Passkeys have been getting a lot of attention in the last few years. Tech giants Apple, Google, and Microsoft are all pushing them as the next step beyond passwords. If you follow security discussions, you’ll get the impression that passwords are on their way out and everything will soon be replaced with a simpler and more secure alternative: passkeys.
From a technical point of view, that direction makes sense. Passwords have always been the weakest link. In WordPress, you can install Melapress Login Security to enforce a variety of strong password and login security policies. You can add two-factor authentication with WP 2FA, and at that stage your website is quite secure.
However, even with these improvements and the use of password managers, users still reuse and share passwords, phishing attacks still work, and users still fall for social engineering attacks. With the rise of AI, phishing and other social engineering / psychological attacks are expected to increase drastically.
Nowadays, the easiest way to hack someone or a website is not by exploiting technological flaws, but by exploiting psychological flaws: the users themselves. So the real question is not what passkeys are. It is what they mean in practice.
How Passkeys work and why they are better
Passkeys are based on a public/private key authentication mechanism using WebAuthn. There is no shared secret like a password. The private key stays on the user’s device, or is synced across the user’s devices, while the public key is stored on the server. Authentication happens by proving possession of that private key.
That alone removes a large class of problems. There are no passwords or password hashes to steal, reuse, leak, or crack. Phishing is also much harder because the credential is bound to the site's domain. Even if a user lands on a fake site, the browser will not complete the authentication process with the passkey.
Different types of passkeys
There are two types of passkeys:
Device-bound passkeys, which are tied to a specific device, such as a hardware key or your laptop. They are more secure but less forgiving. Lose the device, and you have a problem.
Synced passkeys, which are stored in cloud-based systems like iCloud Keychain or Google Password Manager. They are far more convenient, but they introduce dependency on those third-party platforms.
Passkeys and WordPress websites
Out of the box, WordPress authentication is simple: the good old username and password. Passwords are stored as hashes in the database. Everything else is built on top of that through plugins. Both two-factor authentication and passkeys work this way.
Tip: Use the WP 2FA plugin to harden your WordPress website’s authentication by adding two-factor authentication and passkeys.
No standard implementation, yet
Since passkeys are handled at the plugin level, there is no standard way of implementing them. Different plugins can take different approaches, and the user experience varies from plugin to plugin and site to site.
On top of that, even though WebAuthn is standardized, Apple, Google, Microsoft, and every other service that supports passkeys handle things slightly differently. This is a major problem because you are mostly dealing with non-technical users.
Multisite networks add another layer of complexity
Multisite networks introduce additional complexity. Passkeys are tied to users, not individual sites. That can be helpful, but it can also create confusion when different sites on the network have different policies. Users expect consistent behavior across the network; however, this might not be the case.
So if a person has one user account to access multiple sites on the network, the login process to each website might be different.
Managing passkeys at scale
As a website owner, managing passkeys sounds simple and straightforward. However, if you have ever managed a website with users, you know that this will quickly turn into a management problem:
- Users forget what they registered
- Devices get lost or replaced
- Old credentials are forgotten
- And the list goes on
Unfortunately, passkeys are still something that you need to actively manage.
What We Learned Building Passkeys in WP 2FA
When we started adding passkeys in WP 2FA, on paper the process looked straightforward. To be honest, the technical aspect of it was simple. The biggest challenge was handling edge cases, user expectations, and inconsistent behavior across devices.
Users still do not understand passkeys
The biggest issue with passkeys is that users do not really understand them or how they work. I do not mean technically, but even logically. Everyone knows what a password is and what it is used for.
Passkeys? Few people know. “Add a passkey” does not mean much to most people. When users see prompts from their browser or operating system, they either click through without understanding what they are doing or stop because they are unsure what is happening.
So this is a big challenge, and as plugin developers, it forces us to rethink how we present and explain the feature. As a matter of fact, we already have a number of UI and UX improvements for passkeys in WP 2FA.
User experience is still fragmented
Each user’s experience with setting up passkeys and using them to log in to WordPress varies a lot because it depends on the combination of device and browser. While on some setups it might feel smooth and seamless, on others it might feel like things are broken or not working properly.
These types of inconsistencies are difficult to handle, but hopefully, we will keep improving as we get more feedback from users. If you are curious about how users can set up and use passkeys on WordPress, watch this short video.
Passkeys problem: recovery
Recovery is where passkeys fall short compared to passwords. There is no typical “forgot passkey” recovery process like there is for passwords. You still need other fallback mechanisms to change your account passkey, such as backup codes, email recovery, or administrator intervention.
Passkeys remove passwords and are more secure, but they are also more complex. This increases user frustration, support load, and dependency on technical people. In fact, passkeys do not eliminate some of the admin problems; they shift them towards website administrators and helpdesk teams.
Users and their devices
Most users have more than one device. They access the website from their work laptop or computer, personal laptop, tablet, and mobile. So as a website owner, you need to support multiple passkeys per user. However, this adds more complexity and friction.
Also, the distinction between synced and device-bound passkeys is not obvious. It becomes an issue when users register only one device and only realise the limitation when they lose access to that device or it stops working.
So, are passkeys ready for WordPress?
Technically, yes. Browser support is there, device support is there, the standards are solid, and there are a number of plugins that already support them. However, that is only part of the picture. User understanding is still limited and is the biggest showstopper. Also, the user experience is not consistent.
Should you implement and use passkeys on your WordPress website?
Passkeys are a good fit if:
- Your users are comfortable with modern devices
- You are willing to guide users through setup
- You or your team can handle an increase in helpdesk issues
- You want to take security to the next level
You should NOT implement passkeys if:
- Your website users already struggle with basic login issues
- There is no clear and easy-to-follow recovery process
- You expect a fully hands-off solution
Where are we heading with passkeys, WordPress, and WP 2FA?
We added passkeys support in WP 2FA because they are a solid solution and this is the direction things are moving in, not because they replace everything else.
Passkeys can:
- Act as a primary authentication method
- Be part of a broader two-factor setup
For some sites, enabling passkeys today makes sense. For many others, a gradual rollout alongside traditional two-factor authentication and strong password and login security policies is still, by far, the most practical approach.
The goal with passkeys is not to force a new method, but to give site owners better options without breaking usability.
My final thought
Passkeys are a real improvement. They remove entire classes of attacks that we have been dealing with for years. But they are not a silver bullet, and passwords are here to stay, at least for the next few years.
Passkeys introduce new trade-offs and new user experience and operational challenges. In WordPress, we are in that in-between phase. The technology is ready, but the ecosystem and the users are still catching up.
If you’d like to learn more about this subject specifically, I’d recommend watching this Melapress Show podcast episode I had with Tim Nash about passkeys.