I’m all about new technology, but sometimes, new technology gets in its own way, and passkeys epitomize this more than any other technology.
For those who do not know, passkeys are the new password, only more secure.
Also: How passkeys work: The complete guide to your inevitable passwordless future
Essentially, a passkey is a digital credential that allows you to log into your accounts using biometric (fingerprints or facial scans) and/or non-biometric (PINs, patterns, or device passwords) authentication — instead of having to type (and remember) a password. Passkeys use public key cryptography to enhance authentication, making them far more resistant to phishing and other types of attacks.
Anyone interested in a fuller exploration of passkeys is encouraged to check out David Berlind’s deep-dive series, How passkeys work.
Passkeys are real, and they are coming for your passwords.
On paper, passkeys are great. They make logins more secure and easier.
On paper.
In reality… not so much.
Let me paint a picture.
Recently, I was setting up an Android tablet to review. When it came to linking the tablet to my Google account, I was expecting it to go the usual route and ask me to “Say Yes on my phone,” but that didn’t happen. Instead, it wanted to use my passkey. I tapped “Use your passkey,” only to see that it couldn’t find my passkey.
Also: If we want a passwordless future, let’s get our passkey story straight
Wait, I’ve created a passkey for my Google account.
I tried again.
Nothing.
I decided to tap “Try another way,” but the only option was still a passkey.
If the tablet couldn’t find the passkey I’d created and wouldn’t allow me to use another method of logging into my account, what was I to do?
Fortunately, I continued attempting the passkey option, and eventually it allowed me to tap “Say Yes on your phone.” Whew. I was finally able to log in.
Also: Why the road from passwords to passkeys is long, bumpy, and worth it – probably
After that crazy roundabout, I hopped onto the Google Passkey manager to check into my passkey. While attempting to log in, at the 2-Step Verification phase, the only option was, again, “Use your passkey.” I clicked it, only to find out the passkey was assigned to my old Pixel 8 Pro (which I no longer had).
Thankfully, after clicking “Use a different phone,” Google presented me with a QR code to scan. I scanned the code, only to then be presented with a pop-up informing me that something went wrong. It didn’t say what, it just said “something.”
I tried again. This time I clicked “Create a passkey,” only to be told that a passkey couldn’t be created on this device because it doesn’t support passkeys. Is that because my desktop PC doesn’t have biometrics?
What gives? Why is this so hard?
I write about technology, and I’ve been using technology for a long time. I know technology, so this should be second nature to me. I can use SSH key authentication and PGP encryption, so passkeys should be a no-brainer for me.
The solution was to use the Google Passkey manager on my phone and create a passkey.
Also: What really happens during your ‘passwordless’ passkey login?
Only Google informed me that I already had a passkey on my device. If that’s the case, why didn’t it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had a passkey on my Pixel 9 Pro and requested I authenticate with either a fingerprint or face scan. It didn’t. No passkey was recognized… even though it’s there.
It’s a recursive nightmare from which I can’t seem to escape.
Now, let’s consider a user who knows little or nothing about technology — think about how frustrating it would be to try creating and using a passkey. How would your grandmother deal with this? She’d be calling you on the phone — the very device on which she’s trying to create a passkey — frustrated and concerned.
You don’t want Meemaw concerned, right?
Also: 7 password rules security experts live by – the last one might surprise you
Simply put, passkeys are not ready for the average user. Until Google (and every other company employing this technology) can figure out a seamless way of creating and using passkeys, they should consider them in beta.
I get it, I really do. Usernames and passwords are obsolete. They’re simple to crack because they allow users to be lazy with their credentials. But until passkeys can be easily created and used, this so-called passwordless alternative will accomplish nothing but infuriate people.
I want passkeys to work. I like the idea behind them and believe they are the authentication method of the future. But for the love of DwvvfPt05qDzQrZGdW5wr! To every company that wants to make passkeys its default login method:
Also: The best security keys of 2025: Expert tested
Before you migrate from passwords, make sure the technology is easy enough for anyone to use. When you make things harder, users want to throw their phones off the highest mountain.
That’s not good for the company, and it’s not good for Meemaw.
Stay ahead of security news with Tech Today, delivered to your inbox every morning.