The counterintuitive security of passkeys
When Martin Avis from Chester wrote to the Guardian earlier this month asking why a simple smartphone PIN could be considered safer than a complex password, he was asking exactly the right question. The short answer is that passwords and passkeys protect against fundamentally different threat profiles — and that distinction is why security experts have broadly shifted toward recommending passkeys.
What makes a passkey different
Traditional passwords are what the FIDO Alliance calls a "shared secret": you know the password and the server must be able to check it, so a copy of the secret (or a hash of it that can be cracked offline) sits on the server. That is why a server breach can expose every password in the database, and why a phishing page can harvest a password the moment a user types it in: the secret itself is what travels over the wire.
Passkeys work differently. When you create a passkey, your device generates a cryptographic keypair: a private key that never leaves your device, and a public key that is registered with the website or service. When you log in, the server sends a fresh random challenge, your device signs it with the private key, and the server checks the signature against the stored public key. That is proof of possession without transmitting a secret, so a breached server yields only public keys, which are useless for logging in. The second ingredient is domain binding: the credential is tied to the site's domain (its relying party ID), the browser only offers it to pages on that domain, and the origin the user is actually on is included in what gets signed. Together these make passkeys phishing-resistant by design (FIDO Alliance, How Passkeys Work).
According to the 2024 Verizon Data Breach Investigations Report, which examined more than 30,000 incidents, 68% of breaches involved a human element such as falling for phishing or making an error, and the median time for a user to fall for a phishing email (click the link and enter their data) was under 60 seconds. A passkey cannot be typed into a fake website, so for passkey-protected accounts credential phishing stops working as an attack class; it does not, on its own, stop malware on the device or hijacking of an already established session.
But what if someone steals your phone?
This is the question Martin Avis asked, and it is the most legitimate challenge to the "passkeys are safer" narrative. When someone physically possesses your device, the threat model changes.
The answer lies in layers of protection that the major platforms have built. Apple's Stolen Device Protection for iPhone and Google's Identity Check for Android require biometric authentication (Face ID, Touch ID or fingerprint) for sensitive actions such as viewing saved passwords and passkeys or changing account security settings, with no fallback to the device PIN, when the phone is away from a location the user has marked as trusted. They are designed for exactly the scenario where a phone and its PIN are compromised together. Both are opt-in, so a user who wants this protection needs to turn it on before the phone goes missing.
On PIN brute-forcing specifically: both iOS and Android impose escalating delays after repeated wrong PIN entries (iOS can also be set to erase the device after ten failures), and the most sensitive operations require a biometric check that is hard to spoof at scale. The private key behind a passkey is stored in dedicated security hardware (the Secure Enclave on iPhone, a hardware-backed keystore or StrongBox on Android, a TPM on many PCs) that is designed to resist extraction even if the main operating system is compromised; the key is used inside that hardware and only signatures come out.
The Guardian's reader column cited the National Cyber Security Centre as recommending passkeys, consistent with guidance from the FIDO Alliance and major platform vendors.
What happens when you lose your phone?
The account recovery question is a real consideration. If your phone is genuinely gone, not stolen, just lost, you need a path back into your accounts. This is where synced passkeys, stored in iCloud Keychain or Google Password Manager, provide a practical answer: they are end-to-end encrypted and sync to a new device once you sign in to your Apple or Google account and pass its recovery checks, so access survives the loss of the original device. (This is the one qualification to "the private key never leaves your device": with synced passkeys it leaves only inside that encrypted sync fabric.) Device-bound credentials on a hardware security key are stronger in that respect, but the private key cannot be copied off the key at all, so you must register a second key as a backup in advance; that makes them better suited to high-value accounts than to everyday use.
Are passkeys actually unphishable?
The term "unphishable" is sometimes used by the FIDO industry to describe passkeys, and it refers specifically to the phishing attack class. Because the credential is bound to the domain it was registered for, the browser will not offer it to fake-site.com at all, even if that page is a pixel-perfect copy of the real site; and if a phishing page relays the real site's challenge, the origin the browser records in the signed data does not match, so the real server rejects the response. State-level actors with physical access to your device are a different and more capable threat category, but that population faces risks that go well beyond online banking credentials.
The consensus among standards bodies and platform vendors is that passkeys represent a meaningful security upgrade for most users. The trade-off, accepting a threat model centered on physical device security, is one the broader security community considers a favorable exchange for removing the credential phishing and password reuse attacks that dominate today's breach landscape.