Passkeys: The Future of Logging In

Passkeys replace passwords with cryptographic key pairs that never leave your device, eliminating the phishing attacks and credential breaches that passwords and 2FA codes are both vulnerable to.

📖 The Basics

What It Is

A passkey is a cryptographic credential that can replace your password. Instead of a string of characters you type in, a passkey is a pair of mathematically linked keys: a public key stored on the website's server, and a private key that lives securely on your device. When you log in, your device uses the private key to sign a one-time challenge from the server, the server checks that signature with the public key it stored, and you're done. No password is sent, no code is sent, nothing that could be stolen in transit.

The consumer-facing name "passkey" was adopted by Apple, Google, and Microsoft to describe this technology for everyday users. But the underlying standards are FIDO2 and WebAuthn, which remain the foundation. While passkeys are still new, they are quickly expanding and commonly touted as the future of account security.

How It Works

Registration

When you set up a passkey for an account, your device generates a unique key pair for that specific site. The public key is sent to and stored by the service. The private key is stored in your device's secure hardware or software.

To unlock and use that private key, you authenticate locally with your biometrics (Face ID, fingerprint) or device PIN. Critically: your biometrics are not sent to a server. They never leave your device. They're used only to unlock the private key that's already there.

As of mid-2026, you have several options for services to create passkeys for you, from operating systems, to password managers, to browsers. We'll discuss these options shortly.

Logging In

When you return to log in, your device uses the private key to create a cryptographic signature and sends it back. The server verifies it against the public key it stored. Done.

There is no password to guess, no code to intercept, and no shared secret that could be stolen from either side. This makes passkeys inherently phishing-resistant.

How This Eliminates Phishing

The signature your device creates is mathematically bound to the exact origin of the site your browser is actually connected to. A convincing fake site at paypa1.com cannot obtain or use a signature meant for paypal.com. This is what "phishing-resistant" means day-to-day, and it's what separates passkeys from standard passwords.

Where Passkeys Live, How To Get Started

Your passkey's private key needs to live somewhere accessible across your devices. The current main options in 2026:

  • Platform managers: iCloud Keychain (Apple), Google Password Manager, Windows Hello, and other platforms sync passkeys automatically within their ecosystems/operating systems. This is great if you live in one ecosystem, but it's less convenient if you use a mix of devices, since cross-platform portability has historically been limited.
  • Browsers: Chrome, Brave and Firefox can store passkeys directly. Safari on Apple devices defers to iCloud Keychain rather than managing passkeys itself. Browser-stored passkeys are convenient if you primarily use one browser across your devices, but tie you to that browser's ecosystem in a similar way to platform managers.
  • Password managers: Bitwarden, 1Password, Proton Pass, and most major managers now support storing and autofilling passkeys alongside your passwords. This gives you cross-platform access and keeps everything in one vault, regardless of which OS or browser you're on. Instead of your password manager autofilling a password in your browser, it will auto-suggest a passkey.

No matter which you choose, I suggest picking one place, being consistent, and avoiding mixing unless you have a reason to. The user experience of passkeys in 2026 is still maturing, and it's not uncommon to get multiple prompts from your browser, OS, and password manager extension in sequence before authenticating. So stick with one option to avoid confusion.

Where Passkeys Don't Exist Yet

Adoption is substantial but still uneven. Major platforms like Google, Microsoft, Amazon, Apple, and PayPal have deployed passkeys, with Microsoft making passkeys the default for new accounts. But plenty of services still don't support them, so passwords aren't going away yet. Your password manager remains essential as the fallback for everything that hasn't made the transition.

Sharing Passkeys

This is a genuine limitation worth knowing about. Passwords are easy to share: you just copy a string and send it. Passkeys are identity-bound by design, which is most of what makes them secure, but it also means sharing isn't built in the same way.

Support varies significantly by where your passkey lives:

  • Apple iCloud Keychain: a solid sharing story right now. You can AirDrop a passkey directly to a nearby contact, or use Shared Groups to share passkeys with family or trusted contacts, with changes syncing across the group automatically.
  • 1Password: supports passkey sharing via shared vaults, available on Families and Business plans.
  • Most other managers: limited or not yet supported. Bitwarden has sharing on its roadmap but hasn't shipped it broadly.

The practical workaround: most sites that offer passkeys still keep a password as a fallback, so for an account that supports both you can share the password instead.

What If I Lose My Device?

This worry stops some people from adopting passkeys. The answer depends on where the passkey lives:

  • In iCloud Keychain, Google Password Manager, or another platform manager: your passkeys are synced to the cloud, encrypted with your account credentials. Sign into your account on a new device and they come back. Losing one device doesn't lose the passkey.
  • In a cross-platform password manager (Proton Pass, Bitwarden, 1Password): same idea. The passkey is stored in your vault, which syncs to whichever device you log in on next. Losing one device is recoverable.
  • On a hardware security key with no backup: this is the one case where loss can mean account loss. Always register a second passkey or security key, store a backup recovery code somewhere safe, and never rely on a single physical device for an account you'd hate to lose.

Most services that support passkeys also keep an account recovery path (email, backup codes, an alternative second factor). Keep recovery codes printed somewhere you can find them, and test your recovery process before you actually need it.

Passkeys vs. Hardware Security Keys: An Honest Comparison

Hardware security keys (like YubiKeys) and passkeys are related but distinct, and, confusingly, they can also work together.

