Cybersecurity Undergraduate Journal

I do the research – so you don't have to.

What are Passwords and Passkeys

Passwords, Codes, and Passkeys: What’s the Difference?

Online security gets explained badly. A lot. Terms get mixed up, people panic, and then everyone just reuses the same password again. Let’s fix that.

Passwords

A password is something you know.
It’s the oldest and weakest way to log in because:

  • People reuse them
  • They can be guessed or stolen
  • They leak in data breaches

Why passwords still matter (even though we hate them)

A password is usually the first lock on your account. If it’s weak, everything else you add later is just a polite suggestion.

Bad passwords:

  • Your name, pet, birthday, postcode
  • “password123”
  • The same password reused everywhere

If one website gets hacked, criminals try the same password on your email, bank, shopping sites, and social media. This works far more often than people like to admit.

Good passwords:

  • Long rather than clever
  • A few random words are better than symbols you’ll forget

    Example: coffee-LAMP-bus(window)

You don’t need to remember dozens of these. That’s what password managers are for.

Long and unique passwords help, but they still need backup.

2SV – Two-Step Verification

2SV means there are two steps to log in.

Example:

  1. Enter your password
  2. Approve a notification or enter a code

Both steps might rely on the same type of proof. It’s better than a password alone, but it’s about steps, not strength.

2FA – Two-Factor Authentication

2FA means two different kinds of proof.

Common factors:

  • Something you know: password
  • Something you have: phone or code
  • Something you are: fingerprint or face

Example:

  • Password + code sent to your phone

This is much stronger because stealing one thing isn’t enough.

MFA – Multi-Factor Authentication

MFA is the umbrella term.

It means:

  • Two or more factors
  • Sometimes extra checks if something looks risky (new device, location, time)

Most modern accounts use MFA behind the scenes, even if they don’t call it that.

Passkeys

A passkey is a digital key stored on your device.
It replaces passwords entirely.

To use a passkey, you unlock your device with:

  • Face recognition
  • Fingerprint
  • Or a device PIN

Important:
Your face, fingerprint, or PIN is not sent to the website. It only unlocks the passkey on your device. The website just gets proof that the correct key was used.

Are passkeys the same as biometrics?

No.

  • Passkey = the digital key
  • Biometrics or PIN = how you’re allowed to use that key

A helpful way to remember it:

The passkey is the key. Your face or fingerprint is the lock.

Are passkeys 2FA or MFA?

Effectively, yes.

A passkey already uses:

  • Something you have (your device)
  • Something you are or know (biometrics or PIN)

Even though it feels like one step, it’s already multi-factor in practice.

What about changing phones?

This is a common worry.

Many password managers can store passkeys, not just passwords. Built-in phone managers can also sync them securely. This means you can upgrade or replace a device without losing access to your accounts.

To summarise

  • Passwords are weak on their own
  • 2SV, 2FA, and MFA exist to protect passwords
  • Passkeys remove the password entirely
  • Biometrics unlock passkeys, they don’t replace them
  • Passkeys are safer and easier for most people

Security finally moved in a direction that reduces mistakes instead of blaming users. About time.

Further Information:

Take your email security to another level

https://www.ncsc.gov.uk/cyberaware/home

Test your password strength

https://bitwarden.com/password-strength

Watch on YouTube: What is a Passkey? by Computerphile (Published 22nd Dec 2025)