Wednesday, November 20, 2024

Stop Using Your Passwords—1Password And Google Warn

1Password has built a reputation on protecting and managing your passwords securely and Google has a security team that is renowned globally for the work it does to protect billions of users every day. Both have warned that passwords are less secure than an already available and easier to use alternative. Now 1Password has exclusively revealed to me how its users are flocking to passkeys as they seek to abandon passwords for a more hacker-resistant and passwordless future. Here’s what you need to know and why making the move is less painful than you might imagine.

Passkey Adoption Surges As Users Grasp The Passwords Replacement Nettle

According to statistics made available exclusively to me ahead of publication by 1Password’s head of passwordless technology, Anna Pobletts, passkey adoption has surged during the last 12 months among 1Password users. On average, 1 in every 3.4 1Password users has at least one passkey stored, and there are more than 2.1 million passkey authentications made every month. Since 1Password first launched passkeys in the market in Sept. 2023, there have been 4.2 million passkeys saved in 1Password. The most significant week for passkey adoption was the week of April 15, 2024, when almost 90,000 passkeys were saved. This date correlates closely with an announcement by X that it was adding support for passkeys to iOS users globally on April 8. It would seem that consumers of 1Password are more likely to adopt passkeys currently, with 73% falling into this category and just 27% being business account holders.

The most interesting, and in my never humble opinion, important statistic is regarding the number of organizations that have added passkeys as a login option for users. “The number of companies in 1Password’s passkey directory has doubled from last year,” Pobletts told me, “we have seen more than 200 companies add passkeys as a seamless log-in option, including big names like Walmart, Amazon, Target, PlayStation, Discord, Canva and more.” Amazon has recently reported that it now has more than 175 million customers using passkeys, for example.

This data, alongside the fact that 1Password is seeing an average of 2.1 million passkey authentications a month, Pobletts said, “shows that apps aren’t just adding passkey support as an option, but people are choosing to use them over passwords. The more major service providers that go all-in on passkeys, the quicker we will see this switch.”

Passkey Technology Is More Secure And Easier To Use Than Passwords

Launched initially as an initiative by Apple, Google and Microsoft, passkeys are consumerizing security standards such as FIDO and WebAuthn. You can try a simple passkey demo at Passkeys.io and see just how painless they are to use and create. Google’s security team has gone on record to say that “passkeys are faster, more secure, and more convenient than passwords and multi-factor authentication, making them a desirable alternative to passwords and a promising development in the journey to a more secure future.”

Explaining how passkeys work, and how they are a more secure replacement for passwords, 1Password’s chief product officer, Steve Won, said: “Every passkey is made up of two keys—a unique public key, which is created and stored on that company’s server, and a private key, which is stored on the user’s device.” The public key is used to create a challenge that can only be solved by the private key. “Because of this,” Won said, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.”

So Why Aren’t Passwords Dead Already?

I asked Anna Pobletts: if passkeys are such a significant security advance (which I honestly believe they are, and I recommend that every reader investigate further), what’s stopping people from adopting them? I mean, the 1Password passkey uptake statistics are encouraging but hardly earth-shattering in scale.

“Since we’ve used passwords for decades, they’re just too ingrained in our culture to go away overnight,” Pobletts said, “a broader public understanding and comfortability with passkeys will be critical for mass passkey adoption.” I’d have to agree that it is mostly unfamiliarity that may be what’s holding most users back. Passwords are pretty rubbish at doing their job; we all know that, but at least we are comfortable using them. “For more organizations to receive buy-in to proceed with passkeys, or for individual users to feel confident in using them,” Pobletts said, “a focus on proactively educating the public about passkeys is key and can help reduce the amount of change management required for adoption.” This is, to be honest, one of the reasons for this article, so please share a link to it on your social media and with your friends so that more people can get the no-more passwords message!

Passkeys Are More Secure Than Passwords

Let’s look at some of the reasons why passkeys are way more secure than passwords, if that might help convince you to switch up your login security. Here are three compelling reasons according to Pobletts:

Passkeys are:

  1. Strong by default: Unlike weak and reused passwords, passkeys cannot be guessed by hackers because of their innate complexity.
  2. Phishing and social-engineering resistant: Hackers can’t steal and use credentials if there are no credentials to steal in the first place. Since private keys don’t leave your device, passkeys completely eliminate these types of common attacks for users.
  3. Effortless to create and use: Passkeys are automatically generated, leaving no room for human error and nothing to remember. They also provide a very familiar experience as users can authorize use of their passkeys to unlock any service with biometrics.
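
The sign-in flow Steve Won describes earlier, and the phishing resistance in point 2, can be sketched as a simplified challenge-response. This is an added example, not code from 1Password, Google or this article; it signs a small JSON blob rather than real WebAuthn structures, and the site names example.com and example.net are constructed.

```javascript
// Simplified passkey (WebAuthn-style) sign-in. Added illustration only:
// real WebAuthn signs authenticator data plus a hash of the client data.
const crypto = require('node:crypto');

// Registration: the device creates a key pair for one site (rpId).
// Only the public key goes to the server; the private key stays on the device.
function registerPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { rpId, privateKey },
    server: { rpId, publicKey: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Server: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Device: sign the challenge together with the origin the browser actually sees.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check type, challenge freshness and origin, then the signature.
function verifyAssertion(server, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.type !== 'webauthn.get') return 'wrong-type';
  if (data.challenge !== expectedChallenge) return 'stale-or-wrong-challenge';
  if (data.origin !== `https://${server.rpId}`) return 'wrong-origin';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                           server.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario: a normal sign-in, a lookalike site, and a replayed response.
function demo() {
  const { device, server } = registerPasskey('example.com');
  const c1 = newChallenge();
  const good = verifyAssertion(server, c1, signAssertion(device, c1, 'https://example.com'));
  const c2 = newChallenge();
  const phished = verifyAssertion(server, c2, signAssertion(device, c2, 'https://example.net'));
  const replayed = verifyAssertion(server, newChallenge(), signAssertion(device, c1, 'https://example.com'));
  return { good, phished, replayed };
}
```

A response produced on the lookalike origin or captured from an earlier sign-in is rejected, and nothing the server stores (the public key) can be used to sign in elsewhere.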

If Passkeys Are Linked To Your Smartphone, What Happens If It’s Stolen?

Whenever I write anything about passkeys being a more secure alternative to passwords, I get emails and messages asking how that can be if all your security eggs are in one smartphone basket. After all, if your smartphone is lost or stolen, how do you access your accounts and can’t the thief or a hacker use this to their advantage? Pobletts insisted that in cases of either loss or compromise, passkeys are keeping people safer than passwords. “When a passkey is created on their device, it gets synced across all their devices in the ecosystem,” Pobletts said, “the passkey is not tied to their lost device, but to their overall account and they can recover their passkeys on another device by signing into their passkey provider, whether that be Apple’s iCloud Keychain or 1Password.”

When you don’t have access to another device, websites that support passkeys also hold responsibility to provide account recovery or backup options for users, such as SMS, email magic links or backup codes to re-authenticate, to prevent this situation from happening, Pobletts told me. “The same is true for compromised devices,” Pobletts said, “the website and the passkey provider have joint responsibility to allow you to manage your passkeys and devices – including de-authorizing devices or passkeys you don’t control any more.”

Passwords Are Dead, Long Live The Passkey

1Password, along with many other technology companies, has been working alongside the FIDO Alliance in order to publish a working draft of a new set of specifications that, once implemented by major passkey providers, will allow for the import and export of passkeys in a way that’s convenient and secure. “In 2025, we’ll see more companies meeting users where they are. There will be critical improvements like the ability to automatically create passkeys for users, use passkeys across multiple domains for the same brand, and more that will make it easier for websites to provide a best in class user experience with passkeys,” Pobletts concluded. I genuinely hope that 2025 is the year we can say, without irony, that passwords are dead, long live the passkey.
