Beyond Passwords: The Revolution of Passkeys

It’s simple: passwords are showing their age—no matter how cleverly crafted. Companies have spent years building cybersecurity policies: training staff, setting up phishing simulations, rolling out password managers, and layering on multi-factor authentication. These steps are still important, but passwords have overstayed their welcome. The persistent rise of phishing and brute-force attacks has exposed the limits of what passwords can do.

A 2025 Cybernews study found that 94% of 19 billion exposed passwords were reused across multiple accounts, concluding that passwords are insufficient for today's security needs. 

In a May 2025 Forbes article, Zak Doffman reports Microsoft is now urging users to “delete your password,” warning that attackers are ramping up phishing efforts before passkeys become the standard.

Declare Independence From Passwords

Passkeys offer a more secure and user-friendly alternative to passwords for accessing online accounts. When you register with a website, your device creates a unique pair of keys (your passkey): a public key, which is shared with the website, and a private key, which stays on your device and never leaves it. The keys are generated by cryptographic algorithms (the mathematics that scrambles data) so that unauthorized users cannot recover them.

Each account receives a unique set of keys, making it difficult for attackers to breach multiple accounts, even if one key is compromised.

Passkey technology uses the FIDO2 (Fast IDentity Online, version 2) framework, which works in conjunction with PINs, fingerprints, and facial recognition to support passwordless authentication. It is backed by a security principle called domain binding, which ensures that your passkey works only on the legitimate website it was registered for. The technology may seem complex, but the underlying principle predates computers and the internet; it reaches back several centuries.

What Passkeys and John Adams Have in Common

While watching a miniseries about John Adams, our second U.S. president, I noted a scene between him and a committee of Dutch bankers. The camera lingered on a committee member as he wrote a multi-million dollar check to the young United States. With a pair of scissors, the banker made a deliberate, jagged cut to separate the check from its stub.  

This early type of indenture cut, which was used for authentication during the 18th century, ensured the check could later be verified by matching the jagged edges. It occurred to me that this 250-year-old practice had more in common with modern cybersecurity than one might think. 

It works on a similar principle: the wavy paper cut is like today’s cryptographic algorithm, and the two halves of the check are the digital passkeys. The public key stored on the website simulates the check stub held by the Dutch bank. The private key on your device is the check John Adams took home—a secure possession.

When you log in to a website, your device receives a unique, one-time request from the site; think of it as a lock that needs both keys to open. Your device answers by signing that request with its private key, proving you have the right to enter. The website checks the signed answer against the public key it stored when you registered. If everything matches, you’re in. The best part: there’s no password or other reusable secret for hackers or fake websites to steal, despite their best efforts.

Why Fake Websites Can’t Fool Passkeys

Here’s where the analogy really shines. Let’s pretend you register with a website called “ACME.COM” and set up a passkey. Later, because of a phishing email link, you’re tricked into visiting a fake website at “ACM3.COM”, one that looks identical but has a slightly different address. When you try to log in, your device looks for a passkey that matches the site, but the fake website won’t work because the passkey is bound to the real website’s domain, and ACM3.COM is not that domain. That’s why passkeys are considered fundamentally phishing-resistant. Like the indenture cut that verified the check given to John Adams, the pieces have to fit, or the deal is off.

The Slow March Toward Passkeys

Despite their strong security and simplicity, passkeys haven’t yet swept through the business world, and I suspect it’s because of both human and technical reasons. Many users are unfamiliar with passkeys and wary of new login methods, especially when it comes to trusting how their data will be handled. It’s understandable that even the best technology will raise questions early on. Still, user habits take time to catch up.

Addressing Common Sense Questions

I realize some people are still comfortable using passwords and side-stepping new technology for as long as possible, while others who already use passkeys have questions about their security. I’ve discussed passkeys versus passwords with many people, and I’ve found three concerns come up most often:

What If Someone Takes My Phone?

If a person picks up your phone, what’s stopping them from accessing your accounts with your passkeys? The answer is device-level security. Passkeys are protected by your device’s built-in safeguards—such as a fingerprint, face recognition, or, my favorite, a PIN. Even if someone has physical access to your phone, they can’t use your passkeys unless they breach your biometric or PIN security.

Additionally, if your phone does go missing, you can remotely wipe it using the “Find My Device” feature available on Android and Apple systems; it allows you to locate, lock, and even erase data.

Biometrics vs. PIN: Which Is Safer?

If someone gains physical access to your device, especially while you’re asleep, they could use your fingerprint or face to unlock it. This is a real risk with biometric authentication. It’s important to understand how it compares to PINs.

