Passkeys and passwordless authentication
Passwords are the weakest link in most security setups — not because the technology is flawed, but because people reuse them, forget them, and type them into phishing pages. The 2025 Verizon Data Breach Investigations Report found that stolen credentials were involved in the majority of web application attacks. That number has barely moved in years.
What is a passkey
A passkey is a credential stored on your device — not a password you type, but a cryptographic key pair generated when you register. One key stays on your device (private), the other goes to the server (public). When you sign in, the server sends a challenge, your device signs it with the private key, and the server verifies the signature with the public key. Access granted.
The private key never leaves your device. It's protected by whatever authentication your device uses — biometrics, PIN, or a hardware security key. The server never sees it, so there's nothing to steal from the server side.
This is the WebAuthn standard, developed by the W3C and the FIDO Alliance. It's the same technology behind passkeys on Google, Apple, and Microsoft accounts.
Supported authentication methods
Passkeys work with any WebAuthn-compatible authenticator:
| Authentication method | Examples | Where the key lives |
|---|---|---|
| Device biometrics | Face ID, Touch ID, Windows Hello, Android fingerprint | Secure Enclave / TPM chip |
| Physical security key | YubiKey, Google Titan Key, any FIDO2 key | The key itself |
| Device PIN | Windows PIN, iPhone passcode | Device secure storage |
All of these work as either a primary sign-in method (replacing your password) or as a second factor on top of a password.
Two ways to use passkeys
Option 1: Passwordless sign-in
You replace your password with a passkey. When you open an app or service, you authenticate with your fingerprint, face, or security key — no password field, no typing.
This is the highest-security option. A password that doesn't exist can't be phished, guessed, or leaked in a breach. Good fit for:
- Teams where phishing is a realistic threat
- Environments where password reuse is hard to control
- Organizations that want to reduce IT support load from password resets
Option 2: Passkey as a second factor
You keep your password and add a passkey as the second authentication step. Instead of entering a 6-digit TOTP code from an authenticator app, you confirm the login with biometrics or a security key.
Good fit for:
- Teams that want to upgrade their second factor without changing login habits
- Gradual rollout — start with 2FA, move to passwordless later
Why passkeys are more secure than TOTP
TOTP codes have a known weakness: real-time phishing. An attacker sets up a fake login page, captures your username, password, and TOTP code as you type them, and immediately replays them on the real site. The 30-second window is enough.
Passkeys don't have this problem. The cryptographic challenge is tied to the exact domain of the site. If you're on a fake domain — even one that looks identical — the device won't use the passkey. There's no code to intercept, and no way to replay the authentication.
| Security property | TOTP | Passkey |
|---|---|---|
| Phishing-resistant | No | Yes |
| Requires typing | Yes (6-digit code) | No |
| Can be intercepted in transit | Yes | No |
| Tied to specific domain | No | Yes |
| Stored on server | Hash of secret | Only public key |
NIST SP 800-63B (2024 revision) explicitly requires that MFA implementations offer at least one phishing-resistant option. Passkeys meet this requirement. SMS OTP does not.
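The challenge-response flow from "What is a passkey" and the domain binding described above, modelled as an added Go example (not Passwork's code or any WebAuthn library): the device holds a P-256 private key, the server stores only the public key, and the device refuses to sign for an origin whose host differs from the registered RP ID. It deliberately simplifies real WebAuthn: exact-host matching instead of registrable-suffix rules, no signature counter, no attestation, and the names `Authenticator`, `Register`, `Assert` and `Verify` are this example's own.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"net/url"
)
// Authenticator models the device: its private key is bound to one RP ID (the site's domain) and never exported.
type Authenticator struct{ rpID string; priv *ecdsa.PrivateKey }
// clientData mirrors the clientDataJSON the browser builds; the user never types it.
type clientData struct{ Type, Challenge, Origin string }
// Register creates the key pair on the device; only the public half goes to the server.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader failure not expected here
	return &Authenticator{rpID, priv}, &priv.PublicKey
}
// signedData is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON), with
// authenticatorData reduced here to rpIdHash || flags (user-present bit); counter omitted.
func signedData(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append(rpHash[:], 0x01), cdHash[:]...))
	return d[:]
}
// Assert signs the challenge only when the origin's host equals the registered RP ID,
// so a look-alike phishing domain never receives a signature it could relay.
func (a *Authenticator) Assert(origin, challenge string) (cdJSON, sig []byte, err error) {
	if u, e := url.Parse(origin); e != nil || u.Hostname() != a.rpID {
		return nil, nil, errors.New("origin does not match rpId: passkey not used")
	}
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, cdJSON))
	return cdJSON, sig, err
}
// Verify is the server side: type, challenge and origin are checked, then the signature
// is verified with the stored public key; the server never holds anything secret.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return errors.New("clientData mismatch: wrong type, challenge or origin")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rpID, cdJSON), sig) {
		return errors.New("invalid signature")
	}
	return nil
}
```

Because the server issues a fresh random challenge per login and the origin is inside the signed data, a captured assertion cannot be replayed for a later challenge, which is the property the table above summarises as "Can be intercepted in transit: No".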
Rolling out passkeys in your organization
Start with a pilot group
Pick a small team — ideally one that's comfortable with new tools — and have them switch first. Collect feedback before a wider rollout.
Decide on the model
Two options:
- Passwordless — passkey replaces the password entirely. Higher security, bigger change for users.
- Passkey as 2FA — passkey added on top of the password. Lower risk for rollout, easier to communicate.
For most organizations, starting with passkey as 2FA is the right first step.
Plan for lost devices
Define the process before someone loses their phone. Options:
- Backup passkey on a physical security key
- Recovery code stored in the company password manager
- Admin reset procedure
Document it and make sure users know it exists before the rollout, not after the first incident.
Use hardware keys for high-privilege accounts
For administrators and users with access to sensitive systems, a hardware security key (YubiKey or similar) provides an additional layer of assurance. Unlike device biometrics, a physical key can be physically secured and its use can be audited separately.
Always register at least two passkeys per account — one for the primary device, one backup. If you lose a device, you won't be locked out.
Communicate the change
Users who have never used biometric authentication for a work tool may not understand what's happening. A short internal guide — what changed, how to set it up, what to do if something goes wrong — prevents most support tickets.
Common questions
Can I use a passkey on multiple devices?
Yes. You register separate passkeys for each device — your laptop, phone, a hardware key. Each is independent. Removing one doesn't affect the others.
What happens if I lose my device?
If you have a backup passkey on another device or hardware key, you sign in with that. If you don't, an administrator can reset your authentication. This is why registering a backup is mandatory, not optional.
Is biometric data sent to the server?
No. Biometric data never leaves your device. The device uses biometrics to unlock the private key locally, then sends only the cryptographic signature to the server. Your fingerprint or face scan is never transmitted.
Can I still use a password after setting up a passkey?
By default, yes — unless an administrator has disabled password-based sign-in. Both methods can coexist during a transition period.
Passkeys in Passwork
If you use Passwork as your password manager, passkey support is built in. You can sign in to Passwork using Face ID, Touch ID, Windows Hello, or a physical security key — either as your primary sign-in method (replacing the master password entirely) or as a second factor on top of it.
Passwork also supports standard TOTP-based 2FA via the Passwork 2FA app.
All authentication methods are managed from a single page in your account settings. Full documentation: Sign-in methods.
The broader picture
Passkeys are becoming the default authentication method across the industry. Apple, Google, and Microsoft have all committed to the standard. GitHub, Shopify, PayPal, and others have already rolled it out. The infrastructure is there; adoption is accelerating.
For small companies, this matters because the attack surface shifts dramatically. Phishing campaigns that harvest credentials — the majority of attacks against small businesses — stop working when there are no passwords to harvest.
It takes a few minutes to set up. The security improvement is permanent.
What's next
Authentication is handled. Next: user directory and SSO — centralizing access so that adding and removing people from all your systems is one action, not twenty.