I Think I Like Passkeys Now

Jonathan Cremin

Jonathan Cremin

2 min read
The Passkeys logo with a heart superimposed on the human figure

I've used password managers for over 15 years now, almost all of that with 1Password. For the longest time, I believed that was going to be the ultimate solution to my personal credential security.

Passkeys are designed to replace passwords. They are cryptographic key pairs with a website keeping one, and your device (or password manager) keeping the other. Kind of like SSH keys for your browser. Just like SSH keys, you can have multiple passkeys per website if needed. Like one for your phone, another for your desktop, etc. This also gives you redundancy in case you lose one of your devices.

When they first arrived on the scene, I was sceptical and dismissive. I fully expected all the major vendors to use it as an opportunity to lock people in. And for a while it looked to me like that was going to happen. But somehow, passkeys are becoming portable enough that it's much less of a concern now. Apple are adding support for Passkey exports/imports in iOS 26, Google are working on it, and so are 1Password. Who knows what Microsoft are doing, but they don't have a mobile OS and you can just use a passkey-compatible password manager or Chrome on Windows. There was also always the option of storing your Passkeys on a physical FIDO2 device like a Yubikey, but that's never going mainstream.

I haven't followed it closely enough to know who on the FIDO Alliance SIG for Passkeys is responsible for keeping the enshittification at bay, but thank you, I'm sure it wasn't easy.

Seeing Troy Hunt, creator of haveIbeenpwned.com, get pwned by a phishing attack back in March, and talk at length about how Passkeys would have prevented it really caught my attention. With portable Passkeys on the horizon and the clear security benefits, I've completely changed my position on them. I now use them whenever they're available, and recommend them to my family and friends when the topic comes up. Believe it or not, they're becoming common enough that I've started getting asked about them.

I'm so convinced, in fact, I've recently rolled out a Passkey-only authentication solution for my homelab. The passkey limitation makes Pocket ID an incredibly simple to manage (likely the simplest) OIDC provider. It's a wonderful example of how you can counter-intuitively make software better by restricting its capabilities.

Are you using Passkeys yet? If not, what's holding you back?