkeys, which is to provide a better, more secure, and less breachable form of authentication.

When I posed this paradox to Berlind, he had some sage advice.

ZDNET's recommendations

Simply out of morbid curiosity, I asked ChatGPT, "Why do passkeys suck?" It replied:

Passkeys don't necessarily "suck" -- they're far more secure than passwords -- but they feel broken in practice because of ecosystem lock-in, poor cross-platform usability, and confusing recovery processes. They'll likely get better as adoption grows and workflows mature.

(Disclosure: Ziff Davis, ZDNET's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)

This tracks with what I learned from Berlind. He told me that he uses passkeys for any relying party that offers them. Beyond easier login for those sites, he had an interesting reason: protection from phishing.

He said that if he lands on a site where he knows he uses passkeys, and the site asks him to log in with his username and password, that site might actually be a fake. The passkey request is, essentially, a validation mechanism that you're on the site you intend to be. That's because scammers can't harvest passkeys. Well, they can try, but because of the public-key cryptography behind them (the private key never leaves your device, and anything it signs is bound to the real site's domain), whatever they harvest won't be usable.

So, using passkeys can help you set up a situational awareness trap for phishing attempts.

As for me, I've decided that if a site offers passkey authentication, I'm going to add it. If nothing else, it will stop sites like Amazon from nagging me incessantly. But it will also provide that phishing awareness protection Berlind recommended, and get me into the practice of using and tolerating passkeys.

I suggest you do the same. Keep track of your existing usernames and passwords. Make sure you set up multifactor authentication wherever you can, and keep track of those recovery codes. But also add in passkeys as a belts-and-suspenders level of security, authentication, and transition preparation.

Be careful. The false sense of security provided by passkeys might lull you into thinking you're protected when you're not. Don't implement passkeys thinking you can remove second-factor authentication protection. Be aware that the act of implementing passkeys won't directly increase your account protection if there is still a username and password system in place. You should still use second-factor authentication for accounts that offer it. They are offering it for good reason.

It seems that as long as you protect your username and passwords the way we've all been trained, adding passkeys into the mix doesn't hurt anything. It just makes it simpler to sign in. It's pretty clear that it's the way of the future. I just wish it wasn't a harbinger of such a messy, convoluted, inconsistent, confusing future. But that's progress, right? Right?

Have you started using passkeys yet, or are you sticking with traditional passwords? Do you find the mixed implementations across sites confusing, or do you see clear benefits in phishing protection? How do you balance convenience with security in your own accounts? Let us know in the comments below.
