Accelerating the adoption of passkeys without compromising user experience

Yubico Inc

By Geoff Schomburgk*
Friday, 27 June, 2025



Phishing remains one of the most persistent and dangerous cybersecurity threats, despite growing user awareness. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), phishing reporting has increased, suggesting users are more vigilant, but attacks still succeed at an alarming rate. This ongoing vulnerability points to a deeper problem: the fragile nature of password-based authentication and the need to move on from passwords for good.

The case for eliminating passwords with passkeys

Phishing attacks thrive because humans are fallible. Many data breaches exploit poor password habits: weak credentials, reused passwords, and susceptibility to fake login pages. We need authentication methods that remove the human element from the equation, and that’s where passkeys come in: phishing-resistant WebAuthn/FIDO2 credentials that replace traditional passwords entirely.

Endorsed by organisations like the National Institute of Standards and Technology (NIST) and included in the Australian Cyber Security Centre’s ‘Essential Eight’, passkeys are designed to eliminate the need for users to remember or manually enter passwords. This innovation represents a significant leap forward in making authentication more secure and user-friendly.

At their core, passkeys are built on public-key cryptography. When a user creates a passkey, their device generates a unique key pair: a private key securely stored on the device and a public key shared with the service provider. Since the private key never leaves the device and cannot be entered manually, passkeys inherently resist phishing and credential theft.

Users authenticate using biometrics (like Face ID or fingerprint), a PIN or a physical security key, removing the need to remember or manage passwords entirely. This significantly reduces human error and simplifies the login experience.

Reimagining modern multi-factor authentication

Passkeys offer a seamless form of modern multi-factor authentication (MFA) that doesn’t rely on SMS codes or authenticator apps. But not all passkeys are created equal, and there are two main types to consider for various use cases:

  1. Syncable passkeys: Stored in cloud-based password managers or platform-bound keychains (eg, Apple iCloud, Google Password Manager), these passkeys allow users to access credentials across multiple devices.
  2. Device-bound passkeys: Stored on a physical device like a hardware security key, device-bound passkeys offer a much higher level of security by keeping the credential locked to a single, physical object.

While syncable passkeys prioritise convenience by syncing credentials across multiple devices through the cloud, they also introduce new vulnerabilities: if cloud storage is compromised, the keys could be intercepted or misused. Device-bound passkeys, on the other hand, ensure that authentication requires physical possession of the device, raising the bar significantly for attackers.
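
The key-pair model and the syncable versus device-bound distinction described above both show up in what a relying party checks at login. The following is an added example, not code from Yubico or the original article: a simplified WebAuthn assertion check in Node.js with a simulated authenticator. The domain names and the `requireDeviceBound` policy option are assumptions made for illustration.

```javascript
// Added example: simplified WebAuthn assertion check, not a complete implementation.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();
const FLAG_UP = 0x01, FLAG_BE = 0x08; // user present; backup eligible (credential can be synced)

// Simulated browser + authenticator (constructed): the private key never leaves this closure.
function makeAuthenticator({ syncable }) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  function getAssertion(challenge, origin) {
    // The browser, not the web page, records the origin it is actually on.
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const flags = Buffer.from([FLAG_UP | (syncable ? FLAG_BE : 0)]);
    const rpIdHash = sha256(new URL(origin).hostname);
    // authenticatorData = rpIdHash (32) | flags (1) | signature counter (4, left at 0 here)
    const authenticatorData = Buffer.concat([rpIdHash, flags, Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
  }
  return { publicKey, getAssertion };
}

// Relying-party check: returns 'ok' or the first reason for rejection.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  const flags = a.authenticatorData[32];
  if (!(flags & FLAG_UP)) return 'user-not-present';
  if (expected.requireDeviceBound && (flags & FLAG_BE)) return 'syncable-not-allowed';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, expected.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: one device-bound and one syncable credential, same relying party.
function demo() {
  const hw = makeAuthenticator({ syncable: false });
  const synced = makeAuthenticator({ syncable: true });
  const challenge = randomBytes(32);
  const rp = { rpId: 'login.example', origin: 'https://login.example', challenge, requireDeviceBound: true };
  const check = (auth, ch, origin) =>
    verifyAssertion(auth.getAssertion(ch, origin), { ...rp, publicKey: auth.publicKey });
  return { genuine: check(hw, challenge, rp.origin), lookalike: check(hw, challenge, 'https://login-example.test'),
    stale: check(hw, randomBytes(32), rp.origin), synced: check(synced, challenge, rp.origin) };
}
```

The server stores only the public key, and the origin and challenge are covered by the signature, so a response produced on a lookalike domain or for an old challenge is rejected before the signature is even checked.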

Why device-bound passkeys?

Adoption friction is often blamed on the novelty of passkeys and users’ resistance to change. Indeed, some users have encountered issues with syncable passkeys, particularly around cross-platform compatibility, device syncing and usability. These poor experiences can turn users off from trying passkeys again.

Device-bound passkeys solve many of these problems. They offer protection and streamline the user experience by delivering fast, secure and consistent logins without relying on potentially fragile cloud syncing mechanisms. By eliminating both passwords and sync-related errors, hardware passkeys reduce friction rather than increase it.

A new path forward: striking the right balance of security and usability

The security versus convenience debate is real, but it’s no longer a binary choice. Passkeys mean users no longer have to compromise: they offer the ease of passwordless authentication with the assurance of unbreakable cryptographic protection. Device-bound passkeys are also becoming more accessible and affordable.

To accelerate the adoption of passkeys without compromising user experience, a multifaceted approach is essential. First, user education must take centre stage. People need to understand not just what passkeys are, but why they matter, and how they eliminate the risks of phishing and password-related breaches while simplifying everyday login experiences. Clear communication around the benefits and ease of use is key to overcoming initial scepticism and encouraging behavioural change.

On the technical side, developers and platform providers must work to simplify the implementation and integration of passkey support across devices, browsers and operating systems. Reducing fragmentation and ensuring compatibility will remove friction for users and organisations alike. At the same time, fallback mechanisms should be designed with care, offering alternative access without reverting to weak, legacy methods that undermine the integrity of passwordless systems.

Passkeys represent a turning point in the evolution of digital security. By aligning usability with robust protection, they have the potential to make secure authentication both practical and pervasive.

*Geoff Schomburgk is responsible for driving the Yubico business across the Asia Pacific and Japan (APJ) region, working with partners and enterprise customers to implement modern phishing-resistant authentication. He is an experienced senior executive with a background in engineering and strategy consulting and over 30 years’ experience in the global ICT industry. Geoff has a Bachelor of Engineering (Honours) and MBA and is also a qualified Company Director (FAICD).



  • All content Copyright © 2025 Westwick-Farrow Pty Ltd