
Passkeys vs Passwords: The Future of Login in 2026

Passkeys vs passwords explained for 2026. Learn how passkeys work, why they're more secure than passwords, and how to set them up on major platforms.


Passwords are broken. Not conceptually — the idea of a secret you know is sound — but in practice. People reuse them, forget them, type them into phishing sites, and expose them in breaches. In 2026, passkeys have moved from an experimental standard to mainstream deployment across Apple, Google, Microsoft, and hundreds of services. Here’s what passkeys are, why they’re genuinely more secure, and how to start using them today.

What Is a Passkey?

A passkey is a cryptographic key pair — a private key stored on your device and a public key stored on the server. When you log in, your device signs a challenge from the server using the private key. The server verifies the signature with the public key. Your private key never leaves your device, and there’s no password to steal, phish, or breach.

This is based on the FIDO2/WebAuthn standard, developed by the FIDO Alliance (Apple, Google, Microsoft, and others). Passkeys are not a proprietary technology — they’re an open standard, though implementation details differ between platforms.

Why Passkeys Are More Secure Than Passwords

Phishing-resistant by design. A passkey is cryptographically bound to the specific domain it was created for. If you created a passkey for paypal.com, it will not work on paypa1.com or any other fake site. You literally cannot hand your passkey to a phishing site — the cryptographic binding prevents it.

No shared secret to breach. With passwords, the server stores a hash of your secret. Database breaches expose hashes that can be cracked. With passkeys, the server stores only your public key — mathematically useless to an attacker without your private key.

No credential stuffing. Since every passkey is unique per site, there’s nothing to stuff. Even if one service is compromised, no other account is affected.

Biometric convenience. Unlocking a passkey typically uses Face ID, Touch ID, Windows Hello, or your phone’s PIN. This is faster than typing a password and counts as multi-factor authentication (something you have: the device; something you are: biometrics).

How Passkeys Work in Practice

When you register a passkey on a site like GitHub:

  1. GitHub sends your browser a cryptographic challenge
  2. Your device generates a new public/private key pair for GitHub
  3. The private key is stored in your device’s secure hardware (Secure Enclave on Apple, TPM on Windows)
  4. The public key is sent to GitHub and stored in your account
  5. Your biometric (Face ID, fingerprint) authorizes the key to be used

When you log in:

  1. GitHub sends a challenge
  2. Your device asks you to verify with biometrics
  3. The private key signs the challenge
  4. GitHub verifies the signature with your stored public key — you’re in

The entire process takes under two seconds.
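
The login steps above, and the domain binding described under "Phishing-resistant by design", can be seen in a simplified WebAuthn-style check. This is an added example, not code from GitHub or any platform named here. It uses Node's built-in crypto module, the function names are illustrative, and the authenticator data is reduced to the RP ID hash, flags and counter.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the authenticator creates a key pair scoped to one relying-party ID.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey }; // the server only ever receives publicKey
}

// Device side. The browser, not the page, records the origin that asked for the login.
function signAssertion(passkey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // Authenticator data: SHA-256(rpId) || flags (0x05 = user present + verified) || counter
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signedBytes = Buffer.concat([authData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signedBytes, passkey.privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: returns 'ok' or the first check that failed.
function verifyAssertion(assertion, expected) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
  const signedBytes = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  const valid = crypto.verify('sha256', signedBytes, expected.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad signature';
}

// Constructed scenario using the article's paypal.com / paypa1.com domains.
function demo() {
  const passkey = createPasskey('paypal.com');
  const challenge = crypto.randomBytes(32); // fresh per login attempt
  const expected = { publicKey: passkey.publicKey, challenge,
                     origin: 'https://paypal.com', rpId: 'paypal.com' };
  const check = (ch, origin) => verifyAssertion(signAssertion(passkey, ch, origin), expected);
  return {
    genuine: check(challenge, 'https://paypal.com'),
    lookalike: check(challenge, 'https://paypa1.com'), // signed for the wrong origin
    staleChallenge: check(crypto.randomBytes(32), 'https://paypal.com'),
  };
}

console.log(demo());
```

Because the signature covers the hash of the client data, rewriting the recorded origin after signing does not help: the origin check passes but the signature check fails.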

Where to Enable Passkeys

Google Account: google.com/account → Security → Passkeys → “Use passkeys.” Your passkey is synced to other devices via Google Password Manager.

Apple ID: System Settings → [Your Name] → Sign-In & Security → Passkeys. Passkeys sync to iCloud Keychain across all your Apple devices.

Microsoft Account: account.microsoft.com → Security → Advanced Security Options → Passkeys.

GitHub: Settings → Password and authentication → Passkeys → Add a passkey.

1Password, Bitwarden, and Dashlane all support storing and filling passkeys as of 2024–2025 builds. If you use a cross-platform password manager and don’t want to be locked into Apple or Google’s ecosystem, storing passkeys in Bitwarden (v2024.2+) lets them sync across Android, iOS, Windows, and macOS.

Passkey Syncing and Cross-Device Access

One concern people raise: what happens if you lose your phone?

Platform passkeys sync automatically:

  • Apple: Synced via iCloud Keychain — recoverable on any signed-in Apple device
  • Google: Synced via Google Password Manager — available on any Android device or in Chrome
  • Windows: Stored in Windows Hello credential store, not synced by default (use a third-party manager for cross-device access)

Third-party managers like 1Password and Bitwarden sync passkeys across all platforms, making them the best choice if you use a mix of devices.

Passkeys vs. Hardware Security Keys

Hardware security keys (YubiKey, Google Titan) also use FIDO2, but they store the private key on the physical device itself — not synced anywhere. This is maximally secure but requires carrying the key, and you can be locked out if you lose it without a backup.

Passkeys on your phone or synced through iCloud/Google offer slightly less physical security but are far more practical for everyday use. For most users, synced passkeys represent the right trade-off. For high-security accounts (cryptocurrency, sensitive work accounts), a hardware key remains the gold standard.

Current Limitations

  • Not universally supported yet. Many sites still require a password as a fallback. The transition is happening but not complete.
  • Recovery can be tricky if you lose access to all your devices and your cloud account simultaneously. Always have a recovery method set up.
  • Enterprise environments may have delays — corporate IT policies often lag behind consumer technology.

Getting Started Today

Start by enabling passkeys on your highest-value accounts: Google, Apple ID, Microsoft, GitHub, and any financial services that support them. You don’t have to abandon passwords everywhere at once — passkeys work alongside your password manager during the transition.

Check passkeys.directory for a regularly updated list of services with passkey support. The list has grown from a few dozen in 2023 to over 1,000 services in 2026.

Passwords won’t disappear overnight, but for any account that matters — one worth protecting — enabling a passkey today is the single highest-ROI security action you can take.
