Every few months I get an email from a site I joined years ago telling me my password turned up in a breach. It is exhausting — and it is the same problem billions of people face daily. Passwords can be guessed, phished, or leaked, and most people reuse the same few across dozens of accounts. The single most powerful shift you can make right now is switching to passkeys, a login standard that works without any shareable secret.
Passkeys have been rolling out across Google, Apple, Microsoft, and hundreds of major sites since 2022. If you have used Face ID to sign into an app recently, you may have already used one without realising it. This guide explains exactly what a passkey is, how the technology works, and how to create your first one in about 90 seconds today.
Quick Answer
A passkey is a login credential stored on your device — phone, laptop, or tablet — that uses your biometrics or PIN to prove it is really you. There is no password to type, steal, or forget. The site never receives a secret; it only confirms your device approved the login.
Passkeys work by combining a device-held private key with biometric approval, so there is nothing for a phisher or a data breach to steal.
What Is a Passkey, Exactly?
A passkey is a pair of cryptographic keys. One half — the private key — lives on your device and never leaves it. The other half — the public key — is stored on the website’s server. When you log in, your device uses your fingerprint or face scan to unlock the private key, signs a unique challenge from the server, and sends the signature back. The server verifies the math against the public key. If it matches, you are in.
Nothing sensitive crosses the internet. The site cannot leak your passkey because it was never sent to them in the first place.
How Is a Passkey Different From a Password?
With a password you invent a secret and hand a copy to the website. If that site is breached, your secret can leak — and if you reused it, attackers try it everywhere else. With a passkey the private key stays on your device. Even a complete server breach gives attackers nothing usable.
Where Are Passkeys Stored?
| Device | Storage location | Syncs to |
|---|---|---|
| iPhone / iPad | iCloud Keychain | All your Apple devices |
| Android | Google Password Manager | All signed-in Android devices |
| Windows PC | Windows Hello | Local only (or via 1Password) |
| Hardware key (YubiKey) | The key itself | Not synced — physical device only |
Your private key and biometrics never leave the device’s secure chip — local storage is the feature, not a limitation.
How Does a Passkey Keep You Safe?
Passkeys neutralise the three biggest password attack types at once.
Phishing: A passkey is cryptographically tied to the real site’s domain. A fake login page triggers a failed handshake automatically — there is nothing for the attacker to capture.
Credential stuffing: Attackers buy leaked password databases and replay them across thousands of sites. There is no passkey equivalent of a leaked password list.
Weak passwords: A passkey is a 256-bit key generated by your device. There is no equivalent of “Summer2025!” or any other guessable string.
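A simplified model of the login described under "What Is a Passkey, Exactly?" and of the domain binding in the phishing point above, added here as an example and not taken from any service's code. It uses Node.js's built-in crypto module; the domains and function names are constructed for illustration, and the domain check is reduced to an exact hostname match rather than the full WebAuthn rules.

```javascript
// Added illustration: a simplified passkey login, not the full WebAuthn format.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Enrolment: the device makes a key pair; the site stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Device: the browser supplies the origin of the page that is really open.
// Assumption: exact hostname match stands in for WebAuthn's domain rules.
function deviceSign(device, origin, challenge) {
  if (new URL(origin).hostname !== device.rpId) return null; // no key for this site
  const clientData = Buffer.from(JSON.stringify(
    { challenge: challenge.toString('base64url'), origin }));
  const signed = Buffer.concat([sha256(device.rpId), sha256(clientData)]);
  return { clientData, signature: nodeCrypto.sign('sha256', signed, device.privateKey) };
}

// Server: check origin and the challenge it issued, then the signature.
function serverVerify(record, expectedOrigin, issuedChallenge, response) {
  if (!response) return false;
  const { challenge, origin } = JSON.parse(response.clientData.toString());
  if (origin !== expectedOrigin) return false;
  if (challenge !== issuedChallenge.toString('base64url')) return false; // replay
  const signed = Buffer.concat([sha256(record.rpId), sha256(response.clientData)]);
  return nodeCrypto.verify('sha256', signed, record.publicKey, response.signature);
}

// Constructed scenarios: real site, lookalike site, and a replayed response.
function demo() {
  const site = 'https://accounts.example.com'; // constructed sample origin
  const fake = 'https://accounts-example.test'; // constructed lookalike origin
  const { device, serverRecord } = createPasskey('accounts.example.com');
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = deviceSign(device, site, challenge);
  return {
    genuineSite: serverVerify(serverRecord, site, challenge, genuine),
    lookalikeSite: serverVerify(serverRecord, site, challenge,
      deviceSign(device, fake, challenge)),
    replayedResponse: serverVerify(serverRecord, site,
      nodeCrypto.randomBytes(32), genuine),
  };
}

console.log(demo());
```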
Pro Tip
Enable a passkey on an account the moment the option appears, even if you keep the old password as a fallback. You get the security benefit immediately and can delete the password later once you are comfortable with the new flow.
Passkeys eliminate phishing, credential stuffing, and weak-password risks in a single step — the three vectors behind the majority of account takeovers.
Which Websites and Apps Accept Passkeys?
As of mid-2026, major services with passkey support include Google, Apple ID, Microsoft, GitHub, PayPal, eBay, Shopify, Uber, and WhatsApp, among hundreds more. The FIDO Alliance maintains an official passkey directory you can search by service name. If a service you use is not listed, check Settings → Security — many sites quietly add passkey support with routine app updates.
Troubleshooting Tip
If the passkey option is missing in your account settings, sign out and sign back in, then look under Settings → Security → Sign-in methods. Some services show passkey enrollment only after a recent authentication step.
Passkey adoption is accelerating fast — if a service does not support it today, check again in a few months and it likely will.
How Do I Set Up and Use a Passkey?
The setup flow is nearly identical on every service. Here is Google as an example — it takes about 90 seconds.
- Go to myaccount.google.com and sign in normally.
- Click Security in the left sidebar.
- Under “How you sign in to Google,” click Passkeys and security keys.
- Click Create a passkey.
- Approve the prompt with your fingerprint, Face ID, or device PIN.
- Done — the passkey syncs to your other signed-in Apple or Android devices automatically.
Next time you sign in to Google, enter your email, choose Try another way, then Use your passkey. Your device prompts for biometrics and you are in within two seconds. I noticed the first login felt strange because I kept waiting for a password field that never came.
On Windows
Windows uses Windows Hello — your PIN, fingerprint reader, or face recognition. The passkey creation steps are the same; just approve with your Hello method when prompted. I set mine up on a laptop in under a minute.
Passkey creation on any major platform takes under two minutes and walks you through every step with on-screen prompts.
Are Passkeys Safe if You Lose Your Device?
Yes — with one caveat. If your passkeys sync to iCloud Keychain or Google Password Manager, losing your phone does not mean losing access. Sign into your Apple or Google account on any new device and your passkeys are waiting there already.
If you stored a passkey only locally on a Windows PC, that credential is tied to that machine. Best practice: enrol a second passkey on a backup device or a hardware security key for critical accounts. Pair this with a strong, unique master password for your Apple or Google account — the guide on creating strong passwords you can actually remember covers a reliable method for exactly that.
Synced passkeys survive a lost or reset device; device-local passkeys need a recovery backup before you rely on them as your only login method.
What Mistakes Should You Avoid With Passkeys?
- Skipping account recovery setup before creating a passkey. If your Apple or Google account is compromised, an attacker could delete your passkeys. Lock down recovery options first. A quick data breach check confirms whether your master credentials have already leaked.
- Treating a passkey as a replacement for two-factor authentication. A passkey replaces your password — it is one strong factor. For banking or primary email, add an authenticator app on top for extra protection.
- Creating a passkey on only one device. Enrol on at least two devices so you have a working fallback if one is lost, stolen, or factory-reset.
- Assuming cross-platform sync is automatic. Apple passkeys sync across Apple devices; Google passkeys sync across Android. If you switch ecosystems, re-enrol passkeys on the new platform — they do not transfer automatically.
- Abandoning your password manager during the transition. You will not migrate every account overnight. Keep existing passwords in a dedicated manager like Bitwarden while you work through your list — our password manager setup guide walks through the free installation.
The most common slip-up is skipping account recovery setup — fix that first and the rest of the passkey transition is straightforward.
Frequently Asked Questions
Can a passkey be phished?
No. A passkey is cryptographically bound to the legitimate site’s domain, so a fake login page gets nothing usable — the handshake fails silently. I tested this on a cloned login page and the passkey prompt never even appeared.
What happens if I lose my phone and my passkeys are not synced?
You regain access through the account’s standard recovery options such as backup codes or a recovery email, then enrol a fresh passkey on your replacement device. This is exactly why configuring recovery options before creating passkeys is step one.
Are passkeys free?
Yes. Passkeys are built into iOS 16+, Android 9+, and Windows 10/11 with Windows Hello — no extra app or paid subscription required on any major platform.
Can I keep a password and a passkey on the same account?
Yes, and that is the recommended transition approach. Keep the existing password as a fallback while you get comfortable with the passkey flow, then remove it later on services that support fully passwordless login.
The four questions above cover the concerns most people have before switching — passkeys are simpler in practice than they sound in theory.
Conclusion
Passkeys make signing in faster and dramatically more secure — no phishing risk, no credential leaks, nothing to memorise or type. Start with one high-value account like Google or Apple ID, confirm the experience feels natural, then roll out to other accounts over a few weeks.
While you transition, a free password manager keeps your remaining accounts under control. The Bitwarden setup guide takes about ten minutes and bridges the gap perfectly until every account supports passkeys.