Some key facts about passkeys and how they work

The passkey was introduced with some excitement by Apple and varying degrees of hurrahs from Microsoft and Google a few years ago.[1] This humble method of combining strong encryption, avoiding password entry, and adding the best aspects of second-factor authentication seemed like a winner. The excitement died down, even as operating systems, browsers, and websites provided increasingly robust support.
Why haven’t passkeys seemed to match their hype? Or do they “just work” and are being ignored despite their value?
I recently found one of the best arguments for using them, which I’ll share below. I’ve also seen quietly increasing adoption, even by the least-technology-focused sites, like those of home-improvement retailers and shipping suppliers.
What’s wrong with a password, anyway?
I think you know the answer to this, but I’ll spell it out a little. Being text, a password can be copied or stolen, even if it’s generally obscured. Someone might be able to extract your password in a bunch of ways:
- Phishing: Don’t be too smug about not falling for fake SMS or email attempts to make you log in. I’ve received phishing messages alleged to be from American Express, DHL, the local Washington State highway tolling authority, and SendGrid (an email-sending service provider) in the last few years, and almost been taken in! The reason? They didn’t ask me for money, but told me I needed to log in to check the status or update something.
- Social engineering: Again, we all believe no one will talk us out of our password, but the right person at the right time, particularly when we’re vulnerable or panicked, can often pry information out of the most tightly shut clams among us.
- Shared passwords and weak sites: One of the most common ways our passwords get stolen is that we reuse them. Maybe you generate a unique one now, but you (and I) surely have some sites where we never updated our passwords, and it might be the same password across 10 or 100 old sites. Poorly stored passwords that are exfiltrated from a site and then cracked (or, horribly, stored in plain text) can then be tried against our other sites.[2]
- Shoulder surfing: Most passwords are too complicated to watch someone type them in, and most of us use password managers, so we’re using our finger or face to validate automatically filling in a password or login. But it still happens. Someone with an iPhone can film you in 4K from across a room and see each letter as it briefly appears.
The strongest password from a complexity angle still has the weakest links: it can be used anywhere, by anyone, and has to remain accessible to you in plain text. When it’s pasted or filled into a Web page, it may be transmitted through secure https transport, but it’s still in the clear briefly at your end and the other.[3]
What if there were a way to eliminate these flaws and simplify the process? That’s the goal of the passkey.
Double, secret validation
A passkey isn’t just an extra-secure password. Rather, it relies on public-key cryptography (PKC), in which your device generates a mathematically linked pair of keys: one public and one private. The public key can be freely shared without risk through a variety of methods.[4] The private key must be kept secret. It never leaves your device and is never typed in or shared.[5]
Because there’s no shared, identical (or “symmetric”) secret held by both parties and sent in the clear (whether over an encrypted channel like https or otherwise), there’s nothing useful that can be intercepted or stolen.
One of the useful aspects of PKC for proving your identity to a site is that the site needs only your public key to validate who you are. The private key, which only you hold, can sign a message so that anyone holding the public key can verify it could only have come from someone with that private key. Similarly, someone with the public key can encrypt a message that only you, with the private key, can decrypt.
PKC allows passkeys to provide two-way validation along with the primary purpose of a secure login. When you enroll to use a passkey at a site, you use your existing credentials to log in, often including a second-factor code or process. Your device generates a fresh private-public key pair for this login and sends the public key to the site.
The next time you log in, you opt to use a passkey, and the site sends a challenge through the browser that the browser or operating system manages. Using a fingerprint, your face, or a password, you confirm you want to use your locally stored passkey. Your system creates a message signed by the private key, which is sent to the site, which uses the public key to validate it. Easy as pie!

If someone else tries to log into your account with a passkey, they lack the private key and can’t. Likewise, if you’re being phished, your browser won’t offer to log in to that site with a passkey, because the details don’t match. This is true with password managers, too, of course, which match accounts to sites. However, even if someone suborned a domain and a password manager “thought” it was the correct site, there’s no way for the phisher to produce a valid request that your passkey system would respond to. Even then, the login response isn’t portable—it couldn’t be reused (or “replayed”) at the legitimate Web site.
PKC also prevents man-in-the-middle attacks, where a third party captures information from one side and silently hands it over to the other, and back to the first as a way to grab data or credentials. Without the private key, there’s no way for a third party to impersonate the logging-in user.
Notice that this process effectively removes the necessity for a second factor because the second factor becomes an integral part of the enrollment process: you have a unique set of information shared between the site and your device (or account ecosystem, like iCloud) that can’t be intercepted. A passkey makes logging in as easy as automatically filling in a password while offering the security advantages of two-factor authentication.
I’m not aware of a widely available website that allows you to disable password-based logins or two-factor authentication exclusively in favor of a passkey. Most sites that have adopted them changed their login process a couple of years ago in a way you may have noticed, because it added some friction: instead of a single dialog for your email address or account name and then password, you were first asked for your user name alone. In a second step, you can enter a password or click or tap a button to use a passkey.
Some sites have pushed a “passkey login” button to their main login page in recent months. The credit-card processor Stripe makes it one of several options, which makes sense given the security needed for its account. However, the company does let you disable SMS-based second-factor codes once you have a passkey or other non-phone authentication method set, which is a significant move.[6]
Web sites possibly love passkeys more than users do, because they reduce friction: it’s less effort to log in, the password doesn’t have to be found or entered, and it likely saves money on customer support for people who lose their password and can’t reset it.

