Passkeys and Passwordless Login: What You Need to Know
"Passkeys" are rapidly gaining adoption as a new authentication method to replace passwords. Major platforms including Google, Apple, and Microsoft have announced support, making a passwordless future increasingly realistic. According to the FIDO Alliance's 2024 report, the number of passkey-compatible services increased approximately 2.5 times year-over-year, and consumer awareness exceeded 50%. Google announced in October 2024 that passkey logins surpassed password logins. In 2025, major services including Amazon, PayPal, and GitHub have expanded passkey support, further accelerating the transition. However, not all services will migrate to passkeys overnight. This article comprehensively explains the technical mechanisms of passkeys, their adoption status, and how to maintain security with Passtsuku.com during the transition period.
How FIDO2 and WebAuthn Work
The foundational technologies for passkeys are FIDO2 (Fast IDentity Online 2) and WebAuthn (Web Authentication). FIDO2 is an authentication standard developed by the FIDO Alliance, and WebAuthn is its web browser API specification standardized by the W3C.
In traditional password authentication, the string entered by the user is sent to the server and compared against the stored hash value on the server side. With this method, there is a risk of password information being leaked if the server is compromised.
Principles of Public Key Cryptography Authentication
What fundamentally differentiates FIDO2/WebAuthn from traditional password authentication is its adoption of public key cryptography. Public key cryptography uses a pair of two mathematically related keys (a private key and a public key). Data signed with the private key can only be verified with the corresponding public key, and it is computationally infeasible to derive the private key from the public key. This property rests on the mathematical hardness assumptions behind algorithms such as elliptic curve signatures (ECDSA) and RSA.
The specific authentication flow works as follows. During registration, a private key and public key pair is generated on the user's device, and only the public key is sent to the server. During login, the server sends a random challenge (verification data), and the device side applies a digital signature to the challenge with the private key and returns it. Since the server only verifies the signature with the public key, the private key never travels over the network. Only the public key is stored on the server, so even if the server is compromised, all the attacker obtains is the public key, and they cannot break through authentication. This contrasts with the risk of recovering the original password through offline attacks when password hash values are leaked.
Phishing Resistance Through Origin Verification
The reason FIDO2/WebAuthn has strong resistance against phishing attacks lies in its origin verification mechanism. During passkey registration, the browser saves the site's origin (protocol + domain + port) bound to the private key. During login, the browser automatically compares the origin of the currently accessed site with the origin bound to the private key, and if they don't match, the authentication process itself is not executed. This verification is performed internally by the browser, so users don't need to visually check URLs, and the decisive advantage is that it doesn't depend on human judgment errors. Even sophisticated fake domains like "examp1e.com" (replacing l with 1) are reliably blocked at the browser level. For the full picture of phishing countermeasures, please also see how to identify and prevent phishing scams.
What Are Passkeys
Passkeys are an authentication method based on FIDO2/WebAuthn technology that significantly improves the user experience. While traditional FIDO2 security keys required physical hardware tokens, passkeys can complete authentication using biometric authentication (fingerprint, facial recognition) or screen lock (PIN) built into smartphones and PCs.
Synced Passkeys and Device-Bound Passkeys
There are two types of passkeys. Synced Passkeys are synchronized across multiple devices through Apple's iCloud Keychain or Google Password Manager. Since passkeys created on an iPhone can also be used on a Mac, authentication information can be carried over when devices are lost or replaced.
Device-bound passkeys are tied to specific hardware and cannot be exported externally. Security keys such as YubiKey fall into this category. While security is higher than synced passkeys, recovery means are needed when devices are lost. If you are considering the introduction of device-bound passkeys, FIDO2-compatible security keys (Amazon) can also be helpful.
An important point to note is that synced passkeys synchronize private keys via the cloud, so if the cloud account itself is compromised, all passkeys are at risk of being leaked. Apple and Google mitigate this risk with end-to-end encryption, but the prerequisite that cloud account protection (strong password + two-factor authentication) is required is often overlooked.
Passkeys vs Password + 2FA vs Security Keys
To correctly understand the authentication method options, we compare the three main methods. It's important to understand the characteristics of each and use them according to the importance of the service.
- Passkeys (synced): High phishing resistance with easy login via biometrics. Cloud sync makes cross-device migration easy. However, depends on cloud account security. Compatible services are still limited
- Password + 2FA (TOTP): The most widely supported method. A certain level of security can be ensured with the combination of password strength and TOTP app, but there is a risk of entering both password and TOTP code on phishing sites. Within the TOTP code validity period (usually 30 seconds), real-time relay attacks (real-time phishing) by attackers are possible
- Security keys (device-bound passkeys): Highest phishing resistance with private keys never leaving the device. Ideal for enterprise privileged accounts and financial services, but requires physical device purchase costs (approximately $35-70 per key) and securing recovery means in case of loss
As a practical recommendation, the most balanced strategy currently is a "hybrid operation" where passkeys are set as the top priority for compatible services, and password + 2FA is maintained for incompatible services. For particularly important services such as financial institutions and administrator accounts, consider adding a security key. For details on the convenience and risks of biometric authentication, see risks and safe use of biometric authentication.
