Are Passkeys Really Safer Than Passwords? Experts Weigh In

Experts say we should use passkeys, but can a smartphone PIN really be safer than a password? The long-running series in which readers answer other readers' questions explores a topical issue of personal cybersecurity.

Readers Reply: Are Passkeys the Future?

I've been struggling to get my head around the idea that a passkey, which can be a PIN on your phone, or facial recognition, can be safer than using a complicated password and two-factor authentication.

I get that having something unique to your device, not stored on a company's server, is unphishable and less hackable by cybercriminals. But what if your phone is nicked and someone guesses the password? And what if you lose your phone?


Sorry if that sounds simplistic, but I am genuinely stumped to understand why the UK's National Cyber Security Centre and others who know about these things are so sold on passkeys. Can anyone who's used them enlighten me?

Understanding Passkeys

Passkeys are a modern authentication method that relies on cryptographic keys stored on your device. Unlike passwords, the private key is never shared with servers, making passkeys immune to phishing attacks. When you log in, you unlock the key with biometrics or a PIN, and your device then proves possession of the private key.

Security Concerns Addressed

Phone Theft: If your phone is stolen, the thief would need to bypass your device's lock screen. Modern smartphones have strong protections, and biometrics like Face ID or fingerprint scanners make guessing difficult. Additionally, passkeys can be revoked remotely via cloud services.

Lost Phone: You can recover access using another trusted device or backup methods provided by your platform (e.g., iCloud Keychain or Google Password Manager).

Why Experts Recommend Passkeys

  • Phishing Resistance: Passkeys cannot be tricked by fake websites.
  • No Password Reuse: Each service gets a unique key.
  • Simpler User Experience: No need to remember complex passwords.
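
To make the first two points concrete, here is an added example (not from the original article) that models a passkey login in Node.js: the device signs the service's challenge together with the origin the browser reports, and the service checks both. It is a simplified model rather than the real WebAuthn message format; the `Authenticator` and `Service` classes and the `.example` origins are constructed for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not the real WebAuthn wire format.
const nodeCrypto = require('crypto');
// The device keeps one private key per site origin; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key goes to the service
  }
  // `origin` is what the browser reports for the page being visited, not what the page claims.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this origin, so nothing to offer
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: nodeCrypto.sign(null, clientData, key) };
  }
}

// The service stores only the public key and issues a fresh random challenge per login.
class Service {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  newChallenge() { this.pending = nodeCrypto.randomBytes(32).toString('hex'); return this.pending; }
  verify(assertion) {
    const expected = this.pending;
    this.pending = null; // each challenge is single use
    if (!assertion || !expected) return false;
    if (!nodeCrypto.verify(null, assertion.clientData, this.publicKey, assertion.signature)) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData.toString());
    return origin === this.origin && challenge === expected;
  }
}

function demo() {
  const phone = new Authenticator();
  const bank = new Service('https://bank.example'); // constructed sample origins
  const lookalike = 'https://bank-login.example';
  bank.publicKey = phone.register(bank.origin);
  const genuine = bank.verify(phone.sign(bank.origin, bank.newChallenge()));
  // A look-alike page relays the bank's challenge: the device holds no key for that origin.
  const offered = phone.sign(lookalike, bank.newChallenge());
  // Even with a passkey registered at the look-alike, its key and origin do not match the bank's.
  const otherKey = phone.register(lookalike);
  const relayed = bank.verify(phone.sign(lookalike, bank.newChallenge()));
  const der = (k) => k.export({ type: 'spki', format: 'der' });
  const uniqueKeys = !der(otherKey).equals(der(bank.publicKey));
  return { genuine, offered, relayed, uniqueKeys };
}
console.log(demo());
```

The genuine login verifies, the look-alike origin gets either no assertion or one the bank rejects, and the two sites end up with different public keys, so a breach at one reveals nothing usable at the other.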

While no system is perfect, passkeys significantly reduce common attack vectors. As adoption grows, they are becoming a cornerstone of modern cybersecurity.
