Most of us use passwords every day, but many of us struggle to manage them. We reuse them, forget them and store them in ways we know we shouldn’t (we’ve seen the Post-it notes on monitors!). This can leave us as charities exposed to phishing and account takeover, still one of the most common causes of data breaches.

Passkeys are beginning to replace passwords across many familiar services. They’re designed to be easier to use and much harder for criminals to steal, making them a good option for busy staff and volunteers.

Why passkeys were created

Passwords were never really designed for the way we work today. They came from an era of shared computers, long before cloud platforms or email phishing existed. Over time we added complexity rules, password managers and multi‑factor authentication (MFA). These helped, but didn’t solve the problem that passwords can be tricked out of people.

Passkeys were introduced as a way of avoiding this. Instead of typing anything into a login box, your device proves who you are on your behalf. There’s no password to steal, because you never type one.

How a passkey works

When you set up a passkey with a service that supports them, your phone or computer stores a secure key for that account. The next time you sign in, you simply unlock the device in the usual way, with your face, fingerprint or device PIN. The device then confirms your identity to the service.

The key point is that the passkey stays on your device. It isn’t sent across the internet, so it can’t be captured by a fake login page.
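
For readers who want to see the mechanics, here is an added example that is not part of the original article: a simplified Node.js model of a passkey sign-in, not the full WebAuthn protocol. The class names and the example addresses are made up for illustration.

```javascript
const crypto = require('node:crypto');

// The user's phone or computer. Private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); } // site address -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is handed to the service
  }
  // visitedOrigin is the address the browser is really on, not what the page claims.
  signIn(visitedOrigin, challenge) {
    const privateKey = this.keys.get(visitedOrigin);
    if (!privateKey) return null; // no passkey exists for this address
    const clientData = Buffer.from(JSON.stringify({ origin: visitedOrigin, challenge }));
    return { clientData, signature: crypto.sign(null, clientData, privateKey) };
  }
}

// The online service. It stores a public key, which is useless to a thief.
class Service {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  enrol(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = crypto.randomBytes(32).toString('hex'); return this.pending; }
  verify(response) {
    if (!response || !this.pending) return false;
    const expected = this.pending;
    this.pending = null; // each challenge can be answered once only
    if (!crypto.verify(null, response.clientData, this.publicKey, response.signature)) return false;
    const { origin, challenge } = JSON.parse(response.clientData.toString());
    return origin === this.origin && challenge === expected;
  }
}

function demo() {
  const site = new Service('https://mail.charity.example'); // constructed address
  const device = new Device();
  site.enrol(device.register(site.origin));
  // Genuine sign-in: the device signs the fresh challenge for the real site.
  const genuine = site.verify(device.signIn(site.origin, site.newChallenge()));
  // Look-alike page passes on a real challenge, but the device has no key for it.
  const phished = site.verify(device.signIn('https://mail.charity-login.example', site.newChallenge()));
  // A captured response is worthless later, because the challenge has changed.
  const response = device.signIn(site.origin, site.newChallenge());
  const first = site.verify(response);
  site.newChallenge();
  const replayed = site.verify(response);
  return { genuine, phished, first, replayed };
}
console.log(demo());
```

The only things that cross the network are the public key, the random challenge and a signature over it, so a fake page has nothing reusable to collect.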

Where PINs fit into the picture

PINs and passkeys often get bundled together, but they’re not doing the same job.

A PIN unlocks the device, not your online accounts. It never leaves the device and isn’t transmitted anywhere. If you imagine your device as a building, the PIN is the lock on the front door.

A passkey unlocks your account with a particular service. It sits safely inside the device, and the device uses it to identify you online. Sticking with the same analogy, the passkey is a key to one of the rooms inside the building, kept securely out of sight.

Both are important. Without a PIN or screen lock in place, anyone who picks up an unlocked device could use your passkeys. With a strong screen lock, your passkeys remain protected even if the device is lost.

So, to summarise:

The PIN unlocks your device.

The passkey unlocks your account.

They work together, but they’re not the same thing.

Why passkeys are useful for small charities

Charity staff often work quickly across email, document systems and databases. Many juggle multiple roles, switch devices or work remotely. Passkeys remove much of the burden of managing passwords and reduce the chances of someone being caught out by a phishing email.

They also speed things up. Signing in with a fingerprint or face scan is far quicker than trying to remember a long, complex password, especially when you’re working under pressure.

For small teams with limited IT support, this can reduce the number of account lockouts and password reset requests.

A few things to keep in mind

Passkeys are becoming widely supported but they’re not everywhere yet. Some specialist charity systems still rely on traditional passwords.

If your organisation uses shared laptops, you may need to think about how those devices are set up, as passkeys are linked to individual accounts.

It’s also important that devices have a proper lock screen enabled. Passkeys are only as secure as the device they sit on.

Consider backing up or synchronising your passkeys, as there are implications if the device storing them is lost or breaks.

Where you can use them today

Many of the tools charities rely on already support passkeys, including:

  • Microsoft 365
  • Google accounts
  • Password managers such as 1Password and Bitwarden
  • Some banking and authentication apps

If a service supports passkeys, it will usually offer the option the next time you sign in. You choose the device you want to store the passkey on and follow a short setup process.

Before you begin, check that the device has a PIN or biometric lock and that it’s backed up.

Moving towards fewer passwords

Passkeys won’t remove passwords overnight, but they already offer a safer and more straightforward alternative for many everyday tasks. They help protect your organisation against phishing, reduce stress for staff and volunteers and fit naturally into the way most people already use their devices.

As more services adopt them, they’re likely to become a normal part of staying safe online, and an easy win for us as charities looking to strengthen our cyber security without adding extra work.

Further reading

Here are a couple of articles from the National Cyber Security Centre relating to the use of passkeys: