With a variety of threats to online accounts, ensuring security is of the utmost importance. Passkeys have emerged as a strong, secure method for logins and can help to improve account protection. Passkeys can also be a simple and easy tool for logging in, helping to make accessing accounts a more seamless process.
This article explores what passkeys are, what they're used for, and how they work.
Passkeys are a secure login standard created by the FIDO Alliance and the World Wide Web Consortium. A passkey lets the user securely log in to apps or websites across their devices without entering a password. A passkey works as a digital credential for the user, aiming to simplify and secure the login process. The user proves their identity by unlocking their device and using a secure digital key that only works for them.
A passkey consists of a public key and a private key that form a cryptographic key pair. Passkeys can be set up on a website or app with a device operating system that supports this login method. Each passkey is uniquely associated with the account for the app or website being used. Passkeys verify identity using the same method a user unlocks their device. This can include facial recognition, fingerprint, device passcode, or PIN.
Passkeys are stored by each device’s operating system cloud and can be synced across a user's other devices. So if someone sets up a passkey on their phone, they can usually use it to log in to their laptop if it is a part of the same operating system or brand ecosystem. If the person gets a new device, their passkey should automatically sync to the new technology. This way, they don't have to set up their login information again.
If a device is lost or stolen, the passkey can typically be recovered by logging into the cloud or using a one-time passcode. Some services also allow people to remove a passkey from their account to prevent anyone else from using it. The process may differ depending on the device, operating system, or user settings.
Passkeys use advanced authentication and cryptography to protect people's information. When someone creates a passkey, an encrypted private key is generated and stored on the person's device, while a public key is generated for the website or app being used. This public key is essentially the equivalent of a username, worthless to anyone without the private key. When logging in, these two keys work together to authenticate the login attempt — but the private key itself is never revealed to anyone, even the website or app being used.
This authentication means protection is strong. These keys are linked only with the specific website or app, meaning it becomes significantly more difficult for a fraudulent website to trick someone into revealing their passkey by using a fake duplicated login screen or site. Additionally, the private key is encrypted and stored on the user’s operating system. Since passkeys are not stored in remote servers or databases, they are likely to be resistant to phishing attacks and cybersecurity breaches.
Passkeys and passwords are different. Passwords are usually a string of characters that are tied to a username and entered at sign-in, authenticating the login by matching the password to the account. Passkeys utilize cryptography for authentication. Passkeys are secure digital keys that use a person’s device unlock mechanism to authenticate, so someone can use a passkey to log in with a face scan, thumbprint, or code.
Passkeys are privately stored and synced on a user’s device operating system to protect them from loss. If someone gets a new device, a passkey can quickly be restored. Passkeys are also considered more secure than passwords.1 They can be resistant to cybersecurity threats like phishing and data breaches. That's because passkey data is encrypted and stored directly on each person's device — not on remote servers, which can be vulnerable to hacking.
Ready to create a passkey? The process will vary depending on device, site, and operating system, but it may look something like this:
People using Apple or Android devices can use passkeys to log in to their account with PayPal through their Account Settings in the app or on PayPal.com using Safari or Chrome browsers.
Learn about security and protection with PayPal.