
Passkeys Explained: 7 Passkey Myths Busted by Dashlane’s Head of Innovation

By Rew Islam

Passkeys are set to transform how we access every online account—at home and at work. To help you know what to expect and stay ahead of the curve, we’re back with the fourth post in our series on passkeys. Before you read on, catch up on our last three posts to learn what passkeys are, how to manage them, and how they impact 2FA and MFA.

There are a lot of myths out there about passkey security and usage, including the idea that losing your phone means you lose all your passkeys or that vendors use passkeys to force users to stay with their platforms. Let’s bust some common myths so you can make more informed decisions about your personal and professional passkey usage.

Myth #1: If you lose your phone, you can’t access your passkeys

Passkeys typically sync between devices so that losing your device doesn’t mean losing your passkeys. For example, if you use an iPhone and store passkeys with the Apple Passwords app, you’ll regain access to your passkeys once you sign into another Apple device with your Apple account.

The same applies to Dashlane and other password managers. As soon as you access the password manager account on another device, your passkeys will be ready to use on that device.

Myth #2: Only Google and Apple currently sync passkeys

Third-party passkey providers like Dashlane use their own cloud infrastructure for syncing, similar to Google and Apple.

At Authenticate in October 2024, Microsoft announced that synced passkeys will be coming to Windows 11 and associated with Microsoft accounts. Although it remains uncertain whether these passkeys will be accessible on non-Microsoft platforms, Google recently indicated that synced passkeys in Google Password Manager will soon be available on both macOS and Windows.

Myth #3: Passkeys send your biometric information over the internet

All verification methods used with passkeys—whether biometrics, PIN codes, screen locks, or passwords—operate solely on your device to unlock the passkey. For example, if you use Face ID on an iPhone, it unlocks the passkey locally. No biometric information is sent to the website, only a confirmation that verification was successful.

Myth #4: You can change your password but you can’t change a passkey

A recent NIST publication (SP 800-63B) discourages password change rules unless the password has been compromised. Passwords are easily compromised through phishing attacks, server breaches, or simply when users choose a weak or already compromised password. A passkey is always strong and unique and cannot be phished, so there’s rarely a reason to change a passkey.

However, passkeys can be changed simply by deleting them from the website they’re set up with and re-enrolling a new one. This is because every new passkey is unique, even when multiple passkeys are set up for the same website.

Myth #5: PIN codes are not as secure as passwords

Passkeys can be unlocked with a device PIN code, which may be a concern for some. Passwords are typically more complex than 6-digit or 4-digit PIN codes. However, that’s not the only factor to consider when assessing security.

Once a device PIN code is set up, it can only be used on a particular device. In this sense, a device PIN code is a knowledge factor combined with a possession factor.

Unlike most passwords, PIN codes also incorporate an attempt limit. This means that, after a certain number of incorrect guesses, no more guesses are allowed, which prevents an attacker from brute-forcing the PIN. This combination of device binding and attempt limits makes PIN codes inherently more secure than passwords. You’re likely already using a device PIN on your mobile device.

Myth #6: Using a password manager for your passwords is better than using passkeys

Password managers are excellent for generating and securely storing complex passwords, saving users from having to remember them. However, passwords can still be vulnerable to phishing if a user is tricked into copy-pasting them into a fake site. While password managers help, they can’t completely prevent phishing. Passkeys, by contrast, are phishing-resistant by design.

Additionally, almost all leading password managers now support passkeys, so using a password manager allows you to benefit from both secure password storage and the added protection of passkeys.
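
To make Myth #3 and the phishing resistance mentioned under Myth #6 concrete, the following Python is an added example (not Dashlane's code and not part of the original article). It parses the fixed header of WebAuthn authenticator data, which is what a website receives at sign-in, and runs the relying-party checks on it; local verification appears only as a single flag bit, and the response is bound to the site's RP ID and origin. The RP ID `example.com`, the challenge value and the helper names are assumptions, and signature verification against the stored public key is left out.

```python
import hashlib
import json
import struct

# Flag bits in WebAuthn authenticator data
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified locally (biometric, PIN or screen lock)
FLAG_BE = 0x08  # backup eligible: the passkey may be synced
FLAG_BS = 0x10  # backup state: the passkey is currently synced

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash | flags | signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def check_assertion(auth_data: bytes, client_data_json: bytes,
                    rp_id: str, origin: str, challenge: str) -> list:
    """Return the failed checks; an empty list means the response is acceptable.
    Signature verification against the stored public key is not done here."""
    parsed = parse_authenticator_data(auth_data)
    client = json.loads(client_data_json)
    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != challenge:
        problems.append("challenge mismatch")
    if client.get("origin") != origin:
        problems.append("origin mismatch")
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not parsed["user_present"]:
        problems.append("user not present")
    if not parsed["user_verified"]:
        problems.append("user not verified")
    return problems

def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data (not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
```

A response produced for a look-alike domain carries that domain's origin and RP ID hash, so it fails the checks on the genuine site even though the user approved it.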

Myth #7: Passkeys are a way for vendors to lock users into their platforms

The FIDO Alliance has published new standards that will allow password managers to safely and easily export passwords and passkeys. Until now, this hasn’t been possible because there was no industry standard. Each password manager had determined its own format and exported plaintext CSV files to allow for data portability.

Thus, while passkeys haven’t been exportable, password managers will soon implement the new FIDO standard for credential exchange. In fact, many of the leading providers have committed to this support.


Despite the many myths about this emerging technology, passkeys are rapidly becoming more mainstream. In fact, Dashlane users’ passkey authentications have surged to well over 500,000 per month, a 6x increase in the past year. Passkeys are the future of authentication, and that future is rapidly approaching.
