Geeky stuff

Passkey v password can anyone explain why passkeys are better?

19 replies

Pippick · 23/04/2026 18:42

I read that the National Cyber Security Centre (NCSC) is recommending use of passkeys rather than passwords. I've noticed a lot of apps, websites and banks are using them but I can't for the life of me understand how they are more secure.
With passwords I have a different one for everything but a passkey is simply the PIN for my device, whether phone or laptop. So if you know that you can get in everywhere?

OP posts:
EscapadeVelocity · 23/04/2026 22:55

No, it will be a key generated by your phone that you don’t see. Random, different key for each site / app for which a passkey is required.

So you can’t be persuaded to give it away to scammers.

(And as you won’t have to try to remember all the passwords you’ve invented, you won’t scribble them down on a piece of paper …)

(I heard it being discussed on BBC R4 PM this evening. And was surprised to hear this being spoken of as something new, when they’ve been a feature of my Internet use for a good few years.)

GasperyJacquesRoberts · 24/04/2026 09:23

A passkey combines something that you know (your PIN) along with something that you own (your phone). In the industry this is known as multi-factor authentication and means that for someone to take over your account they'll need to steal your phone and your PIN. If you can use a biometric ID like a fingerprint instead of the PIN then that's even better.

By comparison, a password is just something that you know so if they steal that there are no more barriers for them.

Pippick · 24/04/2026 10:07

All the sites I've used a passkey on simply use the PIN for the phone.

The NHS app for example is accessed using my phone PIN.
So if my phone PIN is 1234 then anyone who steals my phone and knows the PIN (because they've watched me) can not only get into my phone but also my Amazon account, NHS app and any other site which uses the passkey 1234.
I just don't see how this is safer than having a separate password. Obviously I'm missing something?

OP posts:
EscapadeVelocity · 24/04/2026 10:34

It does seem as if you haven’t encountered the type of key you were reading about.

I repeat, it is not a code that you see. It is stored on your phone and you enter it when you open a relevant site via your phone.

GasperyJacquesRoberts · 24/04/2026 11:27

Pippick · 24/04/2026 10:07

All the sites I've used a passkey on simply use the PIN for the phone.

The NHS app for example is accessed using my phone PIN.
So if my phone PIN is 1234 then anyone who steals my phone and knows the PIN (because they've watched me) can not only get into my phone but also my Amazon account, NHS app and any other site which uses the passkey 1234.
I just don't see how this is safer than having a separate password. Obviously I'm missing something?

Because having to steal two things (phone + PIN) is harder than having to steal one thing (password).

You can buy lists of thousands/millions of usernames and passwords on the darkweb for peanuts. You can't do that for physical phones + working PINs.

Pippick · 24/04/2026 12:57

EscapadeVelocity · 24/04/2026 10:34

It does seem as if you haven’t encountered the type of key you were reading about.

I repeat, it is not a code that you see. It is stored on your phone and you enter it when you open a relevant site via your phone.

I agree that most banking apps use a different number for the passkey but there are several apps that just use the phone PIN. The NHS app asks whether you want to log in with email and password or use passkey. The passkey is just the phone PIN. Amazon is the same.

@GasperyJacquesRoberts thank you, I think I understand now. My data can only be accessed via the device, so if my phone is stolen it's an open book to whoever has it, but they can't use my data without the phone.

OP posts:
GasperyJacquesRoberts · 24/04/2026 21:14

Close, but not quite. Even if they steal your phone it's still useless without your PIN. It's "what you have" + "what you know". Stealing just one of those is worthless. The criminal needs both.

InLoveWithAI · 24/04/2026 21:17

Well, if your phone pin is 1234, that's kinda on you.

You can use biometrics, such as fingerprint or facial recognition. Or, you know, a pin that isn't easy to guess.

Pippick · 24/04/2026 22:09

InLoveWithAI · 24/04/2026 21:17

Well, if your phone pin is 1234, that's kinda on you.

You can use biometrics, such as fingerprint or facial recognition. Or, you know, a pin that isn't easy to guess.

Er, it was for illustrative purposes...

OP posts:
StealthMama · 25/04/2026 00:41

Pippick · 24/04/2026 10:07

All the sites I've used a passkey on simply use the PIN for the phone.

The NHS app for example is accessed using my phone PIN.
So if my phone PIN is 1234 then anyone who steals my phone and knows the PIN (because they've watched me) can not only get into my phone but also my Amazon account, NHS app and any other site which uses the passkey 1234.
I just don't see how this is safer than having a separate password. Obviously I'm missing something?

That isn’t using a passkey then. It might ask you to enter it as part of your security setup, but if it’s not using your biometric ID (face/fingerprint) or a stored cryptographic key then it’s not a ‘passkey’.

The reason these are required now is because of quantum computing, and the significant increase in power and capability achievable by hackers.

Consider how old your device is and make sure all apps are on the latest versions so that you can upgrade security where needed.

LattePatty · 25/04/2026 07:08

But what if you log into the same site from different devices - phone, tablet, laptop - if the passkey relies on logging on with your phone how does that work? With a password you can enter the same password from different devices.

Apologies if this is a stupid question …

StealthMama · 25/04/2026 11:15

LattePatty · 25/04/2026 07:08

But what if you log into the same site from different devices - phone, tablet, laptop - if the passkey relies on logging on with your phone how does that work? With a password you can enter the same password from different devices.

Apologies if this is a stupid question …

The app or site you are logging into has encrypted security management in the background. So when you log in from the web it validates your passkey based on the credentials you entered and syncs to your new device. Sometimes you might get an email saying ‘someone has logged in from a new device’ and asking you to confirm this is you. Then it’s banked.

Pippick · 25/04/2026 11:36

@StealthMama that makes sense. It's calling it a passkey but it isn't really.
When I click login with passkey it only needs my phone PIN. Example in pic

OP posts:
StealthMama · 25/04/2026 18:29

Pippick · 25/04/2026 11:36

@StealthMama that makes sense. It's calling it a passkey but it isn't really.
When I click login with passkey it only needs my phone PIN. Example in pic

Yes that’s it. They hold the passkey in the background and approve it to be assigned to the new device.

HopingToUnderstand · 26/04/2026 23:54

Hopefully this explains a little more on the subject.

Passkeys vs passwords — a short explanation

  • Think of a password like a single key you copy and give to every place you lock: if someone steals that copy (or guesses it), they can open every lock that uses it. Even with different passwords per site, sites store a version of your password — if a site is breached, attackers can try those passwords elsewhere.
  • A passkey is different: it’s like a smart lock on each site that talks only to your device’s private key. When you log in, your device creates a one-time proof that you own the right key for that site — it’s unique for that specific login event. That means the proof can’t be reused at another site or later, and sites never get a copy of your private key to store. So even if the site is hacked, attackers can’t steal a working passkey from that site.
  • Why passkeys can’t be stolen from a site: sites only store public information that’s useless by itself. Your private part of the passkey stays on your device (or secure account storage) and never leaves. A breached database doesn’t give attackers anything they can use to impersonate you.
  • Because a passkey’s secret never travels over the network, intercepting traffic doesn’t give an attacker anything they can use. When you log in your device sends a one-time proof that it holds the secret; that proof is different each time and can’t be replayed. Sites only see public, non-secret data. So even if someone captures the messages between your device and the website, they cannot extract the private passkey or reuse the captured proof to impersonate you.

Passkeys and different computers.

The same passkey can be used from different computers — but only if you set it up that way.

A passkey’s secret normally lives on one device. By default you can log in from that device only.

Many systems let you sync or back up passkeys (for example via your phone’s secure backup or a trusted account) so the same passkey can be available on another computer or phone. If you’ve synced or exported the passkey to the second device, you can use that device to log into the same website.

If you haven’t synced/backed-up the passkey, you can’t use a different computer; you’d need a new passkey from that device instead.

Syncing makes access easier but must be protected (it should require your device passcode, biometric, or the vendor’s secure backup) — otherwise someone who gets both your device and backup access could misuse it.
Bottom line: one passkey can work on multiple devices only when you intentionally copy or sync it to them; otherwise each device has its own passkey.

Bottom line: passkeys give each site a unique, non-reusable way to verify you, and the secret part never gets sent or stored on the site — that’s why they’re more secure than passwords.

Hope this helps.
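The challenge and response that post describes (and EscapadeVelocity's earlier point that the key is different for every site and never seen by the user), as an added Go example that is not part of this thread and is not any vendor's passkey code. It is a toy of the WebAuthn flow: one keypair per site, the site keeps only the public key, and each login signs a fresh single-use challenge together with the site's identity. The site names bank.example and shop.example, the type and function names, and the unlocked flag that stands in for the PIN or fingerprint check are all assumptions made for illustration; a real authenticator keeps the private key in the phone's secure hardware rather than in a Go map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is one website. It holds only public keys and its own outstanding single-use challenges.
type RelyingParty struct {
	ID      string                       // site identity; the names used below are made up
	pubKeys map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string]bool              // challenges issued but not yet signed
}
func newSite(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Authenticator is the phone. Private keys never leave it; the PIN/biometric gate is modelled by the unlocked flag.
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey // one private key per site
	unlocked bool
}

// Register creates a fresh keypair for the site; the site receives only the public half.
func (a *Authenticator) Register(rp *RelyingParty) (credID string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rp.ID] = priv
	credID = fmt.Sprintf("%x", pub[:8])
	rp.pubKeys[credID] = pub
	return credID
}

// NewChallenge issues a random value that is good for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}

// Assertion is the login message that crosses the network. It carries no secret.
type Assertion struct {
	CredID, RPID         string
	Challenge, Signature []byte
}

// signedData mixes the site identity into the signed bytes, so a proof for one site is useless at another.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(rpID), 0), challenge...))
	return sum[:]
}

// Assert produces the one-time proof, but only on an unlocked phone that has a key for this site.
func (a *Authenticator) Assert(rpID, credID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !a.unlocked || !ok {
		return nil, errors.New("device locked or no passkey for this site")
	}
	return &Assertion{credID, rpID, challenge, ed25519.Sign(priv, signedData(rpID, challenge))}, nil
}

// Verify is the site's check; everything it uses is public data.
func (rp *RelyingParty) Verify(as *Assertion) error {
	if as.RPID != rp.ID {
		return errors.New("assertion bound to a different site")
	}
	if !rp.pending[string(as.Challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(as.Challenge)) // consumed: replaying the same message now fails
	pub, ok := rp.pubKeys[as.CredID]
	if !ok || !ed25519.Verify(pub, signedData(rp.ID, as.Challenge), as.Signature) {
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

// PasskeyScenario runs the situations raised in the thread; a nil error means the login was accepted.
func PasskeyScenario() map[string]error {
	out := map[string]error{}
	bank, shop := newSite("bank.example"), newSite("shop.example")
	phone := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bankCred := phone.Register(bank)
	phone.unlocked = true // the user has just entered the PIN or used a fingerprint
	as1, _ := phone.Assert(bank.ID, bankCred, bank.NewChallenge())
	out["login"] = bank.Verify(as1)
	out["replay_captured_assertion"] = bank.Verify(as1) // an eavesdropper resends the same message
	out["captured_assertion_at_other_site"] = shop.Verify(as1)
	// Breached database: the attacker has every public key and a fresh challenge but no private key.
	forged := &Assertion{bankCred, bank.ID, bank.NewChallenge(), make([]byte, ed25519.SignatureSize)}
	out["forge_from_breached_db"] = bank.Verify(forged)
	phone.unlocked = false // stolen phone, PIN unknown: the device produces no proof at all
	_, out["stolen_locked_phone"] = phone.Assert(bank.ID, bankCred, bank.NewChallenge())
	return out
}

func main() { fmt.Println(PasskeyScenario()) }
```

Run it with go run and every case the thread raises is reported; only the normal login comes back with no error. The replayed message fails because its challenge was consumed, the message captured from the bank fails at the shop because the site identity is part of what was signed, the attacker who dumped the bank's database has nothing but public keys and cannot sign a fresh challenge, and a locked phone produces no message at all.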

awfulapril · 27/04/2026 04:03

But what IS a passkey? It seems to just be my face

HopingToUnderstand · 27/04/2026 22:58

Passkey:
A passkey is a secret digital code stored on your device, while your face is simply the "permission slip" that tells your device it’s okay to use that code. They work together: the passkey provides the high-tech security, and your face provides the convenience of not having to remember a password.

Password/PIN number:
This method is called multi‑factor authentication (MFA), specifically password plus one‑time PIN sent to a phone — often implemented as SMS-based two‑factor authentication (2FA).

Multi‑factor authentication (MFA) with a PIN sent to a phone works like this:

  1. You enter your password (something you know).
  2. The website verifies the password and sends a single-use numeric code (a one‑time PIN) to your phone via SMS or an authenticator app (something you have).
  3. You enter that PIN on the website.
  4. The site checks the PIN (it’s valid for a short time and one use only). If it matches, you’re granted access.

In short: two different factors—knowledge (password) + possession (phone/PIN)—are required, which makes account access much harder for attackers.
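The one-time code in steps 2 to 4 above, as an added Go example that is not from this thread or from any particular app or site. It implements the RFC 6238 time-based code that an authenticator app computes, plus a site-side check that enforces the "valid for a short time and one use only" rule while tolerating one step of clock skew. The secret is the reference test key from RFC 6238 and the timestamps are constructed; the type and function names are mine, and delivery by SMS is not modelled, only the code itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	stepSeconds = 30 // how long one code stays valid
	drift       = 1  // steps of clock skew tolerated on either side
)

// hotp is RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPAt is RFC 6238: the counter is the number of 30-second steps since the
// Unix epoch, which is what the authenticator app on the phone computes.
func TOTPAt(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/stepSeconds))
}

// Verifier is the website side for one user. It shares the secret with the
// user's app and remembers the highest step it has already accepted.
type Verifier struct {
	secret   []byte
	lastStep int64 // -1 until a code has been accepted
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastStep: -1} }

// Check accepts a code only if it matches a step inside the drift window and
// that step has not been used before: the "short time, one use only" rule.
func (v *Verifier) Check(code string, unixTime int64) bool {
	now := unixTime / stepSeconds
	for step := now - drift; step <= now+drift; step++ {
		if step <= v.lastStep {
			continue // already consumed, or older than a code we accepted
		}
		want := hotp(v.secret, uint64(step))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

// TOTPScenario walks through the thread's steps with constructed timestamps
// and the RFC 6238 reference secret.
func TOTPScenario() map[string]bool {
	secret := []byte("12345678901234567890")
	site := NewVerifier(secret)
	t := int64(1111111109)
	code := TOTPAt(secret, t) // what the app would display at that moment
	out := map[string]bool{}
	out["fresh_code_accepted"] = site.Check(code, t)
	out["same_code_used_again"] = site.Check(code, t+5)      // replay inside the window still fails
	out["code_after_two_minutes"] = site.Check(code, t+120)  // expired
	out["guessed_code"] = site.Check("000000", t)
	out["next_code_with_20s_skew"] = site.Check(TOTPAt(secret, t+stepSeconds), t+stepSeconds+20)
	return out
}

func main() { fmt.Println(TOTPScenario()) }
```

The replay case is the one that matters for the thread: even a code intercepted seconds after it was used is worthless, because the site records the step it accepted and refuses it again. Real deployments store lastStep per user in the database and rate-limit attempts, since six digits give an online guesser a one-in-a-million chance per try.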

StealthMama · 28/04/2026 12:06

awfulapril · 27/04/2026 04:03

But what IS a passkey? It seems to just be my face

Biometrics. A digital image of your face/ fingerprint etc converted to be used like a key.

catipuss · 28/04/2026 12:21

Some sites I use require a verification code that is sent to my email or phone, or they use an app like Authy where you are asked for a code from Authy, which is an app on your phone with a continually changing 6-digit number for each site. All the two-factor authorisations rely on a password and then some sort of code provided remotely from a different source, so a thief needs your password and access to your email, text messages or authentication app as well.

I think I only have one login with a passkey as such, but that is not the same as my PIN for my phone. I created it when I set up the account. I guess you could use the same code but that wouldn't be a good idea.
