What Are Passkeys? The Future of Passwords Explained (2025)

Updated June 2026 · 12 min read · KeyVaultUSA Editorial Team

Passkeys are the most significant change to online authentication since passwords were invented. Google, Apple, Microsoft, Amazon, GitHub, PayPal, and hundreds of other major websites now support them — and security experts universally agree they are safer than passwords. But what exactly is a passkey, how does it work, and should you start using them today? This guide explains everything in plain English, no cryptography degree required.

The One-Line Summary

A passkey lets you log in with your fingerprint, face, or device PIN — no password to remember, no password to steal, no phishing possible.

What Is a Passkey?

A passkey is a digital credential that proves your identity to a website — but unlike a password, it is never something you type, remember, or transmit. Instead, a passkey is a pair of mathematically linked cryptographic keys:

  • Private key — stored securely on your device (phone, laptop). It never leaves your device and is never shared with the website.
  • Public key — given to the website when you create the passkey. The website stores this (just like it stores your username).

To log in, the website sends your device a challenge. Your device uses your private key to sign the challenge — but only after you verify your identity with Face ID, Touch ID, fingerprint, Windows Hello, or PIN. The website verifies the signature with the public key. If it matches, you're in. No password transmitted. No password stored anywhere that could be stolen.

How Passkeys Work — The Plain-English Version

Think of it like a padlock and key. You give the website a padlock (public key). You keep the key (private key) in your pocket — or more accurately, inside your phone's secure chip. When you want to log in, the website says "prove you have the key by unlocking this specific padlock." Your phone unlocks it (after verifying it's you via biometrics) and sends back the proof. The website sees the padlock was opened correctly and lets you in.

The critical security property: the key never leaves your device. Even if the website's database is completely stolen, the attacker only gets padlocks — useless without your key.

The Technical Layer (Optional Reading)

For readers who want more depth: passkeys use the WebAuthn/FIDO2 standard. The private key is generated inside the device's Trusted Execution Environment (TEE) or Secure Enclave (Apple) — hardware-isolated chips designed to store cryptographic material that cannot be extracted, even if the device's OS is compromised. When you unlock a passkey with Face ID, the biometric verification happens entirely within this secure chip — your face scan never leaves the chip, and the private key never leaves the chip. The authentication flow uses asymmetric cryptography (typically EC P-256).
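
The challenge-and-signature login described above, together with the origin check that makes a look-alike site useless, as an added example (not code from this article or from any passkey vendor). It is a simplified sketch of what a website checks under WebAuthn: example.com, example.net and the function names are constructed for illustration, and real authenticator data carries more fields than shown.

```javascript
// Added example: simplified WebAuthn-style login check, not a full implementation.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Registration: the device makes a P-256 key pair; only publicKey goes to the site.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}
// Device side: the browser, not the page, fills in the origin it is really on.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // Simplified authenticator data: SHA-256(rpId) || flags || 4-byte counter.
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Website side: require our fresh challenge, our origin, and a valid signature.
function verifyAssertion(publicKey, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'wrong challenge';
  if (client.origin !== expected.origin) return 'wrong origin';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'wrong rpId';
  if ((a.authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed demo values: example.com is the real site, example.net a look-alike.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const other = createPasskey(); // someone who lacks the user's private key
  const site = { rpId: 'example.com', origin: 'https://example.com', challenge: crypto.randomBytes(32) };
  const good = signAssertion(privateKey, site.rpId, site.origin, site.challenge);
  // A real device would not offer this passkey on example.net; this is the server-side barrier.
  const phished = signAssertion(privateKey, 'example.net', 'https://example.net', site.challenge);
  const forged = signAssertion(other.privateKey, site.rpId, site.origin, site.challenge);
  const nextLogin = { ...site, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(publicKey, site, good),
    phished: verifyAssertion(publicKey, site, phished),
    forged: verifyAssertion(publicKey, site, forged),
    replayed: verifyAssertion(publicKey, nextLogin, good), // old answer, new challenge
  };
}
console.log(demo());
```

Only the genuine login is accepted; the look-alike origin, the signature made without the user's private key, and the reused answer are each rejected at a different check.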

Passkeys vs Passwords — Direct Comparison

| Security Factor | Password | Passkey |
|---|---|---|
| Can be phished | ✗ Yes — fake sites steal them | ✓ No — cryptographically bound to origin |
| Can be guessed | ✗ Yes — brute force | ✓ No — mathematically infeasible |
| Can be stolen from a DB breach | ✗ Yes — hashed passwords cracked | ✓ No — only public keys stored on servers |
| Reuse across sites is possible | ✗ Yes — dangerous | ✓ Unique per site by design |
| Requires 2FA for full security | ✗ Yes | ✓ 2FA built-in (biometric = possession + inherence) |
| Works without internet | ✓ Yes | ✓ Yes (device-local verification) |
| User needs to remember it | ✗ Yes (or use a manager) | ✓ No |

Which Websites Support Passkeys in 2025?

Passkey adoption has accelerated dramatically. Major sites that support passkeys as of 2025:

  • Google — Sign in to your Google Account with a passkey (face/fingerprint on phone or laptop)
  • Apple ID — Full passkey support on iOS 16+, macOS Ventura+
  • Microsoft — Microsoft accounts support passkeys for Windows login and outlook.com
  • Amazon — Passkey login on amazon.com and the mobile app
  • GitHub — Developer-focused passkey support with full FIDO2 compliance
  • PayPal — Passkey login for PayPal accounts on supported devices
  • Shopify — Merchant and customer passkey support
  • Adobe — Passkey login for Creative Cloud accounts
  • Nintendo — Nintendo Account passkey support
  • Best Buy, Target, Walmart — Major US retailers adding passkey support

The full list is growing rapidly. Check passkeys.directory for an up-to-date, searchable list of all passkey-supporting websites and apps.

How to Create a Passkey — Step by Step

On iPhone (iOS 16+)

  1. Go to the website (e.g., google.com) → Security Settings → find "Passkeys" or "Sign-in options"
  2. Click "Create a passkey" or "Add passkey"
  3. A dialog appears asking if you want to save the passkey — tap "Continue"
  4. Authenticate with Face ID or Touch ID
  5. Done — your passkey is saved in iCloud Keychain and synced to all your Apple devices

On Android (Android 9+)

  1. Go to the website in Chrome → Security → Passkeys → Create passkey
  2. Google Password Manager prompts to save the passkey
  3. Authenticate with fingerprint or face
  4. Passkey saved and synced across your Android devices via Google Password Manager

Using a Password Manager (Cross-Platform)

1Password (version 8+) and Bitwarden (2024+) can store passkeys and sync them across all your devices — including cross-platform (iPhone + Windows, Android + Mac). This is the best approach for users who want passkeys to work regardless of which device or OS they're on.

Do You Still Need a Password Manager With Passkeys?

Yes — for several reasons:

  1. Not all sites support passkeys yet. The vast majority of websites still use passwords. You need a password manager for all of those.
  2. Password managers now store passkeys too. 1Password and Bitwarden can store and sync passkeys cross-platform — unlike iCloud Keychain (Apple-only) or Google Password Manager (Android/Chrome-centric). If you use multiple device ecosystems, a password manager provides universal passkey access.
  3. Transition will take years. Security researchers estimate 5–10 years for passkeys to fully replace passwords across the web. In the meantime, you'll have a mix of passkeys (new sites) and passwords (legacy sites). A password manager handles both.
  4. Other sensitive data. Password managers store credit cards, secure notes, software licenses, and SSH keys — things passkeys don't replace.

1Password and Bitwarden both now support passkeys natively — they'll become even more valuable as the passkey transition accelerates.

Risks and Limitations of Passkeys

  • Device dependency: If you lose your phone and don't have a recovery method set up, you may be locked out of sites. Mitigation: store passkeys in a syncing manager (iCloud Keychain, Google Password Manager, or 1Password) rather than only on a single device.
  • Cross-platform friction: A passkey on an iPhone doesn't automatically work on Windows. Solutions: use QR code proximity authentication (scan your phone's passkey from a Windows laptop via Bluetooth/camera), or use a cross-platform password manager like 1Password.
  • No password fallback on some sites: A few sites that implement passkeys remove the password option entirely, which can be problematic if you lose your device before setting up backup authentication.
  • Corporate/enterprise complexity: IT provisioning of passkeys for employees and shared accounts is still evolving. Passwords remain the enterprise standard in most organizations for now.

Frequently Asked Questions

Can passkeys be hacked?

In theory, if someone gains physical access to your unlocked device, they could use your passkeys. In practice, this requires both physical device theft AND bypassing biometric/PIN authentication. This is vastly harder than stealing a password from a phishing email or database breach. Passkeys have no practical equivalent of "weak password" — there's no variation in strength.

What happens if I get a new phone?

If your passkeys are stored in iCloud Keychain (iPhone), they automatically migrate to your new iPhone when you restore from backup or sign in with your Apple ID. Same with Google — passkeys restore to new Android devices via Google Account sync. With a password manager like 1Password, simply sign in on the new device and all passkeys are available.

Are passkeys available on older devices?

iOS 16+, Android 9+, Windows 10+ with Windows Hello, and macOS Ventura+ all support passkeys. For older devices, you can use a phone as a passkey authenticator via QR code (your phone authenticates and proves your identity to the browser on an older device over Bluetooth proximity).

Should You Start Using Passkeys Now?

Yes — for supported sites, always choose passkeys over passwords. For Google, Apple, Amazon, GitHub, and any other site that offers them, creating a passkey takes 30 seconds and immediately eliminates phishing risk for that account. There is no downside for the user — passkeys are faster (one touch vs. typing a password), more secure, and require no memorization.

Keep your password manager for the (many) sites that don't yet support passkeys. Think of this as a transition period: passkeys where available, strong passwords + 2FA everywhere else. The full passwordless future is coming — but probably 5+ years away from being universal.
