Article

Written by Oscar

What are Passkeys and why should you use them?

The single best way to secure your website is to ensure that anyone with access to the CMS uses multi-factor authentication (MFA) with their username and password or passkeys.

However, which authentication method should you use?

This is a common question I receive, so I’ll provide a concise non-technical explanation here. In the following section, I will use Craft CMS as the example content management system.

The short answer:

Multi-factor authentication

To verify that the username and password you entered are yours, you are asked to provide an additional code that only you have access to.

Passkey

A unique key on your device that only you can use to log into your website or app. It is secured by your device's PIN or your face/fingerprint.

The longer version...

The authentication problem we’re solving

If we rely on just a username and a password, they could be used by someone else. For example, they’re shared via email, stored in a plain text file on a computer, or written down.

We therefore need a way to ensure that someone can’t access the website if they manage to get hold of your username and password.

Two common options to make it more secure include:

Option 1: Add a second way to prove your identity (multi-factor authentication)

You’re probably already using multi-factor authentication, also known as 2FA (two-factor authentication).

With this setup, you verify that this is indeed your username and password by providing a time-sensitive code you receive via SMS, email, a physical device, or an Authenticator app.

Option 2: Log in with a Passkey instead of a username and password

This has been billed as the future of how we log in to websites, and in theory, it is easier to use. Except it has caused a fair amount of head scratching, hence this article!

A Passkey is like a key to the door that only you have. And the lock on the door can’t be picked!

And you can use a different key for each device you use to log in to the respective website, or store your key in a password manager accessible on each device.

It relies on the key being protected by a local password or verified with biometric data (e.g., your face or fingerprint).

Why a Passkey is more secure

With MFA, people understand that your phone (or computer) will produce a one-time code, or you’ll receive a text. You can use this code on any device or even share it with someone else.

With a Passkey, you have to be physically there to approve the use of the actual key to unlock the website. You can’t approve the key if it’s not on a device you are using.

And this is why Passkeys are more secure: they are more resistant to phishing attacks. MFA's weakness is that you can be deceived into handing your authentication code to someone else. For example, you click a link in an email to sign in, enter your details, and then enter your one-time code. You may not realize the website was fake, and within the 30-second window, an attacker logs in to the real site. With a Passkey, an attacker cannot steal your key, and a fake website cannot get your device to use it.
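To make the difference concrete, here is a small added simulation (not code from the article or from Craft CMS) of the two scenarios just described. It models a one-time code that a victim types into a fake site and an attacker relays to the real site within the same 30-second window, and then a Passkey login where the browser reports the site it is actually on, so the device has no key for the lookalike address and nothing useful is produced. The site names "example.com" and "examp1e.com", the user name "oscar" and the fixed timestamp are constructed for the example, and an HMAC is used as a stand-in for the real asymmetric device key so the script runs with the Python standard library only.

```python
import hashlib
import hmac
import os
import struct

# --- Scenario 1: a time-based one-time code (simplified TOTP) -----------------
TOTP_STEP = 30          # the 30-second window mentioned in the article
NOW = 1_700_000_000.0   # constructed timestamp, 20 s into a window


def totp_code(secret: bytes, now: float) -> str:
    """Six-digit code derived from the shared secret and the current window."""
    counter = int(now // TOTP_STEP)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def totp_verify(secret: bytes, code: str, now: float) -> bool:
    return hmac.compare_digest(totp_code(secret, now), code)


def phished_totp_code_is_accepted() -> bool:
    """Victim types the code into a fake site; attacker relays it 5 s later."""
    shared_secret = os.urandom(20)               # constructed enrolment secret
    code_typed_into_fake_site = totp_code(shared_secret, NOW)
    # The real site cannot tell who is typing the code, only that it is valid.
    return totp_verify(shared_secret, code_typed_into_fake_site, NOW + 5)


# --- Scenario 2: a Passkey bound to the site it was created for --------------
class Authenticator:
    """The Passkey holder on the user's device: one key per site address."""

    def __init__(self):
        self._keys = {}  # site address -> device key (HMAC stand-in, an assumption)

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key  # in real WebAuthn the site would receive only a public key

    def sign(self, origin_rp_id: str, challenge: bytes):
        """Browser reports the origin it is on; no key for it means no signature."""
        key = self._keys.get(origin_rp_id)
        if key is None:
            return None
        # The site address is bound into the signed data, not just the challenge.
        return hmac.new(key, origin_rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The real website: issues a fresh challenge and checks the response."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.verifying_keys = {}
        self.pending = {}

    def begin_login(self, user: str) -> bytes:
        challenge = os.urandom(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, signature) -> bool:
        challenge = self.pending.pop(user, None)
        key = self.verifying_keys.get(user)
        if challenge is None or key is None or signature is None:
            return False
        expected = hmac.new(key, self.rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def _setup():
    device = Authenticator()
    site = RelyingParty("example.com")
    site.verifying_keys["oscar"] = device.register("example.com")
    return device, site


def genuine_passkey_login_is_accepted() -> bool:
    device, site = _setup()
    challenge = site.begin_login("oscar")
    return site.finish_login("oscar", device.sign("example.com", challenge))


def phished_passkey_login_is_accepted() -> bool:
    """Lookalike site relays the real challenge, but the browser reports its address."""
    device, site = _setup()
    challenge = site.begin_login("oscar")
    response_from_victim = device.sign("examp1e.com", challenge)  # no key for this site
    return site.finish_login("oscar", response_from_victim)


if __name__ == "__main__":
    print("relayed one-time code accepted by real site:", phished_totp_code_is_accepted())
    print("genuine passkey login accepted:", genuine_passkey_login_is_accepted())
    print("phished passkey login accepted:", phished_passkey_login_is_accepted())
```

The one-time code is accepted because the real site only checks that the six digits are correct, not where they were typed. The Passkey attempt fails before the real site is even involved: the device never had a key for the lookalike address, which is the "you have to be physically there, with the key on your device" property the article describes.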

From the chats I’ve had, some people’s fear about using Passkeys stems from confusion about how to log in to the same website on different devices. The best way to overcome this is to try it out using a test account and get the hang of using the Passkey.

Conclusion

  • Use a Passkey to log in whenever the option is available.
  • Store keys securely in your chosen password manager, whether it's cloud-based, device-based, or hardware-based.
  • If a Passkey is not an option, then MFA is still a great way to secure your account, but be aware of phishing attacks. If unsure, always go directly to a website in a browser rather than clicking links sent to you.

Using a Passkey with Craft CMS

As a quick reminder, if you are already using MFA to log into your website, the process looks as follows:

To use a Passkey, click on the "Sign in with a passkey":

This will bring up a dialog box in your browser. Exactly how it looks will depend on your browser and how you decided to store your Passkey. You will likely either be using the built-in browser password manager or a separate password manager that has an extension for your preferred browser.

Once you've clicked "Sign-in" you'll be into the CMS and ready to go!

How to set up a Passkey with Craft CMS

The first thing to do is sign in using the standard username and password you set up when you activated your account.

Step 1: Navigate to the Passkey settings

You'll find this in your account section:

  • Click on your user icon top right.
  • Click your email address which takes you to your profile.
  • Select "Passkeys" in the "Account & Security" section in the second menu column from the left.

Step 2: Click "Add a passkey"

You will be prompted to verify your account. If you already had MFA set up, you'll need to use your authenticator too.

Step 3: Give your Passkey a name

This allows you to identify the key in your Craft control panel. It could be the name of the device or password manager you're using.

Step 4: Save your Passkey

This will depend on your exact setup. But if you have a password manager set up, you will be prompted to save it, either to a new or an existing login.


Step 5: You're done, just check it appears in your list!

You will now see your new key listed as a new Passkey. We recommend testing it out by logging out of your account and logging in again using your new Passkey.