Enrolling in passkeys and managing them
Most sites have made it a trivial process to add a passkey to your account. The steps usually work like this:
- Log in to a site through your normal method.
- Go to your account preferences for password or security.
- Look for a section that says “add passkey” or “add authenticator.”
- Follow the steps provided, which typically involve just using Touch ID, Face ID, or entering a passcode/password at the right moment.
- The passkey is stored in Passwords.

When you’re using a single ecosystem, like Apple’s with Safari, you visit a Web site, click or tap use passkey, and use Touch ID or Face ID to complete the login, with a fallback to entering your passcode or macOS account password.

When you’re using a browser or operating system that doesn’t connect to Passwords, or when you’re using someone else’s Apple device, there is a nifty built-in login workflow:
- You’re presented with an option to use a mobile device. Choose that option.
- A QR code appears. Scan that code with your iPhone or iPad.
- Tap the link that appears reading “Sign in with a passkey.”
- Use Touch ID, Face ID, or a passcode to proceed.
- The browser acknowledges the response, and the site proceeds to log you in.
While this seems a little sus, as the kids say,[7] the whole process is well defined in the industry-standard passkey protocol, and is as fully secure as if you were using a passkey through authentication directly on the device.[8]
Passkeys were a little mistreated in Passwords until the fall 2024 upgrade to Apple’s operating systems. Now the Passwords app has its own category. An entry for a passkey also includes the user name, password, and other information associated with a site, such as the included domains.
Passkeys’ biggest flaw right now is that they aren’t exchangeable across password-management systems. I recommend Apple-centric people use the Passwords app to leverage the Safari and iCloud Keychain infrastructure and end-to-end encryption at the moment. If you regularly use Android or Windows, 1Password can manage passkeys across all its supported platforms, so it’s a better choice for now.
The whole industry touts the portability of passkeys without yet offering such a thing. But it’s inevitable, as there’s no lock-in benefit. Finding a secure way to sync or transfer passkeys without introducing security holes that bypass their value is the key (sorry) issue remaining.
One weird trick to share passkeys in Passwords
You can use Passwords as one nifty workaround I hinted at in the intro. My wife and I share a login at our auto insurance’s site, but it requires a second-factor SMS code, and it will only allow one phone number. So I have to bother her every time I’m paying a bill on the site for the code sent to her phone. The company recently upgraded to passkey support, which I enrolled in. Using Passwords, I moved the passkey to my spouse and my shared group. Now, either of us can use the same passkey across all our collective devices.
[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]
1. The passkey relies on protocol work at the FIDO Alliance, an industry trade group that developed the underlying bits needed for hardware security keys, and is dedicated to simplified or password-free secure logins.
2. If you ever get messages that say “someone tried to log in at such-and-such site” or “someone is trying to log in,” that can often be because your user name or email address and an old password are in a cracked database, and attackers are using it at common sites, including financial ones.
3. Some Web sites, particularly ones related to money, require that you use a second factor at all times or whenever you log in from a Web browser or location that’s a first for you for that account. That can help somewhat.
4. For personal use of PKC—say, to encrypt email—you can publish your public key on your Web site, post it in a social media profile, use something like Keybase.io (which layers additional verification), or even text it via end-to-end secure messaging, leaning on Apple, Google, or WhatsApp’s underlying cryptographic infrastructure.
5. Apple’s Secure Enclave holds a lot of private keys generated on your devices for Apple services, adding an extra level of protection, as nothing entering the Secure Enclave can be extracted later. However, passkeys were designed to be portable, so their private key portion is protected in the general filesystem, not in the Secure Enclave.
6. It’s unfortunately relatively easy for people with motivation and means to intercept SMSes, as phone numbers are tied to carriers, not precisely to phones. Passkeys are another part of the effort to get away from SMS-based second factors.
7. suspect
8. Behind the scenes, the browser creates a secure session with the mobile device over which they can exchange information that can’t be snooped by sniffing a Wi-Fi or Ethernet network.
[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest books are Six Centuries of Type & Printing (Aperiodical LLC) and How Comics Are Made (Andrews McMeel Publishing).]