What Is a Passkey — And Are They Actually More Secure?
Helpful? Yes. A magic fix? Not quite.
You’ve probably started seeing prompts that say something like “Sign in with a passkey instead”. Big tech companies are pushing them hard, often describing passkeys as the future of authentication — safer than passwords, phishing-proof, and easier to use.
There’s some truth there. But like most security tools, passkeys are good in the right context and overhyped in others.
Let’s break it down.
What Is a Passkey, Anyway?
A passkey is a passwordless way to log in using something you already have — usually your phone, computer, or tablet.
Instead of typing a password, you:
- Approve a prompt
- Use Face ID / Touch ID
- Enter your device PIN
Behind the scenes, your device uses cryptographic keys to prove who you are. No password gets typed. Nothing reusable gets sent over the internet.
That’s the big appeal.
Why Passkeys Can Be Good
When implemented properly, passkeys solve a few real problems:
🔐 No Password to Steal
There’s nothing for a phishing site to capture and nothing for a keylogger to record.
🎣 Resistant to Phishing
A passkey won’t work on a fake website. Your device checks the real domain before approving the login.
😌 Easier for Humans
No memorizing long passwords. No “was it an exclamation point or a question mark?” You can imagine a passkey as a pre-saved super awesome password, that changes after every use, AND that you don’t have to remember!
From a usability standpoint, passkeys are genuinely nice.
Where Passkeys Fall Apart
This is the part that often gets glossed over.
❌ Most Accounts Still Have Passwords Anyway
Here’s the big one:
Almost every account that supports passkeys still requires a username and password as a fallback.
Why?
Because people lose phones.
Devices break.
Passkeys get deleted.
So the password still exists.
That means:
👉 Attackers won’t use the passkey. They’ll just attack the password.
Phishing, credential stuffing, brute force — all the same old attacks still apply. The presence of a passkey doesn’t remove that risk unless the password is fully disabled (which is still rare).
❌ Not All Passkeys Sync Between Devices
Passkeys only work well if they’re available everywhere you work.
We’re fans of passkeys when they’re stored in a real password manager that syncs securely between devices, like:
- Apple Passwords / iCloud Keychain
- 1Password
Those handle passkey syncing properly.
When we don’t recommend using passkeys:
- Browser-only password managers like Chrome or Edge
They don’t support passkey syncing across ecosystems, and that’s how people end up locked out — or falling back to weaker recovery methods.
❌ Lock-In Is Real
If all your passkeys live on one device or inside one ecosystem, switching platforms or recovering from a lost device can get painful fast.
That’s not a deal-breaker — but it’s something to be aware of.
So… Do We Like Passkeys or Not?
Yes — with conditions.
Passkeys are:
- 👍 Better than passwords alone
- 👍 Convenient
- 👍 A nice extra layer
But they are not:
- ❌ A replacement for good password hygiene
- ❌ A substitute for MFA
- ❌ A silver bullet for account security
If an attacker can still log in with a password, passkeys don’t stop them.
When We
Do
Recommend Using Passkeys
If you are:
- Using a robust password manager that syncs passkeys across devices
- Already using unique passwords and MFA
- Comfortable managing your security centrally
Then there’s no reason not to use passkeys.
They add convenience and some extra protection — without much downside.
If you’re not using a proper password manager yet, we’d focus there first.
Security Is About Layers — Not Buzzwords
Like most security trends, passkeys are a useful tool, not a miracle cure.
Real security still comes from:
- Unique passwords
- MFA everywhere
- A real password manager
- Educated users who know what to approve — and what not to
At Ultrex, we don’t push one-size-fits-all solutions. We don’t bill per ticket, and we’re not tied to any one vendor or shiny new feature. We tailor recommendations to your environment, your risk tolerance, and your budget — because what’s “best” depends on how you actually work.
If you’re curious whether passkeys make sense for your setup — or want help implementing them the right way — we’re happy to walk through it with you.
No hype. No pressure. Just smart security that fits.