Passkeys Explained: The Password Replacement You Need to Understand
Passkeys are replacing passwords with phishing-resistant, biometric-backed authentication. Learn what passkeys are, how they work, and which services support them.
What Are Passkeys
Passkeys are a new form of authentication designed to replace passwords entirely. Backed by Apple, Google, Microsoft, and the FIDO Alliance, passkeys use public-key cryptography to authenticate you — the same technology used by hardware security keys, but built into your devices with biometric verification.
Instead of remembering a password, you authenticate with your fingerprint, face scan, or device PIN. There's nothing to type, nothing to remember, and nothing that can be phished.
The key insight: Passwords are "shared secrets" — both you and the website know the password (or at least its hash). This means passwords can be stolen from either end (your device or the server). Passkeys are based on asymmetric cryptography — the website stores only your public key, which is useless to an attacker. The private key stays on your device and is never transmitted.
Industry support:
- Apple: Passkeys in iCloud Keychain (synced across Apple devices via iCloud)
- Google: Passkeys in Google Password Manager (synced across Android and Chrome)
- Microsoft: Passkeys in Windows Hello (synced via Microsoft account)
- Password managers: 1Password, Bitwarden, Dashlane, and others also support storing passkeys (enabling cross-platform sync)
How Passkeys Work
Passkeys use the WebAuthn standard (the same protocol used by hardware security keys) with one key difference: the credential is stored on your device (or synced across devices) rather than on a separate physical key.
Creating a passkey (registration):
- You visit a website that supports passkeys and choose "Create a passkey"
- Your device generates a unique key pair — a public key and a private key — for that specific website
- The private key is stored in your device's secure enclave (or synced to your cloud keychain)
- The public key is sent to the website and stored with your account
- Your device asks for biometric verification (fingerprint/face) or your device PIN to confirm
Signing in with a passkey:
- You visit the website and select "Sign in with passkey" (or the passkey prompt appears automatically)
- The website sends a challenge (random data) to your browser
- Your browser asks your device to sign the challenge with the stored private key
- You verify with your fingerprint, face scan, or device PIN (this unlocks the key)
- The signed challenge is sent to the website
- The website verifies the signature with the stored public key
- You're signed in — no password entered at any point
Security properties (same as hardware keys):
- Phishing-resistant: The passkey is bound to the website's domain. It won't respond to a phishing site.
- No server-side secrets: The website stores only your public key. A database breach does not compromise authentication.
- Cannot be reused across sites: Each website gets a unique key pair. There's no "password reuse" equivalent.
- Biometric verification is local: Your fingerprint/face data never leaves your device. The website only receives the cryptographic signature.
Passkeys vs Passwords
Here's how passkeys compare to passwords across every security dimension:
| Concern | Passwords | Passkeys |
|---------|-----------|----------|
| Phishing | Easily phished (user types password on fake site) | Phishing-proof (origin-bound cryptography) |
| Data breaches | Password hashes can be cracked if server is breached | Only public keys on server; useless if breached |
| Reuse | Users reuse passwords across sites | Unique key pair per site; no reuse possible |
| Brute force | Weak passwords can be guessed | No password to guess; cryptographic challenge-response |
| Credential stuffing | Reused passwords enable automated attacks | Not applicable; no shared secret to stuff |
| Keyloggers | Capture every keystroke including passwords | Nothing typed; biometric or PIN is local |
| Social engineering | "What's your password?" works (sometimes) | No password to reveal |
| User friction | Must remember/type complex passwords | Fingerprint or face scan |
| Account recovery | Password reset via email | Synced across devices; recovery through cloud account |
The convenience advantage: Passkeys are not only more secure — they're also easier to use:
- No passwords to create, remember, or type
- No 2FA codes to enter — the passkey replaces both the password and the second factor
- Sign-in takes 2-3 seconds (biometric scan → done)
- No password manager popup to fill — the OS handles everything natively
Does this mean passwords are dead? Not yet. The transition will take years. Passwords will coexist with passkeys for the foreseeable future because:
- Not all services support passkeys yet
- Some environments (shared computers, kiosks) don't work well with passkeys
- Enterprise adoption requires policy and infrastructure changes
- Users need time to understand and trust the new system
During this transition, strong passwords remain essential. Generate unique passwords for services that don't yet support passkeys using our password generator.
