Passkeys Are Never the Only Way In

There’s always another.

Losing a device with a passkey to one of your accounts will not lock you out.
Passwords versus Passkeys
(Image: ChatGPT)

One of the most common questions or comments I get about passkeys is along these lines.

If I lose my phone with my passkey, I’m locked out of my account, right?

No. Hard no, in fact.


TL;DR:

A lost passkey won't lock you out

Passkeys aren’t tied to one device, and accounts allow other ways to sign in, like passwords or email codes, so losing your phone doesn’t mean you’re locked out of your account. You can also deactivate passkeys for lost devices anytime, keeping your account secure. Passkeys are simpler and more secure than passwords.

Setting up a passkey

Let’s start by remembering how you got a passkey on that device in the first place. The process for setting up a passkey on your phone (or any device) is generally:

  • Sign into the device.
  • Accept the offer to set up a passkey on that device.

In other words, you had to sign into the device in order to set up a passkey in the first place.

How’d you do that? Generally, with a few more steps.

Signing in without a passkey

Before a passkey has been set up, signing in typically uses one of these approaches.

  • A password. If your account has a password, you may be asked for it.1
  • Supplying a code texted to your phone
  • Supplying a code emailed to your email address
  • Clicking on a link emailed to your email address
  • Responding to a prompt on another device already signed in to the same account

Each of these is more cumbersome than a passkey. None of them requires a passkey to have been set up already, yet each of them authorizes access to the account.

Once you’re authorized, the system may offer to establish the passkey, which you can use from then on.

There is no “my” passkey

While a passkey is kinda sorta like a password, and is part of a plan to phase out passwords, it is not exactly the same.

You have one password for one account, no matter where you sign into it, but you don’t have a single passkey. Each device you sign into has its own passkey for that account. If you sign into your account on a dozen different devices using passkeys, you have a dozen different passkeys for that account. Each passkey is set up using the process above — first signing into each of those devices without a passkey. Then you can choose to set up a passkey on that device to make future sign-ins easier for you.

There are two interesting side effects of this approach.

First, your account keeps track of all the passkeys created for it. If you lose your phone, you can sign in to the account from another device (using its passkey if you had set one up, or signing in without a passkey as described above). Then you can visit that list of passkeys (or, rather, the list of devices for which passkeys have been issued) and tell it the equivalent of “the passkey on the device I lost is no longer valid”.

Second, many password managers offer to store passkeys for you. This is a convenience, but it does mean that instead of each device having its own passkey, the same passkey, as kept by your password manager, is used everywhere.

It’s at least as safe as a password, with the added benefit that there’s no way to see or export the actual passkey.
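As an added illustration (not code from the article), here is a toy Python model of the arrangement described above: the account stores one public key per enrolled device, each device keeps its own private half, and revoking the lost phone's entry leaves the laptop's passkey working. The key arithmetic is textbook RSA at toy size purely to show the public/private split, and the device names and challenge bytes are constructed.

```python
import hashlib
import secrets
from itertools import count

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed: a stream of small primes so every device gets its own toy key.
_primes = (p for p in count(1_000_003) if _is_prime(p))

def new_keypair(e=65537):
    """Textbook RSA at toy size (illustration only); real passkeys use P-256/Ed25519."""
    p, q = next(_primes), next(_primes)
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public, private)

def _h(msg, n):   # hash the challenge into the modulus range
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    return pow(_h(msg, priv[1]), priv[0], priv[1])
def verify(pub, msg, sig):
    return pow(sig, pub[0], pub[1]) == _h(msg, pub[1])

class Account:
    """Relying party: one public key per enrolled device, never a secret."""
    def __init__(self):
        self.passkeys = {}   # device name -> public key
    def register_passkey(self, device, pub):   # only in an already-authorized session
        self.passkeys[device] = pub
    def verify_passkey(self, device, challenge, sig):
        pub = self.passkeys.get(device)
        return pub is not None and verify(pub, challenge, sig)
    def revoke(self, device):   # "the passkey on the device I lost is no longer valid"
        self.passkeys.pop(device, None)

class Device:
    """User side: the private half stays here; enrollment sends only the public half."""
    def __init__(self, name, account):
        self.name, (self.pub, self._priv) = name, new_keypair()
        account.register_passkey(name, self.pub)   # after a non-passkey sign-in
    def sign_in(self, account):
        challenge = secrets.token_bytes(32)   # chosen by the server in real WebAuthn
        return account.verify_passkey(self.name, challenge, sign(self._priv, challenge))

def lost_phone_scenario():
    acct = Account()
    phone, laptop = Device("phone", acct), Device("laptop", acct)
    before = (phone.sign_in(acct), laptop.sign_in(acct))
    acct.revoke("phone")   # done from the laptop after the phone is lost
    after = (phone.sign_in(acct), laptop.sign_in(acct))
    return before, after   # ((True, True), (False, True))
```

The account never holds anything that could be used to sign in; it only holds the list of public keys, which is why it can safely show you that list and let you strike one entry.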

When you lose your device

If you lose your device containing a passkey, you have the following options:

  • Sign in to another device which already has its own passkey previously set up.
  • Sign in to another device using an alternate sign-in method, just as you would when setting up a passkey in the first place.

“Another device” can, of course, be the new device you get to replace your lost one.

Passkeys are not hardware

I sometimes hear from people who confuse hardware keys like YubiKeys with passkeys. They are not really related.

  • A hardware key is a cryptographic secret you set up once and use as a second factor, usually in addition to a password, when signing in.
  • A passkey is a cryptographic secret kept as data that you set up once on each device and use as the primary or only factor when signing in, much like a password.

If you lose your hardware key for two-factor authentication, you use backup codes (created when you set up two-factor authentication) or other two-factor backup methods.

If you lose a device containing a passkey to an account, you can still sign into that account normally on other devices, and/or sign in without a passkey, as described above.

Do this

Passkeys are confusing, I get it. The fact is, they’re significantly more secure than password-based authentication.

One of the best things you can do is try it. If an account you use offers to set up and use passkeys, give it a whirl. I think you’ll find that in practice, they become a much easier way to sign in.


Footnotes & References

1: One of the goals of passkeys is to eliminate passwords completely, so this is likely to fall out of favor over time.

1 thought on “Passkeys Are Never the Only Way In”

  1. Amazon is one website that doesn’t seem to understand passkeys. I have 2FA set on my Amazon account and a passkey. When signing into my account, it doesn’t matter whether I sign in using my password or passkey, I still have to authenticate the login using my authenticator.
    My Microsoft account login is passwordless and I have a passkey set up as well on my computer. If I use the passkey, Microsoft doesn’t ask for the authenticator code. I do have to use my authenticator app to sign in if I don’t use the passkey, which I expect.
