{"id":57692,"date":"2024-11-17T18:30:07","date_gmt":"2024-11-17T18:30:07","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/"},"modified":"2024-11-17T18:30:07","modified_gmt":"2024-11-17T18:30:07","slug":"will-passkeys-ever-replace-passwords-can-they","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/","title":{"rendered":"Will passkeys ever replace passwords? Can they?"},"content":{"rendered":"<p><span class=\"label\">Systems Approach<\/span> I have been playing around with passkeys, or as they are formally known, discoverable credentials.<\/p>\n<p>Think of passkeys as a replacement of passwords. They are defined in the Web Authentication (<a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.w3.org\/TR\/webauthn-2\/\">WebAuthn<\/a>) specification of the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.w3.org\/\">W3C<\/a> (World Wide Web Consortium). This work evolved from several prior efforts including those of the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/fidoalliance.org\/\">FIDO alliance<\/a> (FIDO = Fast Identity Online).<\/p>\n<p>My quick take on <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/passkeys.dev\/docs\/intro\/what-are-passkeys\/\">passkeys<\/a> is that they are a good idea, and if we could convince the world to use them instead of passwords, we would all be much better off. Phishing in particular should take a big hit if they are widely adopted. But I fear that this isn\u2019t likely to happen, for reasons that I will explain in a moment.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>In the perennial quest to create more secure systems that are also user friendly, some significant implementation issues are apparent. My experience reinforces my belief that a systems view of security is necessary and user interactions with the system must be carefully thought through.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>The basic idea behind passkeys is straightforward enough: A user (or more likely, a device owned by the user) creates a private\/public key pair specifically for a single website and provides the public key to the site. The user proves their identity to the website using some other method such as a previously established user name and password, maybe some other factors as well. The website stores the public key for subsequent use. The next time the user wants to authenticate to the website, the site issues a challenge to the user, who uses the locally stored private key to sign their response to the challenge. The website uses the stored public key to authenticate the user.<\/p>\n<h3 class=\"crosshead\">Key points<\/h3>\n<p>This is why we say passkeys replace passwords, specifically with public key cryptography. Because the user\u2019s private key never leaves their device it should be much harder for a phishing attack to succeed. Phishing normally relies on getting a user to divulge their password by entering it into a bogus site. (Sophisticated attacks sometimes get users to divulge their second factor, such as a one-time code from their phone, as well.)<\/p>\n<p>Passkeys, as well as remaining local to the user\u2019s device, are unique to a particular site \u2013 implementations verify a certificate from the designated site before the relevant private key is used to respond to a challenge. So you can\u2019t accidentally use a passkey on a bogus site. Similarly, the problems of password reuse across sites are avoided. Password reuse often means that a security breach on one site can be used to gain access on others. None of that happens with passkeys.<\/p>\n<blockquote class=\"pullquote\" readability=\"5\">\n<p>A systems approach to security should include viewing the user as part of the system<\/p>\n<\/blockquote>\n<p>There remain a few weaknesses. The process is bootstrapped by getting the user to authenticate using a traditional approach (such as username and password) which remains open to traditional attacks. One way to mitigate this is to require multi-factor authentication (MFA) \u2013 and there are better options than one-time codes sent over SMS, which I will get to. There is no getting away from the fact that public keys always need some sort of bootstrap process. (Remember <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/xkcd.com\/364\/\">PGP key-signing parties<\/a>?)<\/p>\n<p>But if a website adopts passkeys without disallowing subsequent login attempts by password, then the system remains roughly as vulnerable to phishing attacks as it was before. A savvy user might detect that they are being phished if they are suddenly being asked for passwords after using passkeys for a long time, but any time we rely on the judgment of users to detect security attacks we are bound for disappointment. It bothers me to read blog posts from seemingly credible sources that don\u2019t address the fact that passkeys are being added in addition to passwords but not (yet) replacing them. Maybe the time will come when passwords are the exception, but I see no way to get there on the current trajectory.<\/p>\n<h3 class=\"crosshead\">In practice<\/h3>\n<p>There are two broad categories of passkey implementation. One approach binds the key to a specific piece of hardware, such as a USB key (eg, Yubikey). Or a passkey might be stored on a mobile phone and require biometric authentication (eg, facial recognition) before the passkey can be accessed.<\/p>\n<p>The second class of passkey implementation allows the credentials to be copied among multiple devices, typically using some sort of password manager to keep the credentials secure and synchronized across devices. In this case, the private-public key pair is stored in the password manager and then is made available to the user across different devices (laptops, mobile phones, etc.) when they need the passkey.<\/p>\n<p>Hardware tokens make phishing attacks almost impossible (if they replace passwords, see above), since the only way to get access to the user\u2019s credential is to have physical access to the key. A password manager, on the other hand, is a piece of software that normally has some cloud service behind it to handle synchronization across devices. If an attacker manages to get access to the credentials necessary to log in to the cloud service, then they have access to the passkeys stored within it. For this reason (among others) password managers are generally secured with some sort of multi-factor authentication. One of those factors might be biometric, or even a hardware token.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>As an aside, I would note that there is considerable variation in the security of different password manager implementations. Lastpass, for example, apparently made some <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/01\/25\/goto_security_incident_update\/\" rel=\"noopener\">poor design decisions<\/a> that meant <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/01\/16\/dump_lastpass_bitwarden\/\" rel=\"noopener\">a breach<\/a> was much more serious than it needed to be. By contrast, 1password\u2019s <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/support.1password.com\/1password-security\/\">description<\/a> of system security suggests that the only way the passwords (or passkeys) in their password manager can be accessed by anyone is if they have access to all your authentication factors (which in my case includes a hardware token.)<\/p>\n<p>My last concern about passkeys is that the implementation seems to have failed the \u201cmake it easy for users\u201d test, which in my view is the whole point of passkeys. I have been using public key cryptography for 30-plus years. (My first boss insisted his managers use PGP to encrypt emails containing sensitive information about employees \u2013 ah, those were the days.) Surely the reason for yet another technology based on public key cryptography is to simplify its use. If I find passkeys confusing to use, it doesn\u2019t bode well for more typical users. Let me walk through an example.<\/p>\n<h3 class=\"crosshead\">User interfarce<\/h3>\n<p>I decided to try to add a passkey to my WordPress.com account on my Apple Mac. So I log in using my existing password and second factor (a hardware token). I navigate to the security page; there is no mention of passkeys, so I click \u201c2-factor authentication\u201d then \u201cadd a security key.\u201d<\/p>\n<p>OK, I\u2019m not going to replace a password with a passkey here; instead I am going to add a security key as a second factor. And for the sake of this example, let\u2019s say I want to store it on my Yubikey. When I click \u201cadd key,\u201d three different bits of software compete for my attention.<\/p>\n<p>First up is the password manager, offering to store a passkey. (This is the first time passkeys have shown up in this process \u2013 you can begin to see how a casual user might be getting confused.) I don\u2019t want the password manager to be involved in this case, so I dismiss the window.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Next up, a window appears from macOS asking me if I would like to use TouchID to \u201csign in\u201d (to what? \u2013 I am already signed in to the website) and to save a passkey. Again, note the different terminology. When I dismiss that window, it is time for the browser to have a go, offering me <em>four<\/em> ways to save a passkey, including finally the option to store it on the hardware token. I insert the USB key and proceed.<\/p>\n<p>I think we can all agree that this is a confusing experience, with three different systems fighting to be the One True Place To Store Passkeys, along with the inconsistency of terminology (passkeys or security keys) and use cases (password replacement or strong second factor?)<\/p>\n<p>It\u2019s like every piece of software wants to \u201chelp\u201d but there is noone looking at the system-level behavior where these different bits of software interact with each other and the end user. I\u2019ve encouraged my wife (a social scientist not a computer scientist) to adopt a password manager and 2FA, and she\u2019s very willing to follow my lead, but the confusion of terminology and bewildering arrays of options frequently (and understandably) leads to complete frustration on her part.<\/p>\n<p>There is a longstanding trade-off between security and usability. It\u2019s important to take a systems approach to security and that should, I believe, include viewing the user as part of the system. If you can\u2019t make a security technology sufficiently easy for users, then it\u2019s unlikely to provide good security.<\/p>\n<p>Passkeys and the WebAuthn specification were intended to make public key cryptography accessible to average users, rather than just the domain of the tech-savvy. If done right, they could seriously improve security on the Web.<\/p>\n<p>There is a well-defined API to allow a broad choice of authentication devices (such as FIDO keys or password managers) to manage the creation and use of private\/public key pairs. But unless things get a lot more consistent and smooth for the end user, I fear this will end up just like PGP or <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8446.html#section-4.4\">client certificates<\/a> in TLS: A technically valid solution that has minimal impact on the majority of users. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/11\/17\/passkeys_passwords\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s why they really should Systems Approach\u00a0 I have been playing around with passkeys, or as they are formally known, discoverable credentials.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-57692","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-17T18:30:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Will passkeys ever replace passwords? Can they?\",\"datePublished\":\"2024-11-17T18:30:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/\"},\"wordCount\":1618,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/\",\"name\":\"Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-11-17T18:30:07+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/will-passkeys-ever-replace-passwords-can-they\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Will passkeys ever replace passwords? Can they?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/","og_locale":"en_US","og_type":"article","og_title":"Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-11-17T18:30:07+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Will passkeys ever replace passwords? Can they?","datePublished":"2024-11-17T18:30:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/"},"wordCount":1618,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/","url":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/","name":"Will passkeys ever replace passwords? Can they? 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-11-17T18:30:07+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZzpsrUZ5YbOpfcgDwtUbFwAAAYw&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/will-passkeys-ever-replace-passwords-can-they\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Will passkeys ever replace passwords? Can they?"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57692"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57692\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}