Passkey Storage Providers
Passkeys need to be stored somewhere secure and (ideally) synced across your devices. The major providers:
Apple iCloud Keychain:
- Syncs passkeys across all Apple devices (iPhone, iPad, Mac) via iCloud
- End-to-end encrypted — Apple cannot access your passkeys
- Protected by device biometrics (Face ID, Touch ID) or device passcode
- Limitation: Primarily works within the Apple ecosystem. Can be used on Windows/Android via QR code (but not as seamless)
Google Password Manager:
- Syncs passkeys across Android devices and Chrome browsers
- End-to-end encrypted with the Google Password Manager PIN
- Works in Chrome on any platform (Windows, macOS, Linux, ChromeOS)
- Limitation: Best experience on Android and Chrome. Other browsers have varying support.
Windows Hello:
- Stores passkeys locally on the Windows device
- Protected by Windows Hello (PIN, fingerprint, face recognition)
- Limitation: Does not sync across devices by default (device-bound). Microsoft is working on cross-device sync.
1Password:
- Stores passkeys alongside traditional passwords
- Syncs across all platforms (iOS, Android, Windows, macOS, Linux, browser extensions)
- End-to-end encrypted
- Advantage: Cross-platform sync works everywhere, regardless of Apple/Google/Microsoft ecosystem
- Limitation: Requires a 1Password subscription ($36/year)
Bitwarden:
- Open-source password manager with passkey support
- Syncs across all platforms via browser extension and apps
- End-to-end encrypted
- Advantage: Open source, cross-platform, free tier available
- Limitation: Passkey support added more recently; experience is evolving
Our recommendation: Use your platform's native provider (Apple/Google) for the seamless experience within that ecosystem. If you use devices across multiple ecosystems (e.g., iPhone + Windows laptop), store passkeys in a cross-platform password manager like 1Password or Bitwarden.
Services Supporting Passkeys
Passkey adoption has accelerated rapidly. As of early 2026, major services supporting passkeys:
Full passkey support (can replace password entirely):
- Apple
- Microsoft
- GitHub
- Shopify
- Best Buy
- Kayak
- PayPal
- eBay
- Nintendo
- Robinhood
Passkey as additional sign-in method (password still required for some operations):
- Amazon
- Adobe
- Coinbase
- X (Twitter)
- TikTok
- Discord
- Uber
- Target
- Cloudflare
Password managers supporting passkey storage:
- 1Password
- Bitwarden
- Dashlane
- NordPass
- Enpass
Checking current support: Visit passkeys.directory for a comprehensive, regularly updated list of services supporting passkeys.
The number of supporting services roughly doubles each year. By the time you read this, the list may be significantly longer.
