Passwords have been the foundation of digital authentication for over 50 years, and for nearly that entire time, we have known they are deeply flawed. People choose weak ones, reuse them across sites, fall for phishing attacks, and forget them constantly. The industry has tried to patch passwords with complexity requirements, two-factor authentication, and password managers -- all worthwhile improvements, but all workarounds for a fundamentally broken model. Passkeys aim to replace that model entirely.
What Are Passkeys?
Passkeys are a new authentication standard built on the FIDO2 and WebAuthn protocols, developed collaboratively by the FIDO Alliance, Apple, Google, and Microsoft. Instead of a shared secret (like a password that both you and the server know), passkeys use public-key cryptography to authenticate you without ever transmitting a secret that could be captured and reused.
When you create a passkey for a website, your device generates a pair of cryptographic keys:
- Private key: Stays on your device (or synced across your devices through your platform's credential manager). It never leaves your control and is never shared with the website.
- Public key: Sent to the website's server and stored there. Even if an attacker breaches the server and steals every public key, those keys are useless for logging in -- they can only verify authentication attempts, not create them.
The passkey is also bound to the specific domain of the website where it was created. This is a critical design feature: a passkey created for bank.com will simply not work on b4nk.com or any other lookalike domain, making passkeys inherently phishing-resistant.
How Passkeys Work
The authentication flow is elegant in its simplicity, even though powerful cryptography operates behind the scenes:
- Registration: When you first set up a passkey on a website, your device generates the key pair. The public key is sent to the server. The private key is secured in your device's hardware-backed secure storage (Apple Secure Enclave, Android TEE, or Windows TPM).
- Authentication: When you return to log in, the server sends a fresh random challenge to your device. Your device uses the private key to sign that challenge and sends the signed response back. The server verifies the signature using the stored public key. If the signature verifies, you are authenticated; because each challenge is used only once, a captured response cannot be replayed.
- Local verification: Before your device signs the challenge, it verifies your identity locally -- typically through a biometric scan (Face ID, fingerprint) or a device PIN. This ensures that even if someone has physical access to your device, they cannot use your passkeys without also passing local authentication.
The entire process takes about a second and feels as natural as unlocking your phone. No password is typed, transmitted, or stored on any server.
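The registration and challenge-response flow above, together with the domain binding described earlier, as an added Go example that is not part of the original article. It is a constructed, simplified model of the exchange rather than the WebAuthn wire format: the names Authenticator, RelyingParty, Register, Sign and Verify are assumed here, and the origin check in Sign stands in for the browser's and authenticator's relying-party-ID scoping.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed, simplified model of the WebAuthn exchange (not the real wire format): the
// authenticator keeps the private key, scoped to the domain (rpID) the passkey was created
// for; the relying party (the website) stores only the public key and its own domain.
type Authenticator struct{ priv *ecdsa.PrivateKey; rpID string }
type RelyingParty struct{ id string; pub *ecdsa.PublicKey }

// clientData mirrors WebAuthn's clientDataJSON: the browser records the origin it is on, and
// that origin is covered by the signature, which is what makes a passkey domain-bound.
type clientData struct{ Challenge []byte `json:"challenge"`; Origin string `json:"origin"` }
// Register generates a P-256 key pair on the device; only the public half goes to the server.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv, rpID}, &RelyingParty{rpID, &priv.PublicKey}, nil
}

// Sign is the browser asking the authenticator for an assertion, passing the origin it is
// actually on. A lookalike domain has no matching credential, so nothing is signed.
func (a *Authenticator) Sign(origin string, challenge []byte) (cd, sig []byte) {
	if origin != a.rpID {
		return nil, nil
	}
	cd, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig
}

// Verify checks that the signed data names the server's own origin and the fresh challenge
// it issued (an old signature cannot be replayed), then checks it with the stored public key.
func (rp *RelyingParty) Verify(issued, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != rp.id || string(c.Challenge) != string(issued) {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```

Sign yields nothing for a lookalike such as b4nk.com, and Verify rejects an assertion whose signed client data names another origin, a stale challenge, or a different key pair.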
Passkeys vs. Passwords
The advantages of passkeys over passwords are not incremental improvements -- they represent a structural shift in how authentication security works:
- Nothing to remember or steal: There is no password to forget, to write on a sticky note, or for an attacker to extract from a phishing page. The cryptographic key exists only on your device, protected by hardware.
- Phishing-resistant by design: Because passkeys are bound to the exact domain where they were created, a fake website cannot trigger the passkey. This is not a feature that relies on user vigilance -- the browser and authenticator check the origin before anything is signed, and the origin itself is part of the signed data, so the protocol enforces it.
- Immune to credential stuffing: There is no password database on the server to breach. Even if an attacker compromises a server, the public keys they find cannot be used to authenticate on any site.
- Automatically unique per site: Every passkey is a unique key pair. There is no concept of "reusing" a passkey across sites the way people reuse passwords. Each site gets its own cryptographic relationship with your device.
- No server-side secret to protect: With passwords, the server must store password hashes, and a breach exposes those hashes for offline cracking. With passkeys, the server stores only public keys, which have no value to an attacker.
Current Support
Passkey adoption has accelerated rapidly since Apple, Google, and Microsoft all committed to the standard in 2022. Here is where things stand:
- Apple: Passkeys sync across all Apple devices through iCloud Keychain. Supported in Safari and across iOS, iPadOS, and macOS. Apple has also enabled cross-device authentication, allowing you to scan a QR code on a nearby Apple device to log in on a non-Apple platform.
- Google: Passkeys are supported through Google Password Manager on Android and Chrome. Google accounts themselves support passkey login, and the feature syncs across Android devices.
- Microsoft: Windows Hello supports passkeys through the Windows TPM. Microsoft accounts and Azure AD support passkey authentication.
- Major websites: Google, Apple, Microsoft, GitHub, Amazon, PayPal, eBay, Best Buy, Kayak, and dozens more now support passkeys. The list grows monthly.
- Password managers: Bitwarden, 1Password, and Dashlane now support storing and syncing passkeys, providing a cross-platform solution that is not tied to a single ecosystem.
Challenges and Limitations
Despite their clear advantages, passkeys face real adoption challenges that will take time to resolve:
- Account recovery complexity: If you lose all your devices and do not have your passkeys synced to a cloud account, recovering access to your accounts becomes difficult. This is the inherent trade-off of eliminating shared secrets -- there is no password to "reset." Services are developing recovery flows, but the problem is harder than password reset.
- Cross-platform sync is still evolving: If you use an iPhone, a Windows PC, and a Chromebook, your passkeys may live in different ecosystems that do not sync with each other natively. Third-party password managers that support passkeys are the current solution, but the experience is not yet seamless everywhere.
- Not universal yet: Many websites and services still do not support passkeys. During this transition period, you will need to manage both passwords (with a password manager) and passkeys simultaneously.
- User education: Passkeys are a new concept for most people. The mental model of "signing in with your face" instead of typing a password requires adjustment, and some users are hesitant to adopt something they do not fully understand.
Despite these challenges, the trajectory is clear. Passkeys solve the most fundamental problems with password-based authentication -- phishing, reuse, and server-side breach risk -- at a protocol level. Every major platform vendor and an increasing number of services have committed to the standard. For now, the practical advice is to enable passkeys wherever they are offered, keep your password manager for sites that have not adopted them yet, and look forward to a future where "forgot my password" is a relic of the past.