Why I Fell in Love with Passkeys—and Why You Should Too

Dan Cerceo


As a CISO, I spend an unreasonable amount of time thinking about passwords, MFA and the messy world of access and authentication. It’s the kind of mental overhead that never really goes away, because passwords never really go away.

They’re reused. They’re weak. They’re phished. They’re forgotten. They’re reset. They’re stored in spreadsheets. They’re shared in Slack. They’re the root of so many security headaches.

So when I first learned about passkeys, it sounded too good to be true.
No more passwords? No more phishing? No more “forgot my password” loops?
I was skeptical. Then I tried them. And I fell in love.


What Are Passkeys?

They are a modern, phishing-resistant way to log in to websites and apps, without ever needing to type a password. They’re built on public-key cryptography and standardized by the FIDO Alliance, meaning they work across platforms and devices.

Here’s how they work:

  • When you create a passkey, your device generates a private key (stored securely on your device) and a public key (shared with the website).
  • When you log in, the site challenges your device to prove it has the private key.
  • You authenticate using biometrics (Face ID, fingerprint) or a PIN.
  • No password is typed. No secret is transmitted. No phishing is possible.

It’s fast, secure, and surprisingly delightful.
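The challenge-response steps above can be modeled in a few lines of Node.js. This is an added example, not code from Assumed or from the FIDO specifications, and it is a simplified model: real WebAuthn signs authenticator data plus a hash of the client data, and the browser enforces the site binding. The function names and the `example.com` / `example.net` hosts are assumptions made for the illustration.

```javascript
// Added example: a simplified model of a passkey login, not a WebAuthn implementation.
const nodeCrypto = require('node:crypto');

// Registration: the device makes a key pair scoped to one site; only publicKey goes to the site.
function createPasskey(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device side: sign the site's challenge together with the origin the browser actually sees.
function signAssertion(passkey, challenge, origin) {
  if (new URL(origin).hostname !== passkey.rpId) return null; // no passkey for this site
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Site side: check origin, challenge freshness, then the signature against the stored public key.
function verifyAssertion(assertion, publicKey, expectedChallenge, expectedOrigin) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== expectedChallenge.toString('base64url')) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

// Constructed scenario; the example.com / example.net hosts are placeholders.
function runDemo() {
  const site = 'https://app.example.com';
  const passkey = createPasskey('app.example.com');
  const challenge1 = nodeCrypto.randomBytes(32);
  const challenge2 = nodeCrypto.randomBytes(32);

  const good = signAssertion(passkey, challenge1, site);
  // A look-alike page relays the real challenge, but the device sees a different origin.
  const lookAlike = signAssertion(passkey, challenge1, 'https://app.example.net');
  // A captured assertion edited to carry the new challenge no longer matches its signature.
  const edited = { ...good, clientData: JSON.stringify({ challenge: challenge2.toString('base64url'), origin: site }) };

  return {
    legitimate: verifyAssertion(good, passkey.publicKey, challenge1, site),
    lookAlikePage: verifyAssertion(lookAlike, passkey.publicKey, challenge1, site),
    replayed: verifyAssertion(good, passkey.publicKey, challenge2, site),
    edited: verifyAssertion(edited, passkey.publicKey, challenge2, site),
  };
}

console.log(runDemo());
```

Only the first case verifies. The site stores nothing but the public key, so its database holds no secret that could be used to log in.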

Why They Are So Cool

  • No passwords to remember: You log in with your face, fingerprint, or device PIN. That’s it.
  • Phishing-resistant by design: Passkeys only work on the site for which they were created. Fake login pages? Useless.
  • Cross-device sync: Passkeys sync across your devices using iCloud Keychain, Google Password Manager or Windows Hello.
  • No shared secrets: Unlike passwords, your private key never leaves your device. Even if a site is breached, your passkey can’t be stolen.
  • Faster logins, fewer support tickets: No more “reset my password” emails. No more MFA fatigue.

Passkeys at Assumed

At Assumed, we implemented MFA from day one. However, we wanted to provide a better experience for our users, especially those using Assumed Seeds to vet vendors and monitor data behavior.

So we rolled out support for this new technology as early as we could.

It’s now the default login method for our platform.

No passwords. No friction. Just secure, seamless access.

Our users love it. And honestly, I get frustrated when other apps I use don’t support passkeys yet.


Apps That Should Support Passkeys (But Don’t)

Let me vent for a second.

I use the AWS Console daily. It’s 2025. And as far as I can tell, it still doesn’t support passkeys, at least not in Identity Center. I’d love to log in with Face ID instead of juggling long passwords and MFA codes.

Other popular apps that still haven’t embraced passkeys (but should):

  • Slack – Still password-based, even for enterprise users.
  • Zoom – MFA is available, but no passkey support is provided.
  • Banking apps – Many banks still rely on passwords and SMS codes.

We’re in a transition period. But the sooner these platforms adopt passkeys, the better for everyone.

Apps That Do Support

Here’s a short list of major SaaS platforms and apps that already support passkeys:

How to Set Up a Passkey

Setting up a passkey is easier than you think. Here’s the general flow:

  1. Go to your account’s security settings (e.g., Google > Security > Passkeys).
  2. Click “Create a passkey.”
  3. Choose where to store it—your device will suggest iCloud, Google Password Manager, or Windows Hello.
  4. Authenticate with Face ID, fingerprint, or PIN.
  5. Done. You’ll now see “Sign in with passkey” next time you log in.

You can create passkeys on multiple devices for the same account. That way, you’re never locked out if you lose one.

For a general walkthrough of passkeys, refer to this beginner’s guide.

Final Thoughts

Passkeys aren’t just a cool feature; they’re a more secure way to authenticate.

They reduce risk, improve user experience and eliminate the weakest link in most security programs: passwords.

If you see the option to “Sign in with passkey,” try it.

If your favorite app doesn’t support this yet, ask them why not.

And if you’re building a product, make this part of your roadmap.

At Assumed, we’re all in.

Because security should be simple, and this new method makes it so.


Create a free Assumed account and try logging in.
No passwords. No friction. Just clarity.
