Passwords vs Passkeys: What’s the Difference?


What Is a Password?

A password is a shared secret – you know it and so does the website. When you log in, you type it, the site checks it matches what’s stored and in you go. The problem is that this model has a lot of weak points. Passwords get reused, guessed, phished or stolen in data breaches. Even strong passwords can end up in the hands of hackers if a website’s database is compromised.

What Is a Passkey?

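A passkey works completely differently. Instead of a shared secret, it uses a pair of cryptographic keys – a private key that stays on your device and a matching public key held by the website. When you log in, the website sends a one-off challenge and your device signs it with the private key, proving it has the right key without ever sending a password or the key itself across the internet. There’s nothing worth stealing from the website’s end, because the public key can’t be used to log in, and nothing to phish from you.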

In practice, signing in with a passkey looks a lot like unlocking your phone – you use Face ID, Touch ID, a fingerprint or your device PIN. That’s it. No typing, no forgetting, no resetting.

Why Are Passkeys More Secure?

  • No passwords to steal. There’s no shared secret stored on a server that hackers can breach.
  • Phishing-resistant. A passkey only works on the legitimate site it was created for, so fake login pages don’t work.
  • No password reuse. Each passkey is unique to each site automatically.
  • Device-bound (in a good way). Even if someone knows your email address, they can’t log in without your physical device.
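
The sign-in flow and the phishing resistance described above, as an added example that is not part of the original article: a simplified Node.js model of the challenge and signature check, not the real WebAuthn message format. The function names and the `shop.example` origins are made up for illustration.

```javascript
// Added example: simplified model of a passkey sign-in (not the WebAuthn wire format).
const crypto = require('node:crypto');

// Registration: the device creates a key pair for ONE site and keeps the private key.
function createPasskey(rpOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { rpOrigin, privateKey },       // never leaves the device
    serverRecord: { rpOrigin, publicKey },  // all the website stores
  };
}

// Server: a fresh random challenge per login attempt, so old responses cannot be replayed.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: signs the challenge together with the origin actually being visited.
// If there is no passkey for that origin, there is nothing to sign with.
function deviceSign(device, visitedOrigin, challenge) {
  if (visitedOrigin !== device.rpOrigin) return null;
  const clientData = JSON.stringify({ challenge, origin: visitedOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: checks the challenge, the origin and the signature against the stored public key.
function serverVerify(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return false;
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.challenge !== expectedChallenge) return false;  // replayed or stale response
  if (data.origin !== serverRecord.rpOrigin) return false; // signed for another site
  return crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

// Constructed walk-through: a genuine login, then a look-alike login page.
function demo() {
  const { device, serverRecord } = createPasskey('https://shop.example');
  const challenge = newChallenge();
  const genuine = deviceSign(device, 'https://shop.example', challenge);
  const lookAlike = deviceSign(device, 'https://shop-login.example', challenge);
  return {
    genuineAccepted: serverVerify(serverRecord, challenge, genuine),
    lookAlikeAccepted: serverVerify(serverRecord, challenge, lookAlike),
  };
}
```
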

How Do You Set Up a Passkey?

Most major platforms such as Google, Apple and Microsoft now support passkeys, and the process is straightforward.

On an iPhone or Mac: Go to your account settings on a supported site, look for “Passkeys” or “Sign-in options”, and choose to create one. Your device will prompt you to authenticate with Face ID or Touch ID and save the passkey to your iCloud Keychain automatically.

On Android: The same process applies, with passkeys saved to your Google Password Manager.

On Windows: Windows Hello handles passkeys using your PIN, fingerprint, or face recognition.

Popular sites including Google, Apple, Amazon and PayPal already support passkeys, and the number is growing quickly.

Can You Use Passkeys on WordPress?

WordPress doesn’t include native passkey support as standard, but it can be added via a plugin. Options like WP-WebAuthn and Secure Passkeys add passkey authentication to WordPress logins, and the Solid Security plugin (formerly iThemes) includes it as part of a wider security suite. If you manage a WordPress site and want to explore this, it’s worth getting in touch with us.

Do You Still Need a Password?

For now, yes – most sites support passkeys alongside passwords rather than replacing them entirely. Passkeys are best thought of as an upgrade you can opt into, rather than something forced on you overnight. That said, as adoption grows, passwords will gradually become the fallback rather than the default.

Ready to Make the Switch?

If you’re already using a modern phone or computer, you likely already have everything you need to start using passkeys today. Next time a site offers to set one up, it’s worth taking five seconds to do it. Fewer passwords to remember, better security all round.

At Zonkey, we build and maintain WordPress websites with security in mind. If you’d like advice on improving your site’s login security, get in touch with our team.
