Passwords are dying. After decades of being told to create complex passwords, change them regularly, and never reuse them, we’re finally moving to something better. But the new world of authentication can be confusing — what are passkeys, how do hardware security keys work, and which should you use?
What are passkeys?
Think of a passkey as a digital handshake between you and a website that happens entirely behind the scenes. When you create an account with a passkey, your device generates a pair of cryptographic keys for that site: one private (stays on your device) and one public (goes to the website). When you log in, the website sends a fresh random challenge, your device signs it with the private key, and the website checks the signature against the public key it stored. That proves you hold the private key without the key ever being sent over the internet. The passkey is also tied to the site's domain, so your device will not use it on a look-alike phishing site. You simply unlock your device with your fingerprint, face, or PIN, and you're in.
The beauty of passkeys is that there's nothing to remember, nothing to type, and nothing for attackers to steal from a website's database, which holds only public keys. Even if someone intercepts your login attempt, they can't reuse it: the signature covers a one-time challenge that the website accepts only once. Most passkeys are stored in your device's secure storage and synchronized through iCloud Keychain, Google Password Manager, or a password manager like 1Password or Bitwarden, so they follow you to new devices automatically; that convenience also means the synced copies are only as safe as the account or vault that syncs them.
What are hardware security keys?
Hardware security keys, such as YubiKey or Google's Titan Key, take a different approach. They're physical devices about the size of a USB drive that you plug into your computer or tap against your phone. The key performs the same challenge-and-signature handshake, but the private key is generated and kept inside the key's own chip and never leaves it, and most keys require a physical touch before they will sign. It can't be copied, synced to the cloud, or extracted by malware on the computer it is plugged into. If someone wants access to your account, they need the physical key in hand (and its PIN, if one is set).
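The handshake described under "What are passkeys?" and again for hardware keys above, as an added example that is not part of the original article: a small Go simulation of a WebAuthn-style login. The names (RelyingParty, Passkey, Register, Demo), the site example.com and the phishing origin https://evil.example are constructed for the demo, and authenticatorData is reduced to the hash of the relying-party ID (a real authenticator adds flags and a signature counter). The website keeps only the public key, hands out a one-time challenge, and checks the origin the browser wrote into the client data before verifying the ES256 (ECDSA P-256) signature. A hardware key runs exactly this flow; the only difference is that the Passkey's private key sits inside the key's chip rather than in device storage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// RelyingParty is the website. It stores public keys only, so a breach of its database yields nothing usable.
type RelyingParty struct {
	ID, Origin string                      // e.g. "example.com" and "https://example.com" (constructed for the demo)
	creds      map[string]*ecdsa.PublicKey // credential ID -> public key
	challenges map[string]bool             // issued and not yet consumed
}

// Passkey is the credential on the phone, laptop or security key: bound to one rpID, private key never leaves it.
type Passkey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Register mints a fresh P-256 key pair for this site; only the public half reaches the server.
func Register(rp *RelyingParty) (*Passkey, string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := randomHex(16)
	rp.creds[id] = &priv.PublicKey
	return &Passkey{rpID: rp.ID, priv: priv}, id
}

// NewChallenge issues 32 random bytes that are valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() string {
	c := randomHex(32)
	rp.challenges[c] = true
	return c
}

// signedMessage is what ES256 signs: authenticatorData || SHA-256(clientDataJSON); authenticatorData is reduced to the rpIdHash here.
func signedMessage(rpID string, clientJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// Assert answers a login challenge; the browser, not the web page, writes the true origin into clientDataJSON.
func (k *Passkey) Assert(origin, challenge string) (clientJSON, sig []byte, err error) {
	clientJSON, _ = json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	sig, err = ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(k.rpID, clientJSON))
	return
}

// Verify is the server's half of the handshake: origin, single-use challenge, then signature.
func (rp *RelyingParty) Verify(id string, clientJSON, sig []byte) error {
	pub, ok := rp.creds[id]
	var cd map[string]string
	if !ok || json.Unmarshal(clientJSON, &cd) != nil {
		return errors.New("unknown credential or malformed client data")
	}
	if cd["origin"] != rp.Origin {
		return fmt.Errorf("origin mismatch: %q is not %q", cd["origin"], rp.Origin)
	}
	if !rp.challenges[cd["challenge"]] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.challenges, cd["challenge"]) // single use: a captured assertion cannot be replayed
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, clientJSON), sig) {
		return errors.New("bad signature") // also fails if the key was bound to another rpID
	}
	return nil
}

// Demo: a genuine login, a replay of the captured assertion, and an assertion made for a phishing page at another origin.
func Demo() (genuine, replay, phishing error) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
	key, id := Register(rp)
	cj, sig, _ := key.Assert(rp.Origin, rp.NewChallenge())
	genuine = rp.Verify(id, cj, sig)
	replay = rp.Verify(id, cj, sig)
	cj, sig, _ = key.Assert("https://evil.example", rp.NewChallenge())
	phishing = rp.Verify(id, cj, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints a nil error for the genuine login, a used-challenge error for the replay, and an origin-mismatch error for the phishing case: the captured assertion is useless a second time, and the assertion a phishing page obtains is signed over the wrong origin. The origin check sits before the signature check on purpose, since it is cheap and rejects the most common attack first; a production server additionally checks the signature counter and ties the credential to a known user.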
Comparing the two approaches
Passkeys win on convenience: they're always with you on your phone or computer, they sync automatically, and a synced passkey survives the loss of a single device. Hardware keys have a security edge: because the private key never touches the cloud and cannot be extracted even from a compromised computer, and because logging in requires physical possession, the only attacks left are ones where someone gets hold of the key itself. The trade-off is that forgetting your hardware key means being locked out until you return to it, that each key has to be registered with each site separately since nothing syncs, and that losing it means relying on backup authentication methods or a second registered key.
On cost: passkeys are free, while hardware keys run €25–€75 each — and you should buy at least two, registering both as a safety net.
Which to use, and when
The practical answer for most people is both, used strategically. Passkeys are the right choice for everyday accounts: social media, email, shopping, streaming. They offer excellent security with maximum convenience. Hardware keys are worth the investment for your most critical accounts: banking, cryptocurrency wallets, server or work admin access, and the master accounts (Apple ID, Google account) that everything else depends on, including the account that syncs your passkeys. Compromising those would be catastrophic; with a hardware key, an attacker cannot get in without the physical key.
If you prefer local storage without cloud synchronization, KeePassXC has experimental support for storing passkeys in its encrypted local database; backing that database up is then your job. Alternatively, a hardware key is itself local storage: the passkey lives on the physical device with no cloud involvement at all, which also means there is no copy to recover from if the key is lost.
Key Takeaways
- Passkeys use device-based cryptography — nothing to remember, nothing to steal from a server database.
- Hardware keys keep the private key inside the physical device, where it can't be copied or extracted remotely, at the cost of convenience.
- Use passkeys for everyday accounts; add a hardware key for banking, admin access, and master accounts.
- Buy two hardware keys and register both — losing your only key means relying on recovery codes.
- Both are a major security improvement over passwords, and they work well together.
Image: generated by bacher-ai.com
