Are passkeys safe? Will they replace passwords?


Passkeys are a modern, passwordless authentication method built on public-key cryptography. Developed by the FIDO Alliance and backed by companies like Apple, Google, and Microsoft, passkeys aim to eliminate the risks associated with passwords. So, are Passkeys safe? And can passkeys replace passwords?

Passwords have been the default authentication method for decades, but they’re also a major security risk. Data breaches, phishing scams, and poor password hygiene make traditional passwords a significant vulnerability. That’s where passkeys come in.

Instead of relying on a shared secret, passkeys use a private key stored securely on your device and a public key saved on the website’s server. Asymmetric cryptography prevents human errors and protects against phishing. The private key never leaves your device, and you never have to type anything – so fraudulent websites can’t trick you.

Biometric login options, such as Face ID or fingerprint unlock, make using passkeys easy. Meanwhile, cloud backup and device synchronization (via iCloud Keychain or Google Password Manager) allow you to access passkeys across all your devices.

Passkeys also give you a smoother user experience. You don’t need to remember anything or worry about password reuse and leaks. And you can finally forget about paying for a password manager.

In this guide, we’ll explain how passkeys work, how they compare to passwords, and why they could be a game-changer for your privacy, online security, and login experience.

What is a Passkey?

A passkey is a passwordless login credential designed to replace traditional passwords. It uses public-key cryptography to authenticate you securely without requiring you to remember anything.

When you create a passkey, your device generates a pair of cryptographic keys: a private key, which is stored securely on your device (phone, tablet, laptop, or even a dongle), and a public key, which is saved by the website or app you want to log into.

These keys are mathematically linked and only work together. When you log in, your device uses the private key to generate a unique signature that proves your identity. That confirmation is sent to the website, but the private key itself never leaves your device or travels over the internet. This means it can never be intercepted or compromised.

| Step | What happens |
| --- | --- |
| 1. You try to log in | You go to a website and click “login with passkey”. |
| 2. Challenge is sent | The website sends a challenge (a math-based secret question) to your device. |
| 3. Private key signs it | Your device uses the private key (stored securely) to answer the challenge. |
| 4. Public key checks it | The website confirms the answer using the public key. |
| 5. You’re verified! | If the answer matches, the site knows it is really you – without seeing the private key itself. |

How do Passkeys work? A quick overview

Passkeys are built on the WebAuthn (Web Authentication) standard, which is maintained by the FIDO Alliance. This open standard allows websites and apps to offer passwordless authentication using biometrics (like Face ID or a fingerprint), your device PIN, or a hardware security key (dongle). These methods unlock the passkey stored securely on your device, allowing it to authenticate you without sending a password.

Two-factor authentication by default

Passkeys improve account security and reduce human error. As your private key stays locked on your device, passkeys offer phishing resistance and protection against fraudulent websites. Even if a hacker tries, you can’t be tricked into typing your passkey into a fake site. It only works when communicating with the genuine website that holds the public key.

Passkeys also natively support multi-factor authentication (MFA). They combine something you have (your device) with something you are (your biometric, like a fingerprint or facial scan) to unlock the private key, which then signs a secure challenge to confirm your identity.

This gives you two-factor protection by default: no codes, no SMS messages, no worrying about being tricked into giving someone your code, and no need to enable 2FA when creating a new account. Everything is ready right out of the gate.

Most passkeys are stored in your device’s keychain storage, and thanks to cloud synchronization, you can access them across different devices within the same ecosystem (like Apple’s iCloud Keychain or Google’s Password Manager).

However, device dependency and ecosystem compatibility are still causing some issues for users who regularly switch between platforms like Android and iOS. The good news? We expect these compatibility issues to diminish as support for passkeys continues to grow.


Are Passkeys safe? Security and usability benefits

Passkeys are designed to be both convenient and one of the safest ways to log in. Unlike traditional passwords, which are vulnerable to phishing, brute-force attacks, and data breaches, passkeys use public-key cryptography. Asymmetric encryption removes the need for shared secrets (passwords). This reduces the attack surface involved in protecting your accounts.

Your private key is stored securely on your device, protected by your biometric data or device PIN. This key never leaves your device, never gets transmitted online, and cannot be entered into a fake website – even by accident. As a result, using passkeys protects you against phishing attacks, credential stuffing, and social engineering.

Passkeys also protect you against human error. Because you don’t need to create or remember anything, you never have to worry about password reuse or weak password combinations. You can also stop worrying about whether your password has been leaked online in a major data breach.

This makes passkeys a working solution to one of the most common causes of account compromise: bad password habits.

What are the dangers of passkeys?

Passkeys are far more secure than passwords, but they aren’t completely foolproof. Like any form of authentication, they come with trade-offs. Specifically, passkeys create concerns surrounding physical access and personal trust.

Passkeys rely on your device’s built-in security to protect your logins. That means your fingerprint, face scan, or device PIN is all you need. In practice, this makes things more secure and convenient. However, passkeys can backfire if someone already knows your device unlock PIN.

Many couples share device passcodes. Whether they are in the car and want to quickly change music while their partner is driving, or they need to use an app for some reason, it is pretty normal for couples, housemates, and other close friends or family members to share device unlock codes.

With passkeys, that same PIN unlocks more than just the phone. It can also provide access to your email, cloud storage, financial apps, and other sensitive accounts.

Biometric logins like Face ID or fingerprint scanning are the best solution, but even these have limitations. For example, you could fall asleep next to your phone, potentially allowing someone to unlock your passkeys with your finger without your consent.

Depending on your circumstances, passkeys could potentially introduce new arguments or tensions around boundaries, consent, and digital trust.

If you decide to use passkeys, it is worth taking a moment to consider who knows your device PIN and whether that level of access still makes sense. Our advice? Stick to biometric unlock or change your PIN so that nobody knows it.

Can a hacker steal a public key and use it to phish you?

Public key cryptography relies on a mathematical link between the public and private keys. This leads some astute individuals to question: Could a hacker steal the public key that works with my private key?

In theory, a hacker could copy the public key from a website and load it onto a fake site. However, passkeys are designed to prevent this attack vector with an extra layer of security (that works on top of the public/private keys): origin binding.

What is origin binding?

When a passkey is created, it’s cryptographically tied to a specific website origin (the exact domain it was registered on). Even if a hacker steals the public key and puts it on a lookalike domain, your browser or device won’t use the private key to sign the login challenge, because the origin doesn’t match.

This makes stealing public keys useless unless the attacker also controls the original domain. While not impossible, that kind of attack is extremely rare and technically complex.

Are passkeys easy to use?

Yes. Passkeys offer one of the smoothest and fastest login experiences available.

You can log in securely using Face ID, fingerprint, or your device PIN. This allows you to sign in quickly, without needing to remember dozens of passwords (or needing to unlock a password manager with a master password).

As long as you sync your passkeys with iCloud Keychain or Google Password Manager, you can use them across all your linked devices. This ensures that you can log in easily from your phone, tablet, or computer.

The catch? Passkeys are still relatively new and don’t always work smoothly across different operating systems. This can make it harder to switch between platforms, such as Apple and Windows, or iOS and Android.

Why passwords are broken

Passwords seem like a convenient way to secure accounts. In practice, however, they create the biggest weaknesses in digital security.

As more services move online, consumers must create and remember unique passwords for dozens or even hundreds of accounts. With a password manager, this can be handled in a relatively safe way.

Unfortunately, the reality is that passwords cause many people to make mistakes:

  • Reusing the same password across multiple sites
  • Choosing passwords that are easy to remember
  • Storing passwords insecurely (writing them on a sticky note, etc.)

Even if you pick a strong, unique password and make every effort to stay secure, you could still fall victim to hackers. Phishing, data breaches, and keylogging malware can all expose your login credentials. If your password is stolen, it could be sold on the dark web, potentially giving your credentials to hundreds of hackers.

Two-factor authentication (2FA) helps. However, it’s not always available, and it adds extra steps to your logins, which puts many people off. That’s why security experts consider passwords “broken.”

Remember: A truly secure password is too complex to remember, which is why you must use a password manager. The best password managers generate strong, unique passwords for every account and store them safely, so you don’t have to.

Storing Passkeys: Device vs. cloud vs. hardware

One of the best things about passkeys is that they are stored securely on your device. This allows passkeys to authenticate you without requiring you to remember or type anything.

But what if you want to log in to your accounts on a laptop, desktop, smartphone, and other devices like game consoles? Passkeys theoretically allow for all of these access points via synchronization, but it isn’t fully seamless… yet.

Device-based Passkey storage

By default, passkeys are stored locally on your device. A locally stored private key is vastly more secure than a password stored on company servers. This is because it can’t potentially be leaked, hacked, or accessed by company employees.

However, this type of device-based passkey storage only works on one device. Your passkey won’t automatically follow you to other devices, and if your device is lost, stolen, or wiped, you could lose access to all your accounts (unless you’ve set up a backup).

Cloud-synced Passkey storage

Cloud synchronization allows passkeys to work across your devices. That means you can log in from your phone, tablet, or laptop without setting everything up from scratch. Apple uses iCloud Keychain, while Google offers Password Manager for syncing passkeys within their platforms.

In these systems, your private key is encrypted and synced through your cloud account, then decrypted locally only after you authenticate with your device. The private key stays protected and never leaves your device in readable form, even during syncing.

This approach is convenient, but it does rely on trusting your provider’s encryption and backup infrastructure. While today’s encryption is robust, there are long-term concerns that future threats (like quantum computing) could eventually weaken it.

That said, passwords face the same risks. And right now, passkeys remain the more secure, privacy-focused option for cross-device login.

Hardware security keys

If syncing across devices seems too risky, you could carry a hardware device with you at all times on a keychain. By storing your passkey on a physical device that is used solely for the purposes of authentication, you can easily log in on any device.

Hardware security keys like YubiKey or Google Titan let you store passkeys safely, and then plug into your computer or connect wirelessly to a mobile device via Near Field Communication (NFC).

Hardware security keys offer excellent security, as nothing leaves the key, and authentication can’t be faked or phished. However, you’ll need to carry and protect the key at all times. If it’s lost and you don’t have a backup, you could be locked out of your accounts.

How to set up a Passkey

Setting up a passkey is both fast and easy, as long as you’re using a modern phone, tablet, or browser. You do not need to install anything special or memorize anything. Instead, your device will create the cryptographic key in the background and save it behind your device-level biometrics for future use.

To explain the process of setting up passkeys, we have included the steps below:

  1. Visit a website or app that supports passkeys. You’ll usually see the option during sign-up, when adding a new login method, or in your account’s security settings.
  2. Choose to create a passkey. Your device will begin generating the key pair behind the scenes.
  3. Confirm your identity. You’ll be prompted to use Face ID, fingerprint unlock, or your device PIN.
  4. Save your passkey. It’s stored securely on your device and may sync via cloud backup (if supported and enabled).

On iPhones and iPads, passkeys are stored in iCloud Keychain. On Android, they sync through Google Password Manager. Chrome, Safari, and Edge also support passkeys, but you may need to enable syncing in your browser settings.

If you want to test a synced passkey, try logging into the same service on a second device. If cloud sync is enabled, your passkey should work instantly as soon as you provide your biometric ID or PIN code.

Once setup is complete, you will be able to log in by authenticating with your device. No need to type a password or remember anything.
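The four setup steps above, seen from the website’s side, in an added example that is not code from the article or from any of the platforms it names: it builds the option objects a site passes to the browser’s WebAuthn API (navigator.credentials.create for creating the passkey, navigator.credentials.get for logging in) with the security-relevant choices commented. The domain example.test, the user record and the 32-byte zero challenge are constructed placeholders; a real server generates a fresh random challenge for every request.

```javascript
// Added example, not code from the article: the option objects a website hands
// to the browser's WebAuthn API when creating and then using a passkey.
// 'example.test', the user record and the sample challenge are constructed.

// Servers send challenges as base64url text; WebAuthn wants raw bytes.
function base64urlToBytes(b64url) {
  const padded = b64url.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(b64url.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// The spec asks for at least 16 random bytes; a short or predictable
// challenge would let an old signature be replayed.
function challengeBytes(challenge) {
  const bytes = base64urlToBytes(challenge);
  if (bytes.length < 16) throw new Error('challenge must be at least 16 bytes');
  return bytes;
}

// Step 2 of the setup list: what the site asks for when creating the passkey.
function buildRegistrationOptions({ rpId, rpName, userId, username, challenge }) {
  return {
    challenge: challengeBytes(challenge),
    rp: { id: rpId, name: rpName },  // the domain the passkey is bound to (origin binding)
    user: { id: new TextEncoder().encode(userId), name: username, displayName: username },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },    // ES256: ECDSA over P-256, supported everywhere
      { type: 'public-key', alg: -257 },  // RS256 fallback
    ],
    authenticatorSelection: {
      residentKey: 'required',       // discoverable credential, i.e. a real passkey
      userVerification: 'required',  // step 3: Face ID, fingerprint or PIN is checked
    },
    attestation: 'none',  // the site does not need to identify the device model
    timeout: 60000,
  };
}

// Login: an empty allowCredentials list lets the browser offer every passkey
// it holds for this rpId, so the user never types a username first.
function buildLoginOptions({ rpId, challenge }) {
  return {
    challenge: challengeBytes(challenge),
    rpId,
    userVerification: 'required',
    allowCredentials: [],
    timeout: 60000,
  };
}

// Browser-only calls; in Node there is no navigator, so they return null.
async function createPasskey(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  return navigator.credentials.create({ publicKey: options });
}
async function loginWithPasskey(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  return navigator.credentials.get({ publicKey: options });
}

// Constructed sample input: 32 zero bytes as base64url (a real server uses random bytes).
const SAMPLE_CHALLENGE = 'A'.repeat(43);
```

The two settings that turn a plain WebAuthn credential into a passkey as the article describes it are residentKey: 'required' (the credential is discoverable, so the browser can list it on the login page) and userVerification: 'required' (the biometric or PIN check from step 3 actually happens). Leaving rp.id off makes the browser default it to the page’s own domain, which is usually what you want.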

Passkey troubleshooting tips

Some users run into issues depending on their device or platform. To help you out and make switching to passkeys as seamless as possible, we’ve included a list of troubleshooting steps in the table below:

| Problem | Explanation | How to fix it |
| --- | --- | --- |
| Your device does not support passkeys | Older operating systems and devices may not support WebAuthn or passkey sync features. | Update to the latest version of iOS, Android, Windows, or macOS. Make sure you are using a supported browser like Chrome, Firefox, Edge, or Safari. |
| Passkey is not syncing across devices | Sync may be turned off, or devices are logged into different accounts. | On iPhone, check Settings > Apple ID > iCloud > Passwords and Keychain. On Android, go to Settings > Google > Autofill > Password Manager > Sync. Make sure all devices are logged into the same account. |
| Cannot find the passkey login option | Some websites do not clearly label the passkey login button, or require removing your password login first. | Look under login options or account security settings. If you already have a password-based login, you may need to remove it or switch login methods manually. |
| Lost access to the device with your passkey | If your passkey is stored only on one device, losing that device could lock you out. | Use cloud backup and recovery settings to restore access. Apple and Google offer account recovery. If all else fails, contact the site’s support team to reset your login credentials. |

Where can I use Passkeys?

Wondering where passkeys are accepted? Passkeys are still an emerging technology, and although they solve many security problems, they aren’t available everywhere. The good news? A growing number of services are beginning to support authentication via passkeys.

You can already use passkeys to log in to many major platforms: Apple, Google, and Microsoft all support passkey logins for accounts. In addition, most newer devices now offer passkey creation:

  • iOS 16 and above
  • Android 9 or higher
  • Windows
  • macOS

Passkeys also work with popular browsers like Chrome, Safari, Firefox, and Edge (as long as you are running the latest version and have syncing turned on).

The list of websites and services that accept passkeys is growing steadily. Below, we’ve included some of the services that already accept passkeys:

  • Google Accounts
  • Apple ID
  • Microsoft accounts
  • Facebook
  • Instagram
  • WhatsApp
  • GitHub
  • PayPal
  • eBay
  • Best Buy
  • TikTok
  • Shopify
  • Kayak
  • Yahoo Japan
  • Adobe
  • Amazon
  • Canva
  • Discord
  • Coinbase
  • Cloudflare
  • Dropbox
  • DocuSign
  • Uber
  • Robinhood
  • Nvidia
  • Okta
  • Docomo (Japan)
  • 1Password
  • Dashlane
  • NordPass
  • Bitwarden
  • Proton Pass

Support for passkeys is expanding fast, and the FIDO Alliance maintains an up-to-date list of compatible platforms. You can use the list or check under account settings to see whether you can enable passkey logins for the services you use.

Can I use passkeys to access my password manager?

Yes. This is one of the smartest ways to put passkeys to use right now. Using passkeys to log in to a secure password manager (with a zero-knowledge framework) ensures that you can easily access highly robust passwords for all your accounts, without needing to remember a complicated master password.

As a result, you get all the benefits of modern password management, including secure password audits, auto-fill, and dark web leak checks – while using a hardware-backed private key as the key to your password vault. Using a passkey as the master to a password vault removes your reliance on a memorized master password, which could potentially be hacked.

Below, we have included a list of password managers that support passkey login either as a full replacement for the master password or as an optional authentication method:

What if I lose my device? Passkey recovery methods

Right now, there’s no universal recovery system for passkeys. What happens if you lose your device depends on how you’ve stored it, and whether your provider offers encrypted backup with account recovery.

Users with iCloud Keychain (Apple) or Google Password Manager (Android/Chrome) can usually restore passkeys by signing into their cloud account on a new device. Your encrypted keys sync automatically, assuming you’ve set up two-factor authentication.

Using a hardware security key like a YubiKey or Titan? Just plug it into your new device to authenticate. These physical keys act as secure offline backups – but they’re easy to lose. That’s why we recommend keeping a spare.

Got multiple devices in the same ecosystem? You may still have access from a secondary device (like your iPad or MacBook), even if your phone is gone.

Remember: if your passkeys are stored on a single device, without sync or backup enabled, you’ll likely need to reset each account manually. This usually involves email verification, two-factor prompts, or contacting support.

You can avoid all of this frustration by turning on sync, storing a backup key, or using a password manager that supports passkeys.

The future of authentication

Passwords have been the default authentication method since computers first appeared. Unfortunately, they cause many weaknesses, which is why the IT industry is rushing to replace them.

Thanks to passkeys, biometric login, and secure device-bound credentials, the shift over to passwordless authentication is well underway! The password isn’t just dying – it’s being replaced by something safer, smarter, and far easier to live with.

Big tech platforms like Apple, Google, and Microsoft are in favor of a future where you never have to create, remember, or manage a password again. Instead, your device will become your trusted key, with your fingerprint, face, or PIN all you need to log in to your accounts.

As more websites and apps adopt passkeys, logins will become faster, safer, and less frustrating. For the time being, we recommend combining a password manager with a passkey for the best security across all platforms.


Passkeys FAQs

Can I share Passkeys across family devices?

Only if the devices are linked to the same cloud account. For example, you can sync passkeys across your family’s Apple devices using iCloud Keychain, or across Android devices using Google Password Manager. Please note that anyone with access to your device and PIN can also access your passkeys. So sharing requires a high level of trust.

What happens to my passkey if I lose my device?

If you’ve enabled cloud sync, your passkeys will be backed up and available on your other linked devices. You can also restore them when setting up a new phone. If you don’t have sync or backup enabled, and your only copy is lost, you’ll need to recover access manually. This usually requires you to reset your login on each site. That’s why enabling sync or setting a recovery option is advisable.

What is the WebAuthn standard (Web Authentication)?

WebAuthn is a web standard that lets websites and apps offer secure, passwordless login. It’s the foundation behind passkeys, allowing your device to authenticate you without sending a password over the internet.
