
What If There’s a Passkey on My Lost Phone?

No problem.

Losing a device with a passkey isn't a disaster at all. I'll describe why that is.
Setting up or using a passkey.
(Image: DALL-E 3)
Question: Regarding passkeys, I have two concerns. 1. Suppose I lose my device with the only private key I have; how will I be able to restore my account on a new device? 2. When creating a passkey for an existing account, the old password could still be stolen from the server.

These are common questions as we all get our heads around what passkeys are and how they work.

Fortunately, both of your questions have fairly simple answers. More importantly, they’re secure answers.


TL;DR:

Losing your passkey?

Losing a device with a passkey isn’t a disaster. Each device has its own passkey. If you lose your phone, set up a new passkey on its replacement and disable the old one remotely. Two-factor authentication helps secure your account if you’re still using a password, but transitioning to passwordless is safer because there’s nothing to steal.

Passkeys

Passkeys use cryptography instead of passwords to authenticate your identity and allow you access to an account. Passkeys are more convenient and secure than traditional passwords. There’s nothing for you to remember and no password or other credentials for a hacker to steal.

I dive into passkeys in a little more detail in What Is a Passkey? If you’re not familiar with the concept, that might be a good place to start.

Initial setup

Before we talk about your lost phone, let’s talk about how you set up the passkey in the first place.

The first time you sign in to an account that supports a passkey, you have to use some other form of authentication. That other form is usually less convenient: typically a code or link sent to you by email or text. Yes, it can even be your existing password, but I’ll talk about that more in a moment.

Once you’ve signed in successfully, you are asked if you want to set up a passkey for that device. Say yes, and you’ll never have to do anything more than unlock your phone or repeat the unlock sequence the next time you want to sign in. Your phone and your passkey are protected by your PIN, your fingerprint, or your face, depending on how you set up that device.

Important: Every device gets its own passkey. This means that by default, the passkey you set up for your phone won’t work on any other device[1]. It’s only for that phone. If you want to sign in to a new device — say your desktop machine — you need to repeat the sequence above once, after which you can set up a passkey for that device.

“You” don’t have “a” single passkey. Every account you sign into has its own passkey, and every device has its own passkey for each account after you’ve set it up.

Losing your phone

Losing your phone has no effect on other devices. If you get a new phone, you repeat the initial setup sequence as above. If you set up passkeys on other devices, they continue to work on those other devices.

Remember that your phone is protected by your PIN, fingerprint, or face. To use any passkeys stored on the device, a thief would have to be able to provide or bypass those. Most hackers can’t or won’t be bothered.

However, there is a nifty feature of passkeys that I think is commonly overlooked.

Remember, each device has its own passkey for each account. If you lose the device, you can sign in to the account on another device and then disable the passkey for the device you lost. It’s the equivalent of saying, “You know that passkey I set up on my old phone? Disable it.”

That way, even if the thief somehow got past your phone unlock sequence (PIN, fingerprint, or face), the passkey(s) you’ve disabled remotely no longer work. (Your device doesn’t have to be stolen, by the way. You can disable a passkey on any specific device for any reason at any time.)

Speaking of disabling remotely, if you’ve truly lost your device, disabling the passkeys is good, but I’d consider a remote reset, wipe, or brick[2] option.

Passkey creation

When you set up a passkey the first time, you sign in some other way. As I described above, that way is usually less convenient and time-consuming, but you only have to do it once.

And, yes, if your account has a password, then it might be a traditional password-based login. Of course, if you’re also protected by two-factor authentication, just knowing the password won’t be enough, but the questioner’s point is well taken. Simply adding passkeys to your account makes it more convenient for you but doesn’t address all concerns. Like that password.

So get rid of the passwords.

Now there’s nothing for hackers to steal.

My Microsoft account, for example, has no password. The first time I sign in on a new device, I’m prompted to confirm on the already-authorized Microsoft Authenticator app on my phone. After that, the passkey is set up, and signing in is, once again, just a matter of my fingerprint or PIN on that device.

These days, most accounts still have passwords. I expect we’ll slowly see passwordless offered as an option more and more, and new services may well enroll users without ever using a password at all.

Do this

There’s no rush. It’ll take some time before passkeys reach critical mass. But now is a great time to learn what they are and how they keep you safer.

I’m sure I’ll be talking about them more in the future.


Footnotes & References

1: Password vaults that save passkeys are an exception to this. If you save a passkey to your vault, it can be used anywhere. It is, of course, protected by your vault’s authentication.

2: Reset: restore to factory settings. Wipe: erase everything on the device. Brick: disable the device so it can never be used again.

15 comments on “What If There’s a Passkey on My Lost Phone?”

  1. It’s cool that you can disable the passkey for a specific device, but how do you know what passkeys are on the device? Do you need to access accounts one by one to see if there is a passcode that should be disabled?

  2. All good and well, but let’s say you are going passwordless, and then lose the ONLY device (phone as an example) that has your passkey? You no longer have a password – possibly not even in combo with 2FA – to get into said account.

    Understand this is likely different from service to service, but something that at least needs to be addressed/explained [better].

    That said, Happy Fourth!

  3. Hi. So, if you upgrade your phone to a newer one, you’d then have to create all new passkeys on all the websites/apps again. Then you’d have to go into each account and remove the previous device from their list? That’s a lotta work. I think I’ll stay with a password manager until things are more ironed out.

      • Incorrect. Passkeys are unique for each device. (Each device/account pair, for that matter.) So if you get a new device, then yes, you’ll set up passkeys again on that new device.

        EXCEPT: if your password manager supports passkeys. Then it’ll be as if nothing happened. The passkeys in the vault are device independent. 1Password does this and I love it.

        • If you use a password manager which supports Passkeys (such as 1Password), how do you use the Passkey on the p/w manager? When I set up a Passkey on a Microsoft account, it seems the Passkey is stored on the MS account, not in 1Password. However, there’s a possibility I’m not understanding how this works.

        • But is this not less secure than a passkey on each device? If the password manager had a breach then, in theory at least, the passkey could be compromised (granted, with difficulty, on the assumption that the password manager securely encrypted the passkey).

  4. Currently using Roboform to manage and create my passwords. One of the motivators, for me, to use a password manager is that I can give my wife the credentials to get into Roboform, and that will allow her access to all of my on-line accounts in the event of my death.
    How will this work in a passwordless environment?

  5. Make sure your wife knows how to log in on all of your devices (with your PIN and/or her fingerprint/face). Also, you can set up passkey login to your cloud backup account, email account, and any other important accounts on all of her devices.

  6. I have several questions.

    1. Say I have a passkey set up in my phone and I lose the phone, and go to another device to log in. What if the way I log in sends something to my phone to let me in? That could either be through 2FA or through a password reset that sends a code to my phone. But I don’t have my phone. Now what?

    2. A related question: In the future, if we go passwordless and only use passkeys, how do I get into a website (for example) from another device? There’s no password to give, so a password reset that sends a code to my phone (for example) can’t be used because there isn’t a password that can be recovered.

    3. I think I am not understanding something basic in the way passkeys work. Would it be like if my public key is 10. The website sends 10 to me/my device. My private key is 5, so the answer is 2. My device sends 2 to the website? That can’t be right, because the website is now storing 2 as the answer to the challenge. So it’s storing the equivalent of a password which is vulnerable if the website is hacked.

    Thanks!

    • 1. In general there will be more ways than just the phone. You would choose a different one.
      2. How did you put a passkey on your device in the first place? You would do the same on the other device. (i.e., logging in some other way)
      3. The “secret” that’s exchanged is different every time. The ability to encrypt/decrypt using the key pair is what confirms it’s really you.

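As an added worked example (not part of the article or of the comment thread above), the following Python sketch models what the Passkeys and Losing your phone sections describe, and answers commenter question 3 the way Leo's reply does: every (account, device) pair has its own key pair, the site stores only the public half, every sign-in signs a fresh random challenge so nothing the site stores or a thief captures can be replayed, and the passkey on a lost phone can be disabled from another device while the other devices keep working. It uses textbook RSA on the standard library purely so it runs without extra packages (real passkeys use WebAuthn with ECDSA or EdDSA and proper signature encoding); the account name, the `Authenticator` and `RelyingParty` classes, the credential ids and the key sizes are all constructed for the example.

```python
"""Added example, not Ask Leo!'s code: a toy model of per-device passkeys.
Textbook RSA (no padding) stands in for the real signature scheme so this
runs on the standard library; actual passkeys use WebAuthn with ECDSA/EdDSA."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin on odd n; demo quality only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512, e=65537):
    """Returns ((n, e), (n, d)): the public and private halves of a new key pair."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private_key, message):
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n

class Authenticator:  # a phone or laptop: private keys are made here and never leave
    def __init__(self):
        self._keys = {}  # (account, cred_id) -> private key

    def register(self, account):
        public, private = generate_keypair()
        cred_id = secrets.token_hex(8)
        self._keys[(account, cred_id)] = private
        return cred_id, public  # only the public half is sent to the site

    def assert_login(self, account, cred_id, challenge):
        return sign(self._keys[(account, cred_id)], challenge)

class RelyingParty:  # the website: public keys only, one per (account, device)
    def __init__(self):
        self.creds = {}     # account -> {cred_id: public_key}
        self._pending = {}  # account -> outstanding one-time challenge

    def add_passkey(self, account, cred_id, public_key):
        self.creds.setdefault(account, {})[cred_id] = public_key
        return cred_id

    def revoke(self, account, cred_id):
        self.creds.get(account, {}).pop(cred_id, None)

    def challenge(self, account):
        self._pending[account] = secrets.token_bytes(32)  # fresh every time
        return self._pending[account]

    def login(self, account, cred_id, signature):
        challenge = self._pending.pop(account, None)  # consumed, so a replay fails
        public = self.creds.get(account, {}).get(cred_id)
        return (challenge is not None and public is not None
                and verify(public, challenge, signature))

def sign_in(site, device, account, cred_id):
    challenge = site.challenge(account)
    return site.login(account, cred_id, device.assert_login(account, cred_id, challenge))

def run_scenario():
    """Constructed walk-through: phone and laptop enrolled, then the phone is lost."""
    site, user = RelyingParty(), "alice@example.com"  # constructed sample account
    phone, laptop, new_phone = Authenticator(), Authenticator(), Authenticator()
    # Enrolling happens once per device, after signing in some other way.
    phone_cred, laptop_cred = (site.add_passkey(user, *d.register(user)) for d in (phone, laptop))
    # Normal login, then the same signature replayed: its challenge is spent.
    sig = phone.assert_login(user, phone_cred, site.challenge(user))
    out = {"phone_login": site.login(user, phone_cred, sig),
           "replayed_signature": site.login(user, phone_cred, sig)}
    # Phone lost: the laptop still works; from it the phone's passkey is disabled.
    out["laptop_still_works"] = sign_in(site, laptop, user, laptop_cred)
    site.revoke(user, phone_cred)
    out["revoked_phone"] = sign_in(site, phone, user, phone_cred)  # even if unlocked
    # The replacement phone enrols a brand-new key pair of its own.
    new_cred = site.add_passkey(user, *new_phone.register(user))
    out["new_phone_login"] = sign_in(site, new_phone, user, new_cred)
    out["site_holds"], out["lost_cred"] = sorted(site.creds[user]), phone_cred
    return out
```

Calling `run_scenario()` returns a dictionary: the phone login succeeds, replaying the same signature fails because its challenge was consumed, the laptop keeps working after the phone is lost, the revoked phone passkey fails even though the phone still holds its private key, and the replacement phone enrols a new one. Note what the site never holds: no private key and no reusable "answer", only public keys that can verify a signature over a challenge it will never issue twice.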