Services That Support Passkeys
Since 2024, passkey-compatible services have been expanding rapidly. According to FIDO Alliance research, websites and apps supporting passkeys covered over 15 billion accounts worldwide as of the end of 2024. The support status of major services is as follows.
- Google: Passkey support across all services including Gmail and Google Workspace
- Apple: Passkeys available for Apple ID sign-in
- Microsoft: Integration with Microsoft accounts and Windows Hello
- Yahoo! JAPAN: Early adoption of passkeys as a domestic service
- GitHub: Passkey authentication provided for developers
- Amazon: Passkey support for shopping accounts
- PayPal: Passkey support as a payment service
However, compatible services are only a small fraction of the total. Many web services, especially small and medium-sized domestic services, still primarily use password authentication. Even services that have announced passkey support may have incomplete implementations. For example, there are many services where passkey login is possible but the account recovery flow depends on passwords, or that only work on specific browsers.
Common Misconception: "Passkeys Make Passwords Unnecessary"
The most common misconception about passkeys is that "it's safe to delete your password once you set up a passkey." In reality, the majority of services retain password-based fallback authentication even after passkey setup. This means attackers can bypass passkeys and attempt to log in with passwords. Setting up a passkey is not a reason to lower password strength. Rather, after setting up passkeys, it's important to update fallback passwords to random strings of 20 characters or more on Passtsuku.com to block the path for attackers to intrude via passwords.
Another misconception is that "passkeys send biometric information to the server." In reality, biometric authentication is processed locally within the device's secure hardware (Secure Enclave or TPM), and biometric information itself is never transmitted over the network. Biometric authentication is merely "local authentication to permit access to the private key on the device," and authentication with the server is performed through a digital signature that the server verifies with the public key registered earlier.
The Coexistence Period with Passwords
It is expected to take considerable time before passkeys completely replace passwords. There are several reasons for this.
- There are technical and cost hurdles for all services to support passkeys
- Older devices and browsers may not be able to use passkeys
- Even passkey-compatible services often retain password authentication as a fallback
- Migration of corporate internal systems and business applications takes time
During this coexistence period, you need to prioritize setting passkeys for compatible services while continuing to defend with strong passwords for incompatible services. Half-hearted measures are the most dangerous. Even for services where passkeys are set, if password-based fallback authentication is active, the strength of that password itself must be maintained. To deeply understand how passkeys work, public key cryptography and authentication protocol books (Amazon) can also be helpful.
Passkey Migration Checklist
This is a practical checklist for gradually progressing your migration to passkeys. We recommend addressing services in order of priority.
- Set up passkeys for email accounts (Google, Microsoft, Yahoo! JAPAN). Protect email first as it's the starting point for password resets
- Set up passkeys or security keys for financial services (banking, securities, payments)
- Set up passkeys for social media accounts (GitHub, X, Facebook)
- Update fallback passwords for passkey-configured services to 20 characters or more on Passtsuku.com
- Update passwords for passkey-incompatible services to random strings of 16 characters or more on Passtsuku.com
- Use two-factor authentication alongside all services
- Consolidate all authentication information in a password manager and set the master password to the strongest level
- Check passkey support status every 3 months and set up for newly compatible services
Maintaining Strong Passwords with Passtsuku.com
Although a passwordless future is approaching, passwords remain the main pillar of authentication at this point. Sufficient strength is required not only for passkey-incompatible services but also for fallback passwords of passkey-compatible services.
By utilizing Passtsuku.com, you can streamline password management during the transition period. By batch-generating different random passwords for each service and saving them in a password manager, you can ensure security until the migration to passkeys is complete.
The spread of passkeys is a welcome advancement, but the road to complete migration is long, and strong passwords still support security in the meantime. Let's robustly protect all accounts while confirming 80 bits or more of entropy on Passtsuku.com's strength meter.
What You Can Do Right Now
- Register a passkey from your Google account's "Security" settings (completed with smartphone biometric authentication)
- Sequentially set up passkeys for major passkey-compatible services such as Apple ID and Microsoft accounts
- Update fallback passwords for passkey-configured services to 20 characters or more on Passtsuku.com
- Update passwords for passkey-incompatible services to random strings of 16 characters or more on Passtsuku.com and use two-factor authentication alongside
- Recheck passkey support status in 3 months and set up for any newly compatible services
Frequently Asked Questions
- What is the difference between passkeys and passwords?
- Passwords are strings you memorize, while passkeys are credentials based on public-key cryptography with the private key stored securely on your device. They eliminate the risk of phishing and credential leaks.
- What should I do for services that don't support passkeys?
- For services without passkey support, use a long random password from a password manager combined with two-factor authentication. This combination is the most practical approach during the transition period.
- What happens if I lose the device with my passkey?
- If you use Apple or Google cloud sync, your passkeys are restored by signing into a new device. As a precaution, always set up account recovery options (recovery codes or alternative authentication) on each service.