How to Set Up Passkeys
Setting up a passkey on Google:
- Go to myaccount.google.com → Security → Passkeys
- Click "Create a passkey"
- Your browser/OS will prompt you to verify with biometrics or PIN
- The passkey is created and stored in your iCloud Keychain, Google Password Manager, or password manager
Setting up a passkey on Apple ID:
- On iPhone: Settings → [Your Name] → Sign-In & Security → Passkeys
- On Mac: System Settings → [Your Name] → Sign-In & Security
- Follow the prompts to create a passkey, verified with Face ID or Touch ID
Setting up a passkey on GitHub:
- Settings → Password and authentication → Passkeys
- Click "Add a passkey"
- Verify with your device biometrics
- The passkey is registered
General passkey setup flow (any service):
- Navigate to the service's security/authentication settings
- Look for "Passkey," "Passwordless," or "FIDO2"
- Click "Add passkey" or "Create passkey"
- Your browser triggers the WebAuthn ceremony
- Your OS/password manager asks you to verify (fingerprint, face, PIN)
- The passkey is created and stored
Tips for a smooth setup:
- Keep your OS and browser updated (passkey support improves with each update)
- If using a password manager for passkeys, ensure its browser extension is active
- Create passkeys on the device you use most for that service
- Keep your password as a fallback until you're confident passkeys work reliably
- Register passkeys in multiple providers (e.g., both iCloud Keychain and 1Password) for redundancy
Current Limitations
Passkeys are the future of authentication, but the present has real limitations:
Cross-platform complexity. If you create a passkey on your iPhone (stored in iCloud Keychain) and want to use it on your Windows laptop, you need to scan a QR code with your phone. This works but is less convenient than a native experience. Using a cross-platform password manager solves this.
Shared devices. Passkeys don't work well on shared or public computers. You can sign in via your phone (QR code + Bluetooth proximity), but it's slower than typing a password.
Not all services support passkeys. Major services are adopting quickly, but your bank, local utility, government portals, and smaller services may still only support passwords.
Enterprise adoption is complex. Organizations need to manage passkey policies, recovery, and provisioning at scale. Enterprise MDM (Mobile Device Management) solutions are catching up but aren't all fully ready.
Recovery if all devices are lost. If you lose every device with your passkey and don't have a cross-device sync (or your sync account is locked), recovery depends on the platform:
- Apple: Recover iCloud Keychain with Apple ID recovery
- Google: Recover with Google account recovery methods
- Password manager: Recover with master password + 2FA
This is an improvement over hardware-key-only scenarios (where losing the key means losing access), but it shifts the security to your cloud account — which must itself be well-protected.
Bluetooth requirement for cross-device. When using a passkey from your phone on a computer (via QR code), Bluetooth is required for proximity verification. Some environments (corporate offices, older hardware) may have Bluetooth restrictions.
The Future of Passkeys
Where passkeys are heading:
Universal adoption. The FIDO Alliance's goal is to make passkeys the default sign-in method for all web services. With Apple, Google, and Microsoft aligned, the infrastructure is in place. Services will increasingly offer "Sign in with passkey" as the primary option, with passwords as a legacy fallback.
Improved cross-platform experience. The QR code + Bluetooth flow for cross-device authentication is functional but not ideal. Expect improvements in the protocol and in OS-level support to make cross-ecosystem passkeys more seamless.
Third-party passkey providers. Password managers as passkey providers (1Password, Bitwarden) solve the cross-platform problem definitively. Expect this to become the standard approach for users with mixed-ecosystem devices.
Passkey portability. Currently, moving passkeys between providers (e.g., from Apple to Google) is difficult. The FIDO Alliance is working on a credential exchange protocol that would allow exporting and importing passkeys between providers.
Enterprise integration. MDM solutions, identity providers (Okta, Azure AD, AWS IAM), and enterprise security tools are adding passkey management features. Organizations that currently require hardware security keys may transition to managed passkeys.
Passwordless by default. Some services have already started offering passwordless account creation — no password is ever set. This eliminates the "password as fallback" problem and fully commits to passkey-based authentication.
What to do now:
- Create passkeys on every service that supports them
- Keep your passwords strong (via our password generator) for services that don't yet support passkeys
- Use a cross-platform password manager if you have devices across multiple ecosystems
- Stay informed — the passkey landscape evolves rapidly
Passkeys represent the most significant improvement in consumer authentication since the invention of passwords. They're phishing-proof by design, eliminate the entire category of password-related breaches, and are actually easier to use than the passwords they replace. While the transition is still underway and cross-platform friction exists, the direction is clear: passwords are being replaced. Start creating passkeys today on every service that offers them, and keep strong passwords for the rest.