Best Practices | 8 min read | May 17, 2026

Passkeys Explained: The Future of Passwordless Login and How to Use Them

Passkeys are replacing passwords across Google, Apple, Microsoft, and hundreds of major sites — and for good reason. They are phishing-proof, can't be stolen in data breaches, and are faster than typing a password. This guide explains exactly how passkeys work, which accounts support them, and how to set them up today.

What Is a Passkey?

A passkey is a cryptographic credential that replaces your password entirely. Instead of typing a string of characters, your device generates a unique key pair: a public key stored on the website's servers and a private key stored only on your device, protected by your device's unlock method (Face ID, fingerprint, or PIN). When you log in, your device signs a challenge from the server using your private key, proving your identity without ever sending a password across the internet.

This design makes passkeys fundamentally different from passwords. There is no shared secret for an attacker to steal from a database. There is no password to phish out of you with a fake login page. And because the private key never leaves your device, man-in-the-middle attacks are ineffective. Passkeys are built on the FIDO2/WebAuthn standard, developed by the FIDO Alliance with input from Apple, Google, Microsoft, and hundreds of other organizations.

Why Passkeys Are More Secure Than Passwords (and Even 2FA)

Passwords have two fundamental weaknesses: they can be guessed or stolen. Even with two-factor authentication, attackers can run real-time phishing sites that capture your password and 2FA code simultaneously, then relay them to the real site before the code expires. This is exactly how many high-profile account takeovers happen in 2026.

Passkeys eliminate both problems. The private key is bound to the specific website's domain, so even if you are tricked onto a convincing fake site, your passkey will refuse to authenticate — the domain does not match. Combined with the fact that there is no password to leak or reuse, passkeys represent the first authentication method that is genuinely phishing-resistant by design rather than by user vigilance. Use our free password generator for accounts that don't yet support passkeys — until then, a long unique password remains your best defense.

Where You Can Use Passkeys Today

Passkey support has expanded dramatically since 2023. As of 2026, these major platforms support passkeys as a sign-in method:

Google Accounts: Sign in to your Google Account settings, go to Security, and select Passkeys. Google will guide you through creating one on your current device. Once set up, you can sign into Gmail, Google Drive, and all Google services with a fingerprint or Face ID.

Apple ID and iCloud: Apple has built passkey support directly into iOS 16+, macOS Ventura+, and iPadOS 16+. Your passkeys sync automatically across all Apple devices via iCloud Keychain with end-to-end encryption. When a site supports passkeys, Safari will offer to save one automatically — just like it offers to save passwords.

Microsoft accounts: Go to account.microsoft.com, then Security → Advanced Security Options → Passwordless Account to set up a passkey. This works for Outlook, Xbox, and all Microsoft 365 services.

Other major sites: PayPal, GitHub, Shopify, Best Buy, Home Depot, Nvidia, Adobe, DocuSign, and hundreds more now support passkeys. Check passkeys.directory for a current list.

How to Set Up a Passkey Step by Step

The exact process varies slightly by site, but the general flow is consistent:

Step 1: Log into your account using your existing password. Navigate to Security Settings or Account Settings — look for "Passkeys," "Sign-in options," or "Passwordless sign-in."

Step 2: Click "Create a passkey" or "Add a passkey." The site will send a WebAuthn request to your browser.

Step 3: Your device will prompt you to authenticate — typically Face ID, Touch ID, Windows Hello, or your device PIN. This confirms you have physical possession of the device.

Step 4: The passkey is created and stored on your device (and synced to your password manager or iCloud/Google Password Manager). The site stores only your public key.

Next time you log in, simply click "Sign in with passkey" and authenticate with biometrics. No typing required.

Managing Passkeys Across Multiple Devices

One of the most common concerns with passkeys is what happens when you get a new phone or need to log in on a device that doesn't have your passkey. The answer depends on your sync setup:

iCloud Keychain: If you use Apple devices, passkeys sync automatically across iPhone, iPad, and Mac as long as you're signed into the same Apple ID. Getting a new iPhone? Sign in to iCloud on setup and your passkeys follow you automatically.

Google Password Manager: On Android and Chrome, passkeys sync to your Google account and are available across all your Android devices and Chrome installations.

Third-party password managers: NordPass and 1Password both support passkey storage as of 2025, giving you cross-platform sync that works regardless of whether you're on Apple, Android, or Windows.

Cross-device authentication: If you need to sign in on a device that doesn't have your passkey, most sites allow you to authenticate from a nearby device using a QR code. Your phone scans the QR code, you authenticate with biometrics on your phone, and the session is approved on the other device over a secure local channel — your private key still never leaves your phone.

Passkey Setup Checklist

Set up passkeys on these accounts this week, in order of impact:

(1) Your Google or Apple account: this protects your primary identity.

(2) Your password manager, if it supports passkeys.

(3) Your email provider.

(4) Financial accounts that support them.

(5) Any account where you have sensitive personal data.

For everything else, keep using unique, strong passwords stored in your password manager until passkey support arrives.

Recommended Tools

For accounts that don't yet support passkeys, you still need a strong unique password for each one. Use our free password generator to create them, then store them in a password manager. We recommend NordPass (zero-knowledge encryption, free tier available, passkey support) or 1Password for family or team use — both handle passkeys and passwords in one place.

See our full security tools guide for more recommendations.
