Subscriber OnlyTechnology

Say goodbye to your passwords and start using passkeys

Passkeys are more secure but tech firms are doing little to encourage us to use them

Passwords are the bane of my digital life and I bet they are of yours too. They are a basic component of digital security, and still the most common — more than two-thirds of organisations worldwide still base their in-house security on the good old username + password combination, according to Statista, as do the majority of the general public.

But that mix, while old, is not good. Most of us choose passwords that range from crappy to appalling. According to a Bitwarden survey of 2,000 global internet users on last year’s World Password Day — yes, it seems there is such a thing — 19 per cent use “password” as their password, and half use easily identifiable information such as company or brand names, song lyrics, family or pet names (15 per cent of British people use their pets’ names, according to the UK’s national cyber security centre). Some 85 per cent of people reuse passwords across multiple sites.

We all know these kinds of statistics, and those amusing, most-popular password lists of shame, as they pop up every year in media stories about our need to improve. Yet few of us seem to change our habits, even though survey after survey shows nearly all of us worry about being the target of a cyberattack or hack. Most of us have had at least some of our passwords leaked in some data breach somewhere, too. If you have an iPhone, you’ll likely have seen the notifications that tell you if a password has been leaked in a known breach, or warning if you’ve reused one across numerous websites and services.

Guilty as charged. I’m as bad at this as anyone. I’ve reused passwords, especially in the long distant past, when it was really common to do so and not that many people were online. I’ve reused passwords more recently because I just want to quickly create an account to buy something and be done. I’ve tried a couple of password managers and don’t follow through using them. I diligently use the strong passwords conveniently generated by Apple’s Safari browser when I’m using it, but I’m often on a different browser. I confess to all this despite having had digital security as a particular reporting interest of mine since the 1990s. I know better. But still.


Companies know they need to do better for us, too, especially as they now have legal obligations under laws like the EU’s General Data Protection Regulation (GDPR) and can be fined eye-watering amounts for data breaches. Heck, we all know we need to do better. But password pain points are real, and the alternatives can be confusing, even if they’re much better and safer for everyone. However, like me, you need to get away from using passwords whenever you can, especially for sensitive accounts, such as those for financial services.

Has Apple Inc run out of ideas?

Listen | 20:14

One option is to use basic two-factor authentication (2FA) like emailed or messaged once-off log-in codes, which are a good start, but not if someone can view your device or email account. A better option is an authenticator app. They’re freely available from big companies like Microsoft and Google, or smaller companies like Authy. These generate a 6-digit code that’s only usable to log in on a website within a brief time frame. But the website has to offer this authentication option; few do. And there’s minor, but still off-putting friction in using an authenticator. There’s getting and setting up the app and then fiddling to go get a code and return to the site to log in.

Another strong alternative pushed by an increasing number of online services is the passkey. Passkeys are based on encrypted keys. You create a private key that identifies you as you, authenticating it with something like a master key on a password manager, or biometrics like a fingerprint or facial scan. Many smartphones easily create these and will walk you through the set-up. Your key resides on your device in encrypted form and is virtually impossible to hack. When you visit a site that uses passkeys, your private key identifies you to a public key sitting on the site’s servers, and you’re swiftly logged in. Once set up, passkeys are easy to use. You may already be using one without realising, if you use facial recognition on your handset to access, say, online banking.

But companies have a way to go in making passkeys an easy or obvious choice. For example, Microsoft has recently introduced passkeys for its services, and if you use any Google service you’ll have been nagged to create passkeys. Yet when nudged by these companies to make this move, I was initially confused about what I was being asked to do, and why. If I was flummoxed, I figure this is also a problem for the average person. Still, setting them up was easy, logins are instantaneous and my associated accounts are far more secure. If you have the option to create passkeys, do it.