What Is a Passkey?

Passkeys replace passwords with cryptographic keys stored on your device

A passkey is a new type of login credential that replaces your password entirely. Instead of typing a secret phrase, you authenticate using a cryptographic key pair stored on your device, confirmed with biometrics (fingerprint or face) or your device PIN.

Passkeys are built on the FIDO2/WebAuthn standard, developed by the FIDO Alliance (a consortium including Apple, Google, Microsoft, Amazon, and others). They're designed to be simultaneously more secure and easier to use than passwords.

How Passkeys Work

Passkeys use asymmetric cryptography, the same technology that secures HTTPS websites. Here's the process:

Registration (Setting Up a Passkey)

  1. You visit a website and choose to create a passkey
  2. Your device generates a key pair: a private key (stays on your device, never shared) and a public key (sent to the website)
  3. The website stores the public key associated with your account
  4. Your private key is protected by your device's biometrics or PIN

Authentication (Logging In With a Passkey)

  1. You visit the website and tap "Sign in with passkey"
  2. The website sends a cryptographic challenge to your device
  3. Your device asks you to verify your identity (Face ID, fingerprint, or PIN)
  4. Your device signs the challenge with your private key and returns the signature
  5. The website verifies the signature using your stored public key
  6. You're logged in; no password was transmitted

Why Passkeys Are More Secure Than Passwords

  • Phishing-proof: Your private key never leaves your device, and the signature only works for the exact website that requested it. A fake phishing site cannot trick your device into signing in to another domain.
  • Not reusable across sites: Each passkey is unique to each website. A breach at one site doesn't affect others.
  • No password to steal: There's nothing in a database to breach. The website only stores your public key, which is useless without your private key.
  • No password to forget: You never need to remember or type anything.
  • Brute force infeasible: Guessing a private key by brute force is computationally infeasible (256-bit cryptography).
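
The registration and sign-in steps above, and the phishing-resistance point in this list, modelled as an added example (not code from this site or from any FIDO library). It is a simplified Node.js model of a WebAuthn sign-in: the signed-data layout follows the standard, while `shop.example`, `shop-example.test` and the function names are constructed for illustration.

```javascript
// Simplified model of a WebAuthn sign-in. Domains and function names are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the device creates the key pair; the site stores only the public key.
function register(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, server: { rpId, origin: `https://${rpId}`, publicKey } };
}

// Browser + authenticator: the browser, not the page, writes the origin into clientDataJSON.
// (A real browser also refuses outright when the page's domain does not match the rpId.)
function signAssertion(device, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authData = Buffer.concat([sha256(device.rpId), flags, Buffer.alloc(4)]); // counter 0
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign('sha256', signed, device.privateKey) };
}

// Website: every check must pass before a session is created.
function verifyAssertion(server, expectedChallenge, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== server.origin) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(server.rpId))) return 'rpId mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return verify('sha256', signed, server.publicKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { device, server } = register('shop.example');
  const challenge = randomBytes(32);
  const good = signAssertion(device, challenge, 'https://shop.example');
  // Look-alike page relays the real challenge; the recorded origin gives it away.
  const relayed = signAssertion(device, challenge, 'https://shop-example.test');
  return {
    genuine: verifyAssertion(server, challenge, good),
    relayed: verifyAssertion(server, challenge, relayed),
    replayed: verifyAssertion(server, randomBytes(32), good), // old answer, new challenge
  };
}

console.log(demo());
```

The fresh random challenge is what stops a captured response from being replayed, and the origin and rpId checks are what bind the signature to one website.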

Passkeys vs Passwords vs 2FA

Feature               | Password only | Password + TOTP 2FA | Passkey
Phishing resistant    | No            | Partial             | Yes
Breach resistant      | No            | Partial             | Yes
Requires memorisation | Yes           | Yes                 | No
Works offline         | Yes           | Yes                 | Yes (with device)
Login speed           | Slow          | Slowest             | Fastest
Adoption              | Universal     | Wide                | Growing

Where You Can Use Passkeys Today (2025)

Passkey support has grown rapidly. Major services supporting passkeys include:

  • Google — sign in to your Google account with a passkey
  • Apple — iCloud, App Store (built into iOS 16+, macOS Ventura+)
  • Microsoft — personal Microsoft accounts
  • GitHub — full passkey support
  • PayPal — passwordless login
  • Shopify
  • Best Buy, Walmart, Target
  • Hundreds more via password managers (1Password, Bitwarden)

Test whether your browser supports passkeys using our free Passkey Tester.

Where Are Passkeys Stored?

  • iPhone/iPad: iCloud Keychain (syncs across Apple devices)
  • Android: Google Password Manager (syncs across Android devices)
  • Windows: Windows Hello credential store
  • Password managers: 1Password, Bitwarden, Dashlane (cross-platform)

Do Passkeys Replace 2FA?

Passkeys effectively replace both your password and your 2FA in one step. They satisfy two factors simultaneously: possession (your device with the private key) and inherence (biometric confirmation). This means passkey login is considered equivalent to or stronger than password + TOTP.

For accounts that still only support passwords and TOTP (which will be the majority for years), TOTP 2FA remains essential. You can generate TOTP codes instantly with our free 2FA generator.

Frequently Asked Questions

What happens if I lose my device with my passkeys?

Because passkeys sync to iCloud Keychain or Google Password Manager, they automatically restore when you sign into your account on a new device. You can also revoke passkeys from a lost device in your account's security settings.

Can I use passkeys on multiple devices?

Yes, in two ways: (1) Synced passkeys: passkeys stored in iCloud, Google, or a password manager sync automatically to all your devices in the same ecosystem. (2) Cross-device authentication: you can use your phone to authenticate on another device (like a laptop) by scanning a QR code.

Are passkeys truly more secure than a strong password + TOTP?

Against phishing attacks: yes, passkeys are definitely more secure because they're phishing-proof. Against other attack vectors: they're comparable or better. A strong password + TOTP is still excellent security; passkeys just remove the phishing vulnerability.

What if I don't have biometrics on my device?

Passkeys fall back to your device PIN or password if biometrics aren't available. The security model is that your device is the authenticator; how you unlock your device is a separate question.

Will passkeys completely replace passwords?

Eventually. That's the stated goal of the FIDO Alliance. The transition will take many years because billions of existing accounts use passwords. The most likely near-term outcome is passkeys becoming the primary method for major platforms while passwords remain as fallbacks.

Written by Shoyeb Akter

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.