Passkeys Explained: The Future of Passwordless Login and How to Use Them
Passkeys are replacing passwords across Google, Apple, Microsoft, and hundreds of major sites — and for good reason. They are phishing-proof, can't be stolen in data breaches, and are faster than typing a password. This guide explains exactly how passkeys work, which accounts support them, and how to set them up today.
What Is a Passkey?
A passkey is a cryptographic credential that replaces your password entirely. Instead of typing a string of characters, your device generates a unique key pair: a public key stored on the website's servers and a private key stored only on your device, protected by your biometrics (Face ID, fingerprint, or PIN). When you log in, your device signs a challenge from the server using your private key — proving your identity without ever sending a password across the internet.
This design makes passkeys fundamentally different from passwords. There is no shared secret for an attacker to steal from a database. There is no password to phish out of you with a fake login page. And because the private key never leaves your device, man-in-the-middle attacks are ineffective. Passkeys are built on the FIDO2/WebAuthn standard, developed by the FIDO Alliance with input from Apple, Google, Microsoft, and hundreds of other organizations.
The technology has been maturing since the FIDO2 specification was finalized in 2018, but 2023 marked the inflection point when Apple, Google, and Microsoft simultaneously rolled out consumer-facing passkey support across their platforms. By 2026, passkeys are supported on over 1,000 websites and apps, and the major platforms have made it seamless enough that most people can set up their first passkey in under two minutes.
Why Passkeys Are More Secure Than Passwords — and Even 2FA
Passwords have two fundamental weaknesses: they can be guessed or stolen. Even with two-factor authentication, attackers can run real-time phishing sites that capture your password and 2FA code simultaneously, then relay them to the real site before the code expires. This is exactly how many high-profile account takeovers happen in 2026.
Passkeys eliminate both problems. The private key is bound to the specific website's domain, so even if you are tricked onto a convincing fake site, your passkey will refuse to authenticate — the domain does not match. Combined with the fact that there is no password to leak or reuse, passkeys represent the first authentication method that is genuinely phishing-resistant by design rather than by user vigilance.
Consider the threat model in concrete terms. In a standard password + SMS 2FA scenario, an attacker who runs a phishing site can capture your credentials in real time and log in before the SMS code expires. Against passkeys, that same phishing site gets nothing useful — the challenge-response cycle is cryptographically tied to the legitimate domain, and any attempt to replay the authentication on a different domain fails at the protocol level. No amount of social engineering can extract a passkey from a device because there is no human-readable secret to extract.
Passkeys are also immune to credential stuffing. Since nothing is stored on the server that can be reversed into a usable credential, a breach of the website's user database exposes only public keys — mathematically useless to an attacker without the corresponding private key on your device.
Where You Can Use Passkeys Today
Passkey support has expanded dramatically since 2023. As of 2026, these major platforms support passkeys as a sign-in method:
Google Accounts: Sign in to your Google Account settings, go to Security, and select Passkeys. Google will guide you through creating one on your current device. Once set up, you can sign into Gmail, Google Drive, and all Google services with a fingerprint or Face ID.
Apple ID and iCloud: Apple has built passkey support directly into iOS 16+, macOS Ventura+, and iPadOS 16+. Your passkeys sync automatically across all Apple devices via iCloud Keychain with end-to-end encryption. When a site supports passkeys, Safari will offer to save one automatically — just like it offers to save passwords.
Microsoft accounts: Go to account.microsoft.com, then Security → Advanced Security Options → Passwordless Account to set up a passkey. Works for Outlook, Xbox, and all Microsoft 365 services.
Other major sites: PayPal, GitHub, Shopify, Best Buy, Home Depot, Nvidia, Adobe, DocuSign, X (Twitter), LinkedIn, TikTok, Nintendo, Sony PlayStation, and hundreds more now support passkeys. Check passkeys.directory for a current, maintained list. Banks including Bank of America, Citi, and Coinbase have also rolled out passkey support for mobile and web sign-in.
The rate of adoption is accelerating: most major consumer platforms have either shipped passkeys or announced timelines. By the end of 2026, industry analysts expect passkeys to be available on over 90% of top-100 consumer websites.
How to Set Up a Passkey Step by Step
The exact process varies slightly by site, but the general flow is consistent and takes under two minutes:
Step 1: Log into your account using your existing password. Navigate to Security Settings or Account Settings — look for "Passkeys," "Sign-in options," or "Passwordless sign-in."
Step 2: Click "Create a passkey" or "Add a passkey." The site will send a WebAuthn request to your browser.
Step 3: Your device will prompt you to authenticate — typically Face ID, Touch ID, Windows Hello, or your device PIN. This confirms you have physical possession of the device.
Step 4: The passkey is created and stored on your device (and synced to your password manager or iCloud/Google Password Manager). The site stores only your public key.
Step 5: Next time you log in, simply click "Sign in with passkey" and authenticate with biometrics. No typing required.
A practical note: most sites don't immediately remove your password when you add a passkey. They typically leave both options available, letting you build confidence with passkeys before fully committing. Some sites, like Google, now prompt you to upgrade to passkey by default at next login on supported devices.
Managing Passkeys Across Multiple Devices
One of the most common concerns about passkeys is what happens when you get a new phone, lose a device, or need to log in somewhere that doesn't have your passkey stored. The answer depends on your sync setup — and getting this right is critical before you rely on passkeys for important accounts.
iCloud Keychain: If you use Apple devices, passkeys sync automatically across iPhone, iPad, and Mac as long as you're signed into the same Apple ID. Getting a new iPhone? Sign in to iCloud on setup and your passkeys follow you automatically. Apple's sync is end-to-end encrypted — even Apple cannot see your private keys.
