https://www.theguardian.com/lifeandstyle/2026/jun/14/readers-reply-experts-say-we-should-use-passkeys-but-can-a-smartphone-pin-really-be-safer-than-a-password

A lively reader debate has erupted in The Guardian’s long-running Notes and Queries column after a reader from Chester posed a question that has been quietly nagging at many people navigating the increasingly confusing landscape of digital security: how can a passkey, which can be as simple as a smartphone PIN or facial recognition scan, genuinely be safer than a complex password combined with two-factor authentication? The question cuts to the heart of widespread public scepticism about passkeys despite their enthusiastic endorsement by bodies including the UK’s National Cyber Security Centre. It prompted a range of responses from readers, spanning genuine technical insight, pragmatic scepticism, and outright suspicion that the whole thing is a scheme by software companies to sell products nobody actually needs.

The most technically substantive responses centred on a fundamental weakness built into the traditional password model known as the shared secret problem. When a user logs into a website using a password, that password must be transmitted to and verified by the website’s server, meaning a copy of it, or a value derived from it, necessarily exists on infrastructure outside the user’s control. If that server is compromised, the password can be extracted and reused by an attacker without the account holder ever knowing. Passkeys sidestep this problem entirely through a mathematical approach in which only the result of a cryptographic calculation is sent to the website during authentication, never the passkey itself, meaning a server breach yields nothing an attacker can use to impersonate the account holder elsewhere. The passkey remains stored locally on the user’s device and is unlocked through a PIN or biometric, combining strong underlying cryptographic security with everyday convenience.

Several readers raised practical concerns that reflect the genuine friction points passkeys introduce for ordinary users, including the implications of a stolen or lost phone, the challenge of accessing accounts across multiple devices, and the difficulty of recovering access when all devices have been lost simultaneously. One reader noted that while a hacked password may go undetected for months or years, a stolen phone is typically noticed almost immediately, allowing the owner to revoke associated passkeys before they can be abused, a meaningful practical advantage that the raw technical comparison between PINs and passwords tends to obscure. Others remained unconvinced, with one reader expressing preference for passwords written on paper in a coded format stored across separate locations, voicing a broader suspicion that the push towards passkeys serves the commercial interests of technology platforms more than it serves ordinary users.

The debate shows that despite passkeys representing a genuine security advancement, widespread adoption will depend not just on technical superiority but on building public understanding and trust in a concept that remains counterintuitive to many people conditioned to equate security with complexity and length of passwords.

Discover more from Edwin Kwan