09 Apr Passkeys: A More Secure Future.
Why Passkeys Are the Future of Online Security: Moving Beyond Vulnerable Passwords
–Alfred Bonilla, Vice President, Modern Access, Mastercard
San Jose, Calif. – Apr. 9, 2025
At this point, we’ve all heard the old adage that passwords aren’t secure. And the statistics prove it: The latest Verizon Data Breach Investigations Report continues to show that attackers are utilizing stolen, easy-to-guess, or reused passwords to break into accounts.
In response to the insecurity of passwords, many enterprises have put policies in place that introduce significant user friction. They force staff to change passwords often, use lengthier passwords that are harder to remember, and require a complicated mixture of letters, numbers, and special symbols. This ultimately results in insecure outcomes, where users have easy-to-guess passwords with numbers replacing vowels or use the same password for multiple sites. It seems like a never-ending circle that doesn’t really get us anywhere, continuing to make companies vulnerable and users frustrated. So what’s the solution?
The answer is passkeys. Passkeys are being touted as the password killer, and it’s a reputation that is well-earned. They effectively replace passwords and are demonstrably easier to use. And this ease of use is essential to their adoption.
What makes passkeys different from passwords is how they are generated. Where users often set their own passwords, the service generates the unique passkey and gives it to the user, who can then use it to log in and store on a device of their choosing, like a phone or a laptop.
A fancier way of saying this is that passkeys use a pair of cryptographic keys, which you can read more on here. So, rather than being presented with fields to type in a username and password, the user is prompted to present their passkey to the service when it’s time to log in. If the user possesses that passkey on their device, the device asks the user if they want to log in with it and then couples that with the user’s way of unlocking their phone whether it’s through a biometric or pin. It’s inherently multifactor authentication. Passkeys can also be shared across devices, utilizing things like Apple’s Keychain service, meaning the passkey is usable from the user’s iPhone, iPad, or MacBook. Alternatively, a user can use their phone that contains their passkey to log onto a service by scanning a QR code.
Passkeys are also more secure than passwords. Passwords can be easily guessed, or the same password can be used across multiple services. They can be phished, vished, or smished. Passkeys, on the other hand, are always unique to the service that handed it out. They cannot be reused across websites. Importantly, passkeys are also tied to the service’s website.
An attacker will commonly try to steal a user’s password through phishing. The user is sent an email that looks like it’s from a legitimate service, like their bank. That email will contain a link that sends them to a fake website that looks exactly like their bank’s login page. When a user gets to the fake website, they enter their username and password for the attacker to steal and use. However, if a user with a passkey is sent to a fake website, the user is never prompted to present their passkey for an attacker to steal.
Passkeys are quickly being adopted. If you are wondering whether a service you use supports passkeys, you can check websites like http://www.passkeys.io to see if it’s on the list. Extremely popular services like Google, Microsoft, and Apple allow users to set up passkeys to log in, and more are on the way. This trend is encouraging. With how easy and convenient they are to use, passkeys are leading the way to a more secure future where passwords are a thing of the past.
–Alfred Bonilla, Vice President, Modern Access, Mastercard
SPONSORED BY MASTERCARD
Mastercard works to connect and power an inclusive digital economy that benefits everyone, everywhere by making transactions safe, simple, smart and accessible. Using secure data and networks, partnerships and passion, our innovations and solutions help individuals, financial institutions, governments and businesses realize their greatest potential. Our decency quotient, or DQ, drives our culture and everything we do inside and outside of our company.