Passkeys, explained
Passkeys are a new, password-free way to log in that is more secure and easier than passwords. Here is what they are and how they work.
Passkeys are a newer way to log into websites and apps — without typing a password at all. Instead, you use your phone's Face ID, fingerprint, or PIN to prove it's you. They are more secure than passwords and significantly harder to steal or phish.
You may have already seen passkeys offered by Google, Apple, Microsoft, PayPal, and many other services.
Quick summary
A passkey replaces your password with your device's biometrics (Face ID, fingerprint) or PIN. The login is tied to your device, so it cannot be phished or stolen remotely. When a service offers a passkey, it is worth using — it is more secure than a password plus 2FA in most cases.
Why passkeys are more secure than passwords
Passwords have two fundamental weaknesses:
- They can be stolen — through phishing, data breaches, or malware
- People reuse them — so one breach affects many accounts
Passkeys solve both problems. Here is how:
- A passkey is two linked keys: a private key that lives on your device and a public key that is stored on the website. Neither is useful without the other.
- Nothing is transmitted that can be stolen. When you log in, your device proves it has the private key using cryptography — without sending the key itself.
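- Phishing doesn't work. A passkey is tied to the website it was created for, so your device won't offer it to a look-alike site. Even if you're on a fake site, it doesn't have the server-side key that matches your device's key, so login fails.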
- Your biometrics stay on your device. The website never receives your fingerprint or face data — only the cryptographic proof that your device approved the login.
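The points above can be seen in a small simulation. This is an added example, not code from any passkey provider: it is a simplified model rather than the real WebAuthn message format, and the function names, the Ed25519 key type and the site names are assumptions chosen for illustration.

```javascript
// Added illustration: a simplified model of passkey login, not the real WebAuthn format.
const crypto = require('node:crypto');

// Sign-up: the device makes a key pair for one site. The site only gets the public key.
function createPasskey(site) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { site, privateKey }, server: { site, publicKey } };
}

// The site sends a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge plus the site actually being visited.
// Returns null when the device holds no passkey for that site.
function deviceSign(device, visitedSite, challenge) {
  if (device.site !== visitedSite) return null;
  const signed = Buffer.from(JSON.stringify({ site: visitedSite, challenge }));
  return { signed, signature: crypto.sign(null, signed, device.privateKey) };
}

// Site: accept only a valid signature over its own name and its current challenge.
function serverVerify(server, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { signed, signature } = assertion;
  if (!crypto.verify(null, signed, server.publicKey, signature)) return false;
  const { site, challenge } = JSON.parse(signed.toString());
  return site === server.site && challenge === expectedChallenge;
}

// Constructed scenarios; example.com and examp1e.com are made-up names.
function demo() {
  const { device, server } = createPasskey('example.com');
  const impostor = createPasskey('example.com').device; // different private key
  const c1 = newChallenge();
  const good = deviceSign(device, 'example.com', c1);
  return {
    genuine: serverVerify(server, c1, good),
    fakeSite: serverVerify(server, c1, deviceSign(device, 'examp1e.com', c1)),
    replayed: serverVerify(server, newChallenge(), good),
    wrongKey: serverVerify(server, c1, deviceSign(impostor, 'example.com', c1)),
  };
}

console.log(demo());
```

Only the genuine login succeeds. The private key never leaves the `device` object, and a captured login response is useless for a later attempt because the challenge has changed.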
What logging in with a passkey looks like
In practice, using a passkey is very simple:
1. Go to the website's login page.
2. Click "Sign in with passkey" or enter your username and select the passkey option.
3. Your device prompts you for Face ID, Touch ID, fingerprint, or your device PIN.
4. You're in. That's it.
No password to type. No 2FA code to look up. Fast and secure.
Where passkeys are stored
Passkeys sync through your device's ecosystem:
Passkeys on iPhone, iPad, and Mac are stored in iCloud Keychain. They sync automatically across all your Apple devices signed into the same Apple ID.
If you get a new iPhone, your passkeys transfer automatically. You can view and manage passkeys in Settings → Passwords on iOS, or in System Settings → Passwords on macOS.
On Android, passkeys are stored in Google Password Manager and sync across your Android devices signed into the same Google account.
You can also use third-party managers like 1Password or Bitwarden to store passkeys across platforms.
On Windows, passkeys can be stored in Windows Hello (tied to your Windows account) or in a third-party password manager like 1Password or Bitwarden.
Microsoft is continuously expanding passkey support across Windows and Microsoft accounts.
Creating a passkey
When a site offers a passkey, you'll usually see the option during sign-up or in your account's security settings:
1. Log into your account using your existing password.
2. Go to Security settings and look for "Passkeys" or "Add a passkey."
3. Click to create a passkey. Your device will prompt you to verify with Face ID, fingerprint, or PIN.
4. The passkey is created and saved to your device automatically.
Do I still need a password after setting up a passkey?
It depends on the service. Some services — like Apple, Google, and GitHub — allow you to go fully passwordless and use only a passkey. Others keep your password as a fallback.
Even if a password exists as a backup, you should still make it strong and unique. See How to create strong passwords.
Do passkeys replace 2FA?
Passkeys are considered equivalent to or stronger than a password plus 2FA — because they combine "something you have" (your device) with "something you are" (your biometrics). Many security experts consider a passkey to be a strong single-factor login on its own.
That said, some high-security accounts still layer passkeys with additional verification. Follow the recommendations of each service.