It’s 2025 and the Shai-Hulud supply chain attacks are rolling over the npm ecosystem. It’s a wake-up call. The worm exposes how poorly many developers handle security. I too work with npm on a daily basis. I too use insecure practices all over my digital life. I’ve been thinking about improving matters for a while. Shai-Hulud was the final push I needed to take action.
What are Passkeys?
Passkeys are hardware security tokens that follow the FIDO2 / WebAuthn standard. They come in the form of tiny USB sticks with a button.
How are they used?
If you want to log into a supported website, you plug in your passkey. The website performs a cryptographic validation of your key. You have to enter a PIN and touch the key to approve the operation. All of this takes 5 seconds. It works on phones, tablets and computers.
How are they better than passwords?
In many ways. Firstly, they are easier to use. The PIN is easy to remember, easy to type and shared between all websites. Unlike reusing the same password everywhere, this is still safe, because the PIN is only checked by the key itself and is never sent to a website.
Secondly, the secret cannot be extracted from the key, even when you use it on a compromised device. The hardware guarantees this. A password can be copied, and once it has been copied it has to be changed.
Thirdly, they rely on strong cryptography. Brute-forcing the key’s secret is infeasible.
Fourthly, they represent a form of 2-factor verification. The first factor is something you know, the PIN. The second factor is something you have, the physical key. This rules out purely remote attacks on your accounts: criminals need physical access to the USB device. Stealing millions of passwords is easy. Stealing millions of physical USB devices is not.
What if I lose my key?
Then you can no longer use it to access your accounts. There are several workarounds. People usually buy two keys, similar to spare house keys. Both keys are enrolled with every website. In case of loss you use the other key to remove the lost one and enroll a new spare.
What if my key gets stolen?
The thief can try to guess the PIN. If they succeed, they gain full access to your accounts. However, they only get a limited number of attempts, usually 8. One more wrong guess and the passkey irrecoverably deletes all its secrets. In practice, this makes the key uncrackable for a random thief who knows nothing about you.
Isn’t it impractical having to enroll both keys with every new website?
Frankly, yes. The solution is using a password manager and protecting it with the passkey.
Which ones did you get?
I got YubiKey 5C keys. The hardware quality is very good. I’ve got the more expensive version that supports more protocols than FIDO2. I want to experiment with OpenPGP, for example. For almost everyone the Security Key series does the trick, and it costs only half as much.
There are many more though. I’ve also tried Winkeo2 Keys from Neowave. They work equally well and are produced in France. Finally, there is Nitrokey, whose keys are produced in Germany and are open-source. I’d buy from them if I hadn’t already bought my keys.
Which websites support them?
Every day there are more of them. All the big ones support them: Google, Microsoft, GitHub, Amazon, …
Which operating systems / browsers support them?
To make it short, all of them. I’m using Linux, macOS, Firefox and Firefox on Android.
Summary
I’m really happy with how the keys simplify my daily logins. On top of that, the added security is massive. There’s no reason not to use them nowadays, especially in combination with a good password manager.