If you have logged into a major website recently, you may have seen a prompt asking whether you want to save a “passkey.” Most people dismiss it. That is understandable — a new login concept buried in a dialog box is easy to ignore — but passkeys are worth stopping for, because they represent the first serious, broadly deployed replacement for the password in the thirty-year history of the web.
The short version is this: a passkey lets you log in with your fingerprint, face, or device PIN, and it is engineered so that the secrets involved never leave your device and cannot be stolen in a database breach. If you have ever had an account compromised through a phishing email or a leaked password list, passkeys are designed specifically to prevent both of those scenarios.
What a Passkey Actually Is
A passkey is a cryptographic key pair — two mathematically linked keys, one stored on your device and one registered with the website. When you create a passkey for a service, your device generates both keys locally. The website receives and stores only the public key. The private key never leaves your device, full stop.
When you log in, the website sends a one-time challenge. Your device signs that challenge with the private key and returns the signature. The website verifies the signature against the public key it already has. If the signature is valid, you are in. At no point does your device transmit anything that could be replayed or stolen — there is no password, no code, no shared secret crossing the wire.
The standard underpinning all of this is FIDO2 (Fast Identity Online), developed by the FIDO Alliance, a consortium that includes Apple, Google, Microsoft, and hundreds of other technology companies. FIDO2 is also the foundation for hardware security keys like YubiKey, which have been used in corporate and government settings for years. Passkeys bring the same fundamental technology to consumer devices without requiring extra hardware.
How This Differs From Two-Factor Authentication
Two-factor authentication (2FA) adds a second check on top of your password. It makes accounts harder to compromise, but the password is still the first factor, which means it can still be phished or leaked. A passkey replaces the password entirely. The biometric or PIN you use to unlock the passkey is just a local check to confirm you are present at the device — it is never sent anywhere, and the website never sees it.
Why Passkeys Beat Passwords on Every Security Dimension That Matters
Passwords fail in three main ways: people reuse them across sites, they get leaked in breaches, and they get phished. Passkeys address all three.
Reuse is not possible. Each passkey is unique to a single website and generated fresh for that site. There is nothing to reuse elsewhere.
Breaches cannot expose them. The website stores only your public key. If the site’s database is stolen, the attacker gets a public key — which is mathematically useless without the private key sitting on your device.
Phishing does not work. This is arguably the most important property. A passkey is cryptographically bound to the exact domain it was created for. If you are tricked into visiting goog1e.com instead of google.com, your device will refuse to sign the login challenge — there is no passkey registered for that domain. The authentication simply fails before you can be deceived. The FIDO Alliance has documented this phishing resistance as a core design requirement, not an incidental benefit.
NIST’s Digital Identity Guidelines (SP 800-63B) have long identified phishing-resistant authentication as the gold standard for consumer accounts. Passkeys are the first widely available implementation of that standard for ordinary users.
How to Start Using Passkeys Right Now
Setup takes roughly two minutes on any modern device. Here is the practical path for the three main platforms.
iPhone and iPad (iOS 16 or later)
Apple stores passkeys in iCloud Keychain, which syncs across all your Apple devices. When a supported site offers to save a passkey, accept the prompt and authenticate with Face ID or Touch ID. The passkey is saved and synced automatically. You can view all saved passkeys in Settings > Passwords. Apple’s Platform Security documentation explains the hardware-level protections (Secure Enclave) backing this storage.
Android (Android 9 or later)
Google Password Manager handles passkey storage and syncs through your Google account. The flow is identical: when a site offers a passkey, accept the prompt and use your fingerprint or screen lock. Google has also opened the Android Credential Manager API so third-party password managers like 1Password and Dashlane can store passkeys as well.
Windows 11 and macOS
Windows Hello supports passkeys natively on Windows 11 23H2 and later, storing them using the device’s TPM chip. On macOS Ventura and later, passkeys sync through iCloud Keychain the same as on iPhone. Chrome and Edge on both platforms also support device-bound passkeys that stay local to the machine and do not sync — useful if you prefer not to tie credentials to a cloud account.
Sites with strong passkey support as of mid-2026 include Google, Apple ID, Microsoft accounts, GitHub, PayPal, Shopify, and an increasing number of financial institutions. Check passkeys.directory (maintained by the FIDO Alliance community) for an up-to-date list.
The Honest Catches
Passkeys are better than passwords, but the ecosystem is still maturing. There are three friction points worth knowing before you go all-in.
Account recovery is messier. If you lose all your devices and do not have backup access methods, recovering your accounts is harder than resetting a password via email. Most sites still let you fall back to a password or recovery code, but you need to set those backup methods up before you need them. Do this now, not when you are locked out.
Syncing has platform walls. Apple passkeys sync within Apple devices. Google passkeys sync within Android and Chrome. If you regularly switch between an iPhone and an Android phone, or between Safari and Firefox, you will hit friction. The FIDO Alliance and browser vendors are actively working on cross-platform passkey transfer standards, but the tooling is not seamless yet.
Not every site supports them. Adoption is growing fast, but plenty of smaller services and enterprise apps still rely entirely on passwords. Passkeys complement good password hygiene rather than replacing it overnight.
What to Do
The practical recommendation is straightforward. For your highest-value accounts — email, banking, Google, Apple ID, Microsoft — create a passkey the next time the site offers one, and do it now rather than dismissing the prompt again. These accounts are the primary targets of phishing and credential-stuffing attacks, and passkeys eliminate both vectors for them immediately.
For everything else, keep using a password manager with long, unique passwords and 2FA on any account that matters. Passkeys will gradually replace the password layer over the next few years as more services adopt them; the transition is not something you need to force all at once.
The broader shift is real and it is happening. The FIDO Alliance reported that over a dozen major platforms and hundreds of services had deployed passkey support by 2025, with billions of passkeys created across consumer devices. This is not vaporware or a niche security feature anymore — it is the new default authentication method on the most-used computing platforms in the world. The question is not whether to adopt it, but how quickly to do so for the accounts that matter most to you.
