
What If There’s a Passkey on My Lost Phone?

No problem.

Losing a device with a passkey isn't a disaster at all. I'll describe why that is.
Setting up or using a passkey.
(Image: DALL-E 3)
Question: Regarding passkeys, I have two concerns. 1. Suppose I lose my device with the only private key I have; how will I be able to restore my account on a new device? 2. When creating a passkey for an existing account, the old password could still be stolen from the server.

These are common questions as we all get our heads around what passkeys are and how they work.

Fortunately, both of your questions have fairly simple answers. More importantly, they’re secure answers.


TL;DR:

Losing your passkey?

Losing a device with a passkey isn’t a disaster. Each device has its own passkey. If you lose your phone, set up a new passkey on its replacement and disable the old one remotely. Two-factor authentication helps secure your account if you’re still using a password, but transitioning to passwordless is safer because there’s nothing to steal.

Passkeys

Passkeys use cryptography instead of passwords to authenticate your identity and allow you access to an account. Passkeys are more convenient and secure than traditional passwords. There’s nothing for you to remember and no password or other credentials for a hacker to steal.

I dive into passkeys in a little more detail in What Is a Passkey? If you’re not familiar with the concept, that might be a good place to start.

Initial setup

Before we talk about your lost phone, let’s talk about how you set up the passkey in the first place.

The first time you sign in to an account that supports a passkey, you have to use some other form of authentication. That form of authentication is usually less convenient: typically a code or link sent to you by email or text. Yes, it can even be your existing password, but I’ll talk about that more in a moment.

Once you’ve signed in successfully, you are asked if you want to set up a passkey for that device. Say yes, and you’ll never have to do anything more than unlock your phone or repeat the unlock sequence the next time you want to sign in. Your phone and your passkey are protected by your PIN, your fingerprint, or your face, depending on how you set up that device.

Important: Every device gets its own passkey. This means that by default, the passkey you set up for your phone won’t work on any other device [1]. It’s only for that phone. If you want to sign in to a new device — say your desktop machine — you need to repeat the sequence above once, after which you can set up a passkey for that device.

“You” don’t have “a” single passkey. Every account you sign into has its own passkey, and every device has its own passkey for each account after you’ve set it up.

Losing your phone

Losing your phone has no effect on other devices. If you get a new phone, you repeat the initial setup sequence as above. If you set up passkeys on other devices, they continue to work on those other devices.

Remember that your phone is protected by your PIN, fingerprint, or face. To use any passkeys stored on the device, a thief would have to be able to provide or bypass those. Most hackers can’t or won’t be bothered.

However, there is a nifty feature of passkeys that I think is commonly overlooked.

Remember, each device has its own passkey for each account. If you lose the device, you can sign in to the account on another device and then disable the passkey for the device you lost. It’s the equivalent of saying, “You know that passkey I set up on my old phone? Disable it.”

That way, even if the thief somehow got past your phone unlock sequence (PIN, fingerprint, or face), the passkey(s) you’ve disabled remotely no longer work. (Your device doesn’t have to be stolen, by the way. You can disable a passkey on any specific device for any reason at any time.)
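To make the per-device idea concrete, here is an added example (my code, not the article's and not any real passkey implementation) of what the server and the devices actually hold and what "disable it" does: the server stores one public key per device, a sign-in is a signed random challenge, and revoking the lost phone's key leaves the desktop's passkey working while anyone who copied the server's records still cannot sign in. It is a deliberately simplified model; the Account and Device types, their methods, and the device names are assumptions of the example, not part of any real protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Account is the server side of this simplified passkey model (example code):
// one public key per registered device, and nothing secret that could be stolen.
type Account map[string]ed25519.PublicKey // device name -> public key

// Device holds the private half of its passkey. It never leaves the device,
// which on a real phone keeps it behind the PIN, fingerprint, or face unlock.
type Device struct {
	Name string
	priv ed25519.PrivateKey
}

// NewDevice generates the device's own key pair, i.e. its passkey.
func NewDevice(name string) *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS random source is broken
	}
	return &Device{Name: name, priv: priv}
}

// Register is the one-time setup done after signing in some other way;
// the server stores only the public half of the key pair.
func (a Account) Register(d *Device) {
	a[d.Name] = d.priv.Public().(ed25519.PublicKey)
}

// Revoke is "you know that passkey I set up on my old phone? Disable it."
func (a Account) Revoke(deviceName string) { delete(a, deviceName) }

// SignIn is the challenge/response: the server sends a fresh random challenge,
// the device signs it, and the server verifies it with the stored public key.
func (a Account) SignIn(d *Device) error {
	pub, ok := a[d.Name]
	if !ok {
		return errors.New("no active passkey for " + d.Name)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig := ed25519.Sign(d.priv, challenge)
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match the passkey stored for " + d.Name)
	}
	return nil
}
```

A device that knows only the registered name (or a copy of the server's public keys) cannot produce a valid signature, which is the "nothing to steal" property the article describes.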

Speaking of disabling remotely, if you’ve truly lost your device, disabling its passkeys is good, but I’d also consider a remote reset, wipe, or brick [2] option.

Passkey creation

When you set up a passkey the first time, you sign in some other way. As I described above, that way is usually less convenient and time-consuming, but you only have to do it once.

And, yes, if your account has a password, then it might be a traditional password-based login. Of course, if you’re also protected by two-factor authentication, just knowing the password won’t be enough, but the questioner’s point is well taken. Simply adding passkeys to your account makes it more convenient for you but doesn’t address all concerns. Like that password.

So get rid of the passwords.

Now there’s nothing for hackers to steal.

My Microsoft account, for example, has no password. The first time I sign in on a new device, I’m prompted to confirm on the already-authorized Microsoft Authenticator app on my phone. After that, the passkey is set up, and signing in is, once again, just a matter of my fingerprint or PIN on that device.

Today, most accounts still have passwords. I expect we’ll slowly see passwordless offered as an option more and more, and new services may well enroll users without ever using a password at all.

Do this

There’s no rush. It’ll take some time before passkeys reach critical mass. But now is a great time to learn what they are and how they keep you safer.

I’m sure I’ll be talking about them more in the future.


Footnotes & References

1: Password vaults that save passkeys are an exception to this. If you save a passkey to your vault, it can be used anywhere. It is, of course, protected by your vault’s authentication.

2: Reset: restore to factory settings. Wipe: erase everything on the device. Brick: disable the device so it can never be used again.
