After passwords, phishing, and two-factor authentication, there’s a natural question:
Is there a better way to do all of this?
That’s where passkeys come in.
They’re already being introduced by major websites and apps — and they aim to replace passwords altogether.
So what is a passkey?
A passkey is a way of logging in without needing to remember a password.
Instead of typing something in, your device proves it’s you.
That might be:
- A fingerprint
- Face recognition
- Your phone unlocking
Behind the scenes, your device holds a secure “key” that only it can use.
How is this different from a password?
With a password:
- You create and remember a secret
- The website checks if what you typed matches
With a passkey:
- Your device handles everything
- You don’t need to remember anything
- Nothing is typed, so nothing can be stolen in the same way
Why are passkeys considered more secure?
Because they remove the main weaknesses we’ve already seen:
No password to guess
There’s nothing for attackers to brute-force.
No password to reuse
Each account uses its own unique key.
No password to give away
Phishing becomes much harder, because you’re not typing anything in.
Does this mean phishing disappears?
Not completely — but it becomes much less effective.
Phishing works best when it can trick someone into typing a password into a fake site.
With passkeys:
- There’s no password to type
- Your device only offers a passkey to the site or app it was created for, so a look-alike site gets nothing
That removes one of the biggest attack paths.
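To make two of the points above concrete (each account has its own key, and the device stays silent for a look-alike site), here is a simplified model of a passkey sign-in. It is an added example, not code from any real platform and not the actual WebAuthn API; the `Device` class, the `verifyLogin` and `message` functions, and the `.example` addresses are made up for illustration.

```javascript
// Simplified model of passkey sign-in (added example; not the real WebAuthn API).
const crypto = require("node:crypto");

// The device: keeps one private key per site, looked up by the site's address.
class Device {
  constructor() { this.keys = new Map(); }
  // Setup: make a key pair for this site; only the public half leaves the device.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "der" });
  }
  // Sign-in: sign the site's one-time challenge plus the address actually visited.
  // Returns null when the device has no passkey for that address.
  signIn(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;
    return crypto.sign(null, message(origin, challenge), privateKey);
  }
}

// The bytes that get signed: the site's address, then the challenge.
function message(origin, challenge) {
  return Buffer.concat([Buffer.from(origin + "\n"), challenge]);
}

// The website: checks the signature against its own address and its own challenge.
function verifyLogin(origin, challenge, publicKeyDer, signature) {
  if (!signature) return false;
  const key = crypto.createPublicKey({ key: publicKeyDer, format: "der", type: "spki" });
  return crypto.verify(null, message(origin, challenge), key, signature);
}

function demo() {
  const SITE = "https://bank.example";       // constructed address
  const FAKE = "https://bank-login.example"; // constructed look-alike
  const device = new Device();
  const sitePublicKey = device.register(SITE);
  const challenge = crypto.randomBytes(32);
  const signature = device.signIn(SITE, challenge);
  return {
    genuine: verifyLogin(SITE, challenge, sitePublicKey, signature),
    // A look-alike page can relay the challenge, but the device has no key for it.
    phished: device.signIn(FAKE, challenge),
    // An old signature fails against the fresh challenge of the next sign-in.
    replayed: verifyLogin(SITE, crypto.randomBytes(32), sitePublicKey, signature),
    // A second account gets its own, different key.
    unique: !sitePublicKey.equals(device.register("https://mail.example")),
  };
}
console.log(demo());
```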
Are passkeys already being used?
Yes — and you may have seen them without realising.
Many platforms now support passkeys, including:
- Email providers
- Social media platforms
- Online services and apps
They’re often offered as:
“Sign in with your device”
or
“Use passkey instead of password”
Do we still need passwords?
For now, yes.
Most systems still support passwords because:
- Not all devices support passkeys yet
- People are used to passwords
- It takes time to change how systems work
So for the moment:
Passwords, 2FA, and passkeys will exist side by side.
What does this mean for me?
You don’t need to change everything overnight.
But it’s useful to be aware of what’s coming.
A simple approach:
- Continue using strong passwords or passphrases
- Keep 2FA turned on
- Try passkeys when they’re offered
- Get comfortable using your device to log in
🧠 The Human Factor
| Technology involved | Passkeys and device-based authentication |
| Root cause | Password systems rely on humans remembering and protecting secrets |
| What was at risk | Password theft, reuse, and phishing attacks |
| Prevention | Move towards passkeys, keep 2FA enabled, and reduce reliance on passwords |