A passkey typically lives in software: your device, a browser, or a password manager. A hardware security key is a physical device, and it can play two different roles depending on how it's used:

  • As a second factor alongside a password: you enter your password, then tap the key to access your account. This is the more common use case, covered in depth in the Two-Factor Authentication article.
  • As a passkey device itself: modern security keys can store passkeys directly on the hardware. In this case, the key acts as the passkey. Plug it in, tap it, done. No password, no biometric prompt on your device. This is the highest-security passkey setup available, since the private key never touches your phone or computer at all.

For most people, a software passkey stored in a password manager is a major security upgrade. For higher-risk users, storing passkeys on a dedicated hardware key kept separate from your main devices adds a layer that software passkeys don't provide. Just don't forget to find a way to establish backups in the event you lose your key.

Some accounts support both passkeys and a traditional password with a hardware security key as a second factor. If you're choosing between the two, the password-plus-hardware-key combination is arguably the more secure setup since it requires two separate things to be compromised (your password and your physical key), whereas a passkey is a single factor, even though it's phishing-resistant. Passkeys win on convenience; password plus a hardware security key wins on the security ceiling.


🎯 Why It Matters

In August 2022, Twilio and Cloudflare were hit by the same phishing attack on the same day. Employees received text messages directing them to fake login portals. Twilio employees entered their credentials and their TOTP codes into the fake site. Attackers relayed those in real time to the actual Twilio systems. The breach hit Twilio and over 125 of its downstream customers.

Cloudflare employees were using FIDO2 hardware security keys, the same standard that powers passkeys. When the phishing site attempted to relay authentication, the cryptographic binding to the legitimate domain blocked it. The phishing site's domain didn't match. Cloudflare was not breached.

Same attack, same day, same attackers. One company compromised, one not. This is why passkeys are so powerful! Passwords and TOTP codes are shared secrets, and because they're shared, they can be stolen, guessed, or intercepted in transit. Passkeys close this attack surface structurally, not just by making the secret harder to guess.

For everyday users, passkeys are both more secure than passwords and easier to use. No password to create, no code to type, no text to wait for. The security upgrade comes with a usability upgrade, which is a rare combo.

Passkeys probably won't fully replace passwords in the near term, but adoption is accelerating. Understanding what they actually are now means you can evaluate the tradeoffs clearly as they spread, rather than taking whatever default your browser or OS decides to push you toward.


💡 Common Misconceptions

"Passkeys and security keys are the same thing."

This is the single most common point of confusion in this category. A passkey replaces your password: it becomes the credential itself. A security key (like a YubiKey) is typically a second factor on top of a password. The reason these get mixed up is that a hardware security key can also be used to store a passkey on some services.

"Passkeys mean my fingerprint or face is sent to the server."

No. Biometrics are typically used locally on your device to unlock the private key that's already there. Your fingerprint or face never leaves the device. The server only ever sees a public key and a cryptographic signature.

"Passkeys are going to replace passwords for me right now."

Probably not yet. Plenty of services still don't support passkeys at all, so passwords aren't going anywhere immediately. Treat passkeys as additive: adopt them where they exist, and keep a password manager for everything else.

"Passkeys lock me into Apple, Google, or Microsoft."

That was a real concern early on. As of 2026, every major password manager (Proton Pass, Bitwarden, 1Password, and KeePassXC among them) stores passkeys natively and syncs them across platforms, and some even allow import/export. You don't have to live in one ecosystem to use passkeys. The cross-platform path exists and works.


πŸ—£οΈ Henry's Take

If you're already using a password manager that generates 24-character random strings for every account, the upgrade from password-plus-TOTP to a passkey is still justifiable: they're phishing-resistant by design, no shared secret on the server, nothing to relay. The next time a service you use offers passkeys, take them up on it and see if you like the user experience.

My personal stack, top to bottom:

  1. Password + hardware security key: for accounts that support it. Two separate factors, highest ceiling. I use Proton Pass for password management and YubiKeys for my 2FA.
  2. Passkey in my password manager: the everyday default for everything else that supports it. I keep mine in Proton Pass. I've been actively migrating accounts off TOTP and onto passkeys where the option exists since the security is broadly comparable, but the convenience is meaningfully better, and the phishing resistance is real.
  3. Password + OTP: for everything that hasn't gotten passkey support yet.

Pick one place for your passkeys and stay there. Getting prompts from your browser, OS, and password manager extension all at once is the fastest way to give up on the whole thing.


✅ Henry's Picks

Where to store your passkeys depends mostly on how mixed your device ecosystem is.

  • In your password manager, recommended for most people. Proton Pass, Bitwarden, 1Password, and KeePassXC all support storing and autofilling passkeys. Cross-platform, no ecosystem lock-in, and credentials stay in one vault.
  • In a platform manager. iCloud Keychain for Apple, Google Password Manager for Android/Chrome, or Windows Hello. The right pick if you live almost entirely inside one ecosystem and value the deepest possible integration.
  • On a hardware key. A YubiKey or Nitrokey can store passkeys directly. The highest security ceiling available, with the real cost that you have to carry the key (and ideally a backup).

To check whether a specific service supports passkeys before you set up an account, passkeys.io maintains a directory.

See the broader recommendation set at Techlore's SPA Tools.


🔗 Go Deeper

Related wiki articles:

Techlore content:

  • Go Incognito v2, Lesson 3.4: Passkeys & Passwordless Authentication

External sources:
