Moving Beyond Passwords to Passkeys: A Revolution in Digital Identity


May 1, 2025, marked the first World Passkey Day, replacing what had been recognized for over a decade as World Password Day. This annual security awareness day has been observed on the first Thursday of May and was originally launched in May 2013 by Intel to promote better password practices.

The renaming of the security awareness holiday in 2025 reflects a broader shift in focus from encouraging stronger password practices to advancing more secure alternatives, such as passkeys, that eliminate the need for passwords entirely.

This change follows years of growing industry support for password-less authentication, including the use of biometrics, device-based authentication and standards such as FIDO2. An early example of this direction can be seen in Microsoft’s 2018 blog post “Building a world without passwords,” which outlined its support for moving away from password-based systems toward more secure alternatives.

Why Passkeys?

Passkeys are being adopted across websites, mobile applications, desktop environments and email platforms. They are intended to address common weaknesses in the use of passwords, while offering a more secure and user-friendly login experience.

Passwords have several limitations:

  1. Repetition: Many users reuse the same password across multiple sites. A breach on one service can expose other accounts to risk.
  2. Weakness: Passwords are often simple or follow predictable patterns, making them vulnerable to automated guessing or brute-force attacks.
  3. Theft: Passwords can be stolen through phishing or malware, or leaked in data breaches. If someone obtains your password, they can log in as if they were you.

The core problem is that passwords are shared secrets. They are pieces of information known to both the user and the system they are logging into. Logging in means transmitting this secret for verification. So if someone else gains access to it, they can do the same.

Accordingly, simply entering a username and password does not provide strong assurance that the person logging in is who they claim to be, which is the goal of robust authentication.

Passkeys are different. When a passkey is created:

  1. A pair of keys is generated: a private key and a public key. The public key is shared with the online service. The private key stays on the user’s device.
  2. The private key is protected by the user’s fingerprint, face recognition or PIN, depending on the device settings.
  3. When the user tries to sign in, the service sends a one-time request to the device.
  4. The device uses the private key to respond to the request, and the service uses the public key to verify that the response is valid.

The public key is not secret. It is meant to be shared. What matters is that only the private key can generate the correct response.

This method avoids sending shared secrets during authentication. It is designed to reduce the risks associated with passwords, including phishing, reuse of credentials and automated attacks.
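
The four steps above can be modeled in a few lines of Node.js. This is an added example, not code from HIMSS or the FIDO2 specifications: the Device and Service classes, the user name and the two .test origins are constructed for illustration, the signed bytes are a simplification of the real WebAuthn message format, and the biometric or PIN check in step 2 is left out.

```javascript
// Added illustration: simplified model of a passkey sign-in, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Bytes the device signs: the origin it is talking to plus the one-time challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), challenge]);

class Device {                                  // hypothetical stand-in for the user's device
  constructor() { this.privateKeys = new Map(); }
  register(origin) {                            // step 1: one key pair per service
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
    this.privateKeys.set(origin, pair.privateKey); // private key stays on the device
    return pair.publicKey;                         // public key is shared with the service
  }
  respond(origin, challenge) {                  // step 4: answer the one-time request
    const key = this.privateKeys.get(origin);
    if (!key) return null;                      // no passkey for this origin: nothing to sign
    return crypto.sign('sha256', signedData(origin, challenge), key);
  }
}

class Service {                                 // hypothetical stand-in for the online service
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  issueChallenge(user) {                        // step 3: fresh random request per sign-in
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                  // a challenge can be used only once
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !signature) return false;
    return crypto.verify('sha256', signedData(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const service = new Service('https://login.example.test'); // constructed origin
  const device = new Device();
  service.enroll('alice', device.register(service.origin));
  const sig = device.respond(service.origin, service.issueChallenge('alice'));
  const login = service.verify('alice', sig);   // genuine sign-in
  service.issueChallenge('alice');
  const replay = service.verify('alice', sig);  // captured response against a new challenge
  const lookalike = device.respond('https://login.examp1e.test', crypto.randomBytes(32));
  return { login, replay, lookalike };
}
```

A captured response is useless against the next challenge, and the device has nothing to offer a lookalike origin, which is where the resistance to replay and phishing comes from.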

What Is FIDO2?

Passkeys are based on the FIDO2 standard, developed by the FIDO Alliance and the World Wide Web Consortium (W3C).

FIDO2 enables password-less sign-ins using methods such as biometrics or PINs. It ensures that the information used to verify identity is unique to each service and not reused elsewhere.

A Call to Action

The shift toward stronger authentication is both technical and strategic. The continued use of passwords, with their known weaknesses, exposes individuals and organizations to unnecessary risk.

“Now is the time for change,” said Lee Kim JD CISSP CIPP/US, Senior Principal Cybersecurity and Privacy, HIMSS. “We must move away from legacy passwords and support robust phishing-resistant multi-factor authentication or robust password-less authentication. Identity is the foundation of security.”

This transition requires a commitment to solutions that improve the security of user accounts while also enhancing usability. Moving forward, authentication must provide both assurance and ease of use without relying on secrets that can be stolen or guessed.
