Passkey vs Password? What is a Passkey, and how do I use them on eBay, Facebook, and WhatsApp?

I recently upgraded my phone from the Pixel 8 Pro to the Samsung Galaxy S24 Ultra, and as I started to log into all my apps, I was prompted to use a Passkey with Samsung Pass when logging into eBay.

Similarly, when I logged into WhatsApp and Facebook Messenger, I was prompted to create a Passkey to allow me to access messages across devices. In this case, I chose not to use Samsung Pass but linked them to my Google account.

Then, when logging into eBay and DocuSign on my Geekom Mini IT13, I was prompted by Bitwarden to use a Passkey.

So, what are passkeys? How do they differ from passwords, and are they more secure?

What is a Passkey?

Passkeys are a new form of authentication technology that aim to replace passwords. Instead of using a text password that you type in, a passkey is a type of passwordless authentication powered by public key cryptography and the WebAuthn standard. Instead of a text password, a passkey uses a combination of your biometrics (face or fingerprint) or device PIN, along with a unique cryptographic key pair to authenticate you.

The key pair contains a private key stored securely on your device, and a public key stored by the website or app you are accessing. The private and public key are mathematically related. When you login, your biometrics or PIN confirm it’s really you, unlocking your private key to authenticate with the public key on the server.

This technology removes passwords from the equation, while offering security improvements. Most importantly, there is no password that can be phished, reused across sites, or cracked with brute force attacks.

Benefits of Passkey vs Password

Passkeys offer several security and usability advantages over traditional text passwords:

Phishing Resistant

Passkeys are completely resistant to phishing attacks. Because there is no actual password to steal or capture, phishing websites gain nothing from fooling you.

Immune to Password Reuse

Every passkey is unique to the site or app it’s created for, so reusing passkeys across accounts is not possible. This eliminates one of the biggest password security risks.

Protection from Cracking

Without a password that can be cracked with brute force attacks, passkeys provide excellent protection even if website databases are breached. The unique cryptographic keys cannot be reverse engineered.

Easier for Users

Passkeys remove the burden of having to remember complex, unique passwords for every account. Instead, users only need to remember their biometrics or device PIN.

Automatic Synchronisation

Passkeys synchronize seamlessly across devices via cloud backup services. Adding new devices is easy without having to remember passwords.

Two Factor Built-In

The requirement for biometrics or a PIN before authenticating provides a form of two factor authentication that is built into every passkey by design.

However, passkeys do come with some downsides:

Requires Modern Hardware/Software

Passkeys require modern devices with biometric readers or PIN entry capability. The device ecosystem support for passkeys is still incomplete.

Not Universally Supported

While major platforms like Apple, Google, Microsoft and Mozilla are backing passkeys, website and app support is still inconsistent. Support is improving rapidly, though.

Do I still need 2FA with a Passkey?

While passkeys inherently bolster security, the question of whether additional two-factor authentication (2FA) is necessary remains pertinent.

In essence, passkeys integrate the principles of 2FA by requiring something you have (the device storing the passkey) and something you are or know (biometric or PIN). Therefore, in environments where passkeys are fully supported, traditional 2FA may become redundant. However, during transition phases or on platforms that do not yet fully support passkeys, maintaining 2FA can provide an extra layer of security.

Can I delete my password after I enable a Passkey?

In theory, once you successfully enable and test a passkey for an account, you can safely delete the password on that account if the option is given to you.

Many services that implement passkey sign-in give you the option to delete your password after successfully configuring a passkey. For example, Google, Apple ID, and Microsoft Accounts allow removing the password after setting up a passkey.

If the service does not give you the option to delete the password, it likely requires keeping the password as a fallback until passkey support is more complete across devices.

In general, it is safe to delete your password on accounts after confirming your passkey works, but keep passwords around for compatibility if not given the deletion option explicitly.

How do I use a Passkey on Android?

Using a passkey on Android devices involves a few straightforward steps, typically integrated with the device’s built-in security features:

1. Install the latest version of Chrome or Edge Browser.
2. Go to the website where you want to create a passkey and click Sign up or Login.
3. Choose to sign up/login using a passkey when given the option.
4. Follow the instructions to scan your fingerprint or enter your device PIN to authorise the passkey.
5. Confirm the generated passkey name displayed by the site.
6. On subsequent visits, scan your fingerprint or enter your PIN to unlock your passkey for login.

Once created, passkeys synchronise across Android devices signed into the same Google account via Google Smart Lock. To add new devices, simply sign into your Google account on the device to sync passkeys.

How do I use a Passkey on iPhones / iOS?

On iOS devices, the use of passkeys is seamlessly integrated with Apple’s ecosystem, providing a user-friendly and secure authentication method:

1. Update your iPhone to iOS 16 or later.
2. Install the latest Safari browser.
3. Go to the website where you want to create a passkey, click Sign up or Login.
4. Choose to sign up/login using an Apple device passkey.
5. Authenticate with Face ID or device passcode to authorise the passkey.
6. Name your passkey when prompted by Safari.
7. On repeat visits, simply authenticate with Face ID or your passcode to login.

Your passkeys synchronise automatically across Apple devices via iCloud Keychain when signed into your Apple ID. Adding new devices is seamless by signing into your Apple account.

How do I use a Passkey on Bitwarden?

Bitwarden is my preferred password manager, they have embraced the shift towards passkeys, offering users the ability to store and manage their passkeys. They rolled out support for passkeys, its browser extensions, back in November 2023 and are available for both free and paid accounts.

At the time of writing, I believe it is only the browser extension that supports Passkey and not the mobile app.  

To use a passkey with Bitwarden:

1. Install the latest Bitwarden app on your device.
2. Enable Bitwarden integration in your browser’s passkey settings.
3. Create an account passkey as usual through the browser.
4. Give permissions for Bitwarden to access the passkey.
5. The passkey will then be securely stored in your Bitwarden vault.

You can subsequently fill the passkey to login through Bitwarden. If you get a new device, syncing your Bitwarden vault will transfer the passkey.This allows Bitwarden to manage, fill and sync your passkeys alongside traditional passwords – bringing passkeys into your existing password management workflow.

How do I use a Passkey on eBay?

As of January 2023, eBay has implemented passkey support on both mobile and desktop. Here is how to use passkeys on eBay:

1. Install the latest eBay app or access eBay through Chrome/Safari.
2. Go to your account settings and enable passkeys under ‘Login activities’.
3. Follow the instructions to register a passkey for your eBay account.
4. Use your biometric or PIN to authorize your passkey.

Once setup, you can sign in to eBay directly using your passkey without needing to enter a password. Passkeys enhance the security of your eBay account and simplify logging in.

How do I use a Passkey on Facebook and WhatsApp?

Facebook started rolling out support for passkeys in early 2023, allowing secure passwordless authentication for Facebook and WhatsApp accounts. Here is how to use passkeys with your Facebook and WhatsApp accounts:

1. Update to the latest Facebook or WhatsApp app on your device.
2. Go to your Facebook/WhatsApp account settings.
3. Enable passkeys under the Security or Login section.
4. Follow the on-screen instructions to register your passkey.
5. Use Face ID/Touch ID/PIN to authorise your passkey.

Once configured, you can directly login to Facebook or WhatsApp using your passkey. Support is still limited, so keep your password handy as a backup method for now.

Websites That Support Passkeys

Here are some popular websites that currently support passkey authentication:

• Google Accounts
• Apple ID
• Microsoft Account
• Mozilla Accounts
• Amazon
• eBay
• PayPal
• Twitter
• Uber
• Reddit
• eBay
• Linkedin
• DocuSign
• Coinbase
• Bitwarden
• Github
• Virgin Media
• Zoho
  

Support is quickly expanding to more websites and services. Check if a login page offers “Sign in with a Passkey” option.

Mobile Apps That Support Passkeys

In addition to websites, some mobile apps also support passkeys for secure login:

• Apple Apps (Settings, Apple ID, iCloud, etc)
• Google Apps (Gmail, Chrome, YouTube, etc)
• Microsoft Authenticator
• eBay
• PayPal
• Twitter
• Uber
• Reddit
• ebay

Look for a “Sign in with Passkey” option when logging into mobile apps going forward as support continues to grow.

Conclusion

Passkeys represent a major step forward for authentication security and convenience compared to traditional passwords. While ecosystem support is still incomplete, passkeys are the future of login and eliminate countless threats users face with passwords.

As device and service support expands, passkeys will become the default and preferred way of securing our online accounts in the years ahead.

James Smythe( Editor-in-chief )

I am James, a UK-based tech enthusiast and the Editor and Owner of Mighty Gadget, which I’ve proudly run since 2007. Passionate about all things technology, my expertise spans from computers and networking to mobile, wearables, and smart home devices.

As a fitness fanatic who loves running and cycling, I also have a keen interest in fitness-related technology, and I take every opportunity to cover this niche on my blog. My diverse interests allow me to bring a unique perspective to tech blogging, merging lifestyle, fitness, and the latest tech trends.

In my academic pursuits, I earned a BSc in Information Systems Design from UCLAN, before advancing my learning with a Master’s Degree in Computing. This advanced study also included Cisco CCNA accreditation, further demonstrating my commitment to understanding and staying ahead of the technology curve.

I’m proud to share that Vuelio has consistently ranked Mighty Gadget as one of the top technology blogs in the UK. With my dedication to technology and drive to share my insights, I aim to continue providing my readers with engaging and informative content.