Seen “passkeys” pop up when signing into an app or website and wondered what they are - and whether you should be using them?
Passwords are still the most common way to sign in online, but they’re often reused, easy to guess, and can be stolen.
Weak or stolen passwords are a factor in most cyber attacks, making them a long-standing security risk.
Passkeys are being introduced as a simpler, more secure alternative - one that could replace passwords while making logins more convenient.
Here’s what they are, how they work, and when they make sense to use.
What Is a Passkey?
A passkey is a way to log in without typing a password.
Instead, it uses a pair of cryptographic keys to prove who you are.
When you register with a service, your device creates two keys:
Public key: Stored by the service you’re signing up to.
Private key: Stored securely on your device and never shared.
When you log in, the service sends a challenge to your device.
Your device signs it with your private key and sends it back.
If the signature verifies against the stored public key, you’re signed in - with nothing sensitive sent over the open internet.
Why Are Passkeys Gaining Ground?
The UK government plans to roll out passkeys across services - including NHS and HMRC - from late 2025, replacing SMS codes for verification.
This change addresses operational issues with SMS codes: they can be delayed by network issues, and are costly for organisations to send.
Passkeys remove these challenges while reducing login times from around a minute to just a few seconds.
They also block a major phishing pathway. Even if a user is tricked into visiting a fake site, the private key stays on the device and can’t be copied or reused elsewhere. By contrast, entering your phone number for verification means parting with a piece of personal data.
Most modern devices - from smartphones with fingerprint or facial recognition to laptops with PIN unlock - already support passkeys, so many people can start using them with no extra hardware.
What Are the Risks or Limitations?
Passkeys offer strong protection, but they’re not without challenges:
Coverage gaps - not all services support passkeys yet, though adoption is growing.
Device dependency - if you lose the device that holds your private key and don’t have a backup option, you could be locked out.
Recovery risks - unsecured fallback methods, such as email or SMS resets, can undermine the security gains.
User onboarding - organisations must make it simple for people to set up, back up, and move passkeys between devices without lowering security.
How Passkeys Compare to Other MFA Methods
Multi-factor authentication (MFA) methods like SMS codes, email links, or security questions add a second layer of protection beyond a password.
But every security method comes with weaknesses - SMS can be disrupted by network issues, email accounts can be compromised, and many security questions can be guessed or researched.
Passkeys remove the need for passwords entirely and are phishing-resistant because they won’t work if the website or app isn’t genuine.
They also make logging in faster - there’s no code to type or remember.
That doesn’t mean older methods are irrelevant.
Where not all users have compatible devices, or during phased rollouts, established MFA options still play a role.
The ICO advises that any authentication method must be “appropriate” to the level of risk for the data or service.
How Passkeys Work (Simplified)
You set up a passkey - your device generates a public key and a private key (use of the private key is often unlocked with a biometric - e.g., a fingerprint).
The public key is stored by the service.
When you log in, the service sends a one-time challenge to your device.
Your device signs the challenge with your private key.
The service checks the signature against your public key.
If they match, you’re in - with no passwords or secrets sent over the network.
So, Is It Safe?
Yes - when implemented correctly, passkeys are one of the most secure and user-friendly authentication options available.
They protect against phishing, credential theft, and password reuse.
"Passkeys represent a big leap forward in how we prove who we are online.
They reduce friction for users while closing off some of the most common attack paths that criminals exploit."
But like any security measure, they’re only as strong as the recovery and backup options around them.
A good rollout includes clear guidance, multiple secure recovery paths, and alternative methods for those unable to use passkeys.
For most people and organisations, passkeys offer a safer, faster, and easier way to log in - and they’re likely to become a standard option in the years ahead.
FAQs
Do I Need Extra Hardware to Use Passkeys?
No - most smartphones and laptops already have the capability, using built-in authentication like fingerprint readers, facial recognition, or secure PINs.
What If I Lose My Device?
Set up backup methods such as a secondary device or secure cloud sync before relying on passkeys - otherwise you risk losing access.
Are Passkeys GDPR-Compliant?
Yes - they meet the UK GDPR’s requirement for “appropriate technical measures” and can reduce the likelihood of a data breach.
Can Businesses Integrate Passkeys Alongside Existing Methods?
Yes - many organisations run passkeys alongside existing MFA methods to ensure everyone can log in during a transition period.
Are Passkeys Stealing Biometric Data?
No - biometrics like fingerprints or face scans never leave your device. They’re used locally to unlock your private key, which is what signs you in.
Sam Kendall is a digital strategy specialist with nearly a decade of experience exploring the intersection of technology, culture, and transformation. At Beyond Encryption, he drives strategic marketing initiatives that enhance secure digital communications and foster digital identity innovation. Known for insightful research into digital culture and user behaviour, Sam combines expertise in SEO, CRO, and demand generation with a deep understanding of the evolving digital landscape. His work empowers organisations to navigate complex challenges in digital transformation with clarity and confidence.