  1. Biometrics (fingerprint, face recognition) are designed for convenience and quick access. However, they’re not always the best defense. In a worst-case scenario, someone could press your finger to the sensor or hold the phone up to your face to bypass the lock screen.
  2. PINs require active participation. No one can use your PIN without knowing it. This makes PINs a stronger defense in situations where coercion is possible.

Personally, I prefer using a PIN together with an extra security step. For example, when I log in to my bank app and use my passkey, the website initiates a second layer of authentication using number matching by displaying a two-digit number. At the same time, my phone presents several numbers, but only one matches what appears on the website. I need to tap the matching number to confirm my identity. This extra step assures me that my account is secure.

What About Password Managers?

Password managers remain a vital part of the security toolkit, especially for systems that haven’t caught up to passkey technology. These tools create and save complex passwords, so you don’t need to memorize them. Plus, many are adding passkeys—connecting the password-past to the passkey-future.

For people who just aren’t ready to let go of their password lifestyle, I recommend using a password manager for the time being, and incorporating passkeys as they become available; it’s a smart way to cover your bases.

Real-World Proof: Passkeys in Action

Let’s look at some compelling numbers: After rolling out passkeys, CVS Health reported a 98% reduction in account takeover fraud, saving the company potentially millions of dollars. 

The State of Michigan’s MiLogin system (online access to many state services) reported 1,300 fewer password resets after adopting passkeys, freeing up IT staff to focus on other security tasks.

Microsoft reported passkey sign-ins are not only faster—up to three times quicker than passwords—but prove resistant to phishing attempts. 

The Irony: While typing the previous Microsoft statistic, a friend sent me a Washington Post story detailing a widespread cyberattack. The story (“Global hack on Microsoft product hits U.S.”, July 21) broke overnight: in a campaign dubbed ToolShell, cyber criminals exploited a critical vulnerability to breach Microsoft’s on-premises SharePoint servers at hundreds of organizations in several countries.

The attackers bypassed multiple layers of protection to extract passwords and keys from affected systems. To clarify, the “key” theft is not the passkey technology I’m explaining in this article; these were “server-side” keys—digital secrets stored on a company’s physical server to manage user permissions and encrypted files. Unfortunately, reliance on outdated and traditional authentication methods caused this breach.

This is precisely why passkeys and FIDO2 are measurable improvements for both security and user experience when integrated into a company’s security plan. Yet, as most security professionals will tell you, any cybersecurity tool comes down to the people using it—because technology is only as strong as its most distracted user.

The Human Element: Why This Matters

Phishing attacks don’t just target the careless or the uninformed; they catch even the experts off guard. As I mention in The Weak Link of Cybersecurity: Understanding and Improving the Human Factor, the real world is full of distractions, and even the best-trained employee can be tricked, but passkeys take on some of that responsibility. If a user lands on a convincing fake site, the login process simply refuses to respond. It’s a technical safeguard that finally gives the human firewall some real backup.

So, as John Adams negotiated America’s future with nothing but a check, a stub, and a pair of scissors, I couldn’t help but appreciate the irony—that centuries later we’re still trying to outsmart the forgers and the bad actors.

If you’re considering moving beyond passwords and embracing an authentication method that’s effective and efficient, it’s time to consider passkeys. Start by enabling them for your most sensitive accounts and encourage your team to get comfortable with the alternative approach. If you want to know how passkeys fit into your organization, or need help mapping out your next steps, talk to an advisor at Atlantic Data Security. They will help you find a solution that makes sense for your organization and your staff.

Additional Reading:

Best Practices for a Secure Password: (Atlantic Data Security) Insight on the best password practices for individuals and organizations seeking sensible security.

How to Protect Your Team From Social Engineering: (Atlantic Data Security) A reference to social engineering and how attackers manipulate human psychology—rather than technology—to trick people into revealing sensitive information or providing access. 

Cybernews Password Reuse Study (2025): An analysis of 19 billion exposed passwords. This study provides data to explain why passwords have failed to meet current needs.

FIDO Alliance Passkey Adoption Report (2025): Industry survey showing growing consumer preference for passkeys over passwords. Demonstrates the momentum behind passwordless authentication.

Michael Civisca is a freelance contributor for Atlantic Data Security. ADS has established itself as a pioneer in the cybersecurity industry with customized solutions for its clients for over thirty years. Talk to an advisor and learn more about managed security services, endpoint security, and cybersecurity trainings at Atlantic Data Security. Follow us on LinkedIn, and read more in our resource blog.