Google Password Manager: On Android and Chrome, passkeys sync to your Google account. Available across all your Android devices and Chrome installations. Like iCloud Keychain, the sync is end-to-end encrypted and Google cannot access the private keys.
Third-party password managers: NordPass and 1Password both support passkey storage, giving you cross-platform sync that works regardless of whether you're on Apple, Android, or Windows. This is the best choice if you regularly use multiple platforms or want a single tool managing both passkeys and traditional passwords.
Cross-device authentication: If you need to sign in on a device that doesn't have your passkey — say, a work computer where you haven't set one up — most sites allow you to authenticate from a nearby device using a QR code. Your phone scans the QR code, you authenticate with biometrics on your phone, and the session is approved on the other device over a secure Bluetooth/proximity channel. Your private key still never leaves your phone, and the authentication is still phishing-resistant.
Passkeys vs. Password Managers: Do You Still Need Both?
Yes — at least for now. Passkeys are winning the long game, but they aren't yet available everywhere, and a transition period will last several more years. You still need a password manager for the hundreds of sites that haven't yet adopted passkeys, for generating unique strong passwords, and for storing recovery codes.
The good news is that the best password managers have evolved to handle both. NordPass stores and autofills both passkeys and traditional passwords, with a zero-knowledge architecture that keeps your vault encrypted on-device. 1Password takes the same approach and adds a Travel Mode feature that's useful if you cross borders and are concerned about device search.
For accounts that don't yet support passkeys, use our free password generator to create a unique 16+ character random password for each. Store every one in your password manager. Never reuse. That's still the correct approach for the majority of your accounts in 2026.
See our passkeys vs. passwords comparison for a deeper look at how the two approaches stack up, and our 2FA guide if you're not yet using two-factor authentication and want an intermediate step while you wait for passkey support to arrive.
What to Do If You Lose Your Device
Losing the device that holds your passkeys feels alarming, but it is not catastrophic if you've planned ahead. Here is what to do:
If you use iCloud Keychain: Sign in to iCloud.com and use Find My to remotely erase the lost device. Your passkeys remain on your other Apple devices and will re-sync to a replacement. Log in to any important accounts using a backup device or the cross-device QR code flow described above, then optionally revoke the old device's passkeys from each site's security settings.
If you use Google Password Manager: Go to myaccount.google.com → Security → Your devices and sign out all sessions on the lost device. Your passkeys on other Android/Chrome devices are unaffected. You can also use account recovery options to regain access to the Google account if needed.
If you use a third-party manager: Log in to your NordPass or 1Password account from another device and access your vault normally — the passkeys stored there remain available across your other devices.
Always set up passkeys on more than one device. Add passkeys on your phone and your laptop for critical accounts. This gives you redundancy: if one device is unavailable, the other still works. Most sites also let you add multiple passkeys — one per device — rather than requiring a single shared credential.
Common Passkey Questions
Can someone steal my passkey if they steal my phone? Not easily. The private key is locked behind your biometrics or PIN. On modern smartphones, the key is stored in a hardware-backed secure enclave (Apple's Secure Element, Android's StrongBox) — even if the phone is forensically analyzed, the private key cannot be extracted without the biometric unlock.
What if I forget my PIN? On most platforms, your account recovery process (email recovery, backup codes, or identity verification) still applies. Passkeys are a sign-in method, not your only recovery option. Always save backup codes when a site offers them.
Are passkeys truly phishing-proof? Yes, by design. The WebAuthn protocol binds the authentication to the exact origin (domain + protocol). A phishing site at fake-google.com cannot trigger a passkey challenge for accounts.google.com — the protocol rejects the request before it even reaches your device's biometric prompt.
Do passkeys work offline? The private key is stored locally, so the biometric verification happens on-device without internet. However, the authentication challenge from the server requires an internet connection to reach the site. You cannot log in offline to an online service, but your private key isn't dependent on any cloud infrastructure to exist.
Passkey Setup Checklist
Set up passkeys on these accounts this week, in order of impact: (1) Your Google or Apple account — this protects your primary identity. (2) Your password manager, if it supports passkeys. (3) Your email provider. (4) Financial accounts that support them. (5) GitHub, Shopify, PayPal if relevant to your work. (6) Any account where you have sensitive personal data. For everything else, keep using unique, strong passwords stored in your password manager until passkey support arrives. Check your password security audit checklist for a full review of which accounts need attention.
Recommended Tools
For accounts that don't yet support passkeys, you still need a strong unique password for each one. Use our free password generator to create them, then store them in a password manager. We recommend NordPass (zero-knowledge encryption, free tier available, full passkey support) or 1Password for family or team use — both handle passkeys and passwords in one place, so you never need to think about which type of credential you're managing.
See our full security tools guide for more recommendations on protecting your online accounts in 2026.
Recommended next step
See recommended security tools
Use the generator for new credentials, then store them in a manager built for long-term password hygiene.
See recommended security tools →Keep Improving Your Account Security
- Browse the phishing hub for the complete set of related guides.
- Are Passkeys Replacing Passwords in 2026? What You Need to Know
- MFA Fatigue Attacks: How Push Notification Abuse Bypasses Two-Factor Authentication
- How to Secure Your Facebook Account: The Complete 2026 Guide
- How to Secure Your Microsoft Account: Passwords, 2FA, and Recovery Options