The German government has set out plans to replace passwords with passkeys as the main authentication method, with the latter being seen as more secure, phishing-resistant and user-friendly.
An announcement from the BSI (Germany’s Federal Office for Information Security) was accompanied by draft guidelines (BSI TR-03188) detailing how passkeys pair a public key stored by the website with a private key stored on the user’s device.
Device-bound passkeys (stored locally and linked to a device) and synced passkeys (stored in an encrypted cloud for multi-device access) were both noted as acceptable authentication methods.
Germany wants to standardize passkey use
Because passkeys are account-specific, they cannot be reused across multiple sites, instantly boosting security. Despite best practice guidance, it’s a fact that many of us still use the same passwords across multiple accounts for ease. But because passkeys are stored on-device or in the cloud, users won’t need to remember one for every account.
Passkeys are also resistant to man-in-the-middle attacks and phishing attempts, because they require a user’s own private key to be used from an approved device.
“We must make cybersecurity as simple as possible and at the same time robust. Passkeys are a perfect example of how to meet technical challenges with technical solutions. The future belongs to them,” BSI President Claudia Plattner said (translated).
Still, the BSI recognizes that there’s a long way to go. A 2024 report found that only 38% were familiar with passkeys, and adoption only stood at 18%. There’s also the fact that passkeys were slow to take off, with few websites offering the option to generate a passkey-based login during the early days.
Today, though, Germany’s government isn’t the only body recognizing the benefits.
In May 2025, Microsoft declared it would be making all new accounts passkey-accessible by default – eventually this is expected to extend to existing accounts too.