If you hate passwords, switch to this other kind of login right now
Thursday, January 30, 2025, 15:00, by PC World
The point of this celebration? Updating your passwords to be more secure—like finally abandoning password12345 (oof) for XSmpJAI5v@NtG-7L#Q2F. Or, if passphrases are more your vibe, Water-Whom-Atom-Flame-Snake5.

But to heck with updating. Go with replacing. Specifically, replacing your passwords with passkeys.

Passkeys don’t require memorization, can be stored directly on your phone, and are stronger than passwords. One particular advantage: They’re phishing-resistant. Separately, if a website gets hacked (a real possibility these days), your credential information shouldn’t be crackable or usable by anyone else.

When you create a passkey, both a public and a private key are generated. (This is known as public-key or asymmetric cryptography.) The private key is kept by your device or password manager. Supported devices include phones, tablets, hardware dongles like YubiKeys, and compatible PCs. You can choose to store passkeys locally on your device or in the cloud. These secret keys are secured by your device’s biometric authentication (e.g., fingerprint or face), or the method that secures your password manager.

Hardware security keys like YubiKeys can store passkeys, as well as serve as a two-factor authentication method. (Image: Alaina Yee / Foundry)

Meanwhile, the public key is shared with the website it’s generated for. You need both the public and private key to log in to the account they’re tied to. Whenever you log on, the website will ask for proof you’re the account owner, via the following steps:

1. A request is sent to your device (or password manager) to begin the verification process.
2. Your fingerprint, facial scan, or other authentication method is required to authorize the request.
3. If you approve, your private key (aka secret key) is used to create a digital signature, which is then sent to the website.
4. The website then uses the public key you gave it to try verifying the digital signature. If successful, you’re in.
When passkeys are implemented correctly, no one can deduce your private key based on the public key—which means data leaks and breaches aren’t as dangerous. (At least, in regard to password health.) Passkeys also only work for the specific site they’re generated for, so they can’t be captured or used by fake malicious sites, which is how phishing schemes steal passwords.

The one real wrinkle with passkeys is if you store them locally on a device—if you lose the device, you could get locked out of your account. But having a backup device (a tablet or older phone) or hardware dongle easily solves the problem. You can also use an extremely secure password + two-factor authentication as a backup. That last option doesn’t fully escape passwords, but it at least gets you most of the way there for your day-to-day.

I personally find logging in with a passkey faster than passwords, even when using a password manager with autofill. You can start with major services like Google, Apple, and Microsoft, though, as well as big stores like Amazon, Target, Best Buy, and more. And while passkeys aren’t yet supported by all apps and sites, even converting your most frequently accessed apps and sites, as well as any dealing with sensitive information (including billing info), already makes online life more secure—and convenient.
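The login steps and the site-binding described above can be traced in code. This Node.js sketch is an added example, not part of the PC World article: it signs a simplified message (site origin plus a random challenge) rather than the real WebAuthn format, and the origins, function names, and challenge handling are assumptions made for illustration.

```javascript
// Added example: simplified passkey login, not the real WebAuthn message format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const SITE = 'https://shop.example';        // constructed origin
const FAKE = 'https://shop-login.example';  // constructed look-alike origin

// Device side: create a key pair bound to one site origin.
function createPasskey(origin) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return { origin, publicKey, privateKey };
}

// Device side: sign the challenge together with the origin the browser reports.
// Returns null when no passkey exists for that origin.
function deviceSign(passkeys, seenOrigin, challenge) {
  const passkey = passkeys.find((p) => p.origin === seenOrigin);
  if (!passkey) return null;
  const message = Buffer.concat([Buffer.from(seenOrigin), challenge]);
  return sign(null, message, passkey.privateKey);
}

// Website side: check the signature against its own origin, the challenge it
// issued, and the public key stored at registration.
function siteVerify(account, challenge, signature) {
  if (!signature) return false;
  const message = Buffer.concat([Buffer.from(account.origin), challenge]);
  return verify(null, message, account.publicKey, signature);
}

function runDemo() {
  const passkey = createPasskey(SITE);
  const device = [passkey];
  const account = { origin: SITE, publicKey: passkey.publicKey }; // all the site stores

  const c1 = randomBytes(32);
  const sig1 = deviceSign(device, SITE, c1);
  const c2 = randomBytes(32);
  const stranger = createPasskey(SITE); // someone who only saw the leaked public key

  return {
    genuineLogin: siteVerify(account, c1, sig1),        // true
    replayedSignature: siteVerify(account, c2, sig1),   // false: challenge changed
    lookAlikeSite: deviceSign(device, FAKE, c1),        // null: no passkey for that origin
    wrongPrivateKey: siteVerify(account, c2, deviceSign([stranger], SITE, c2)), // false
  };
}

console.log(runDemo());
```

The site record holds only the origin and the public key, which is why a database leak alone does not let anyone produce a valid signature.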
https://www.pcworld.com/article/2591499/if-you-hate-passwords-switch-to-this-other-kind-of-login-rig...