Passwords are terrible. You know it. I know it. Security researchers have known it for decades. People reuse them, make them weak, forget them, and fall for phishing attacks that steal them. Passkeys are the industry’s answer — a password replacement backed by Apple, Google, and Microsoft that’s cryptographically stronger, phishing-proof, and easier to use. They’re rolling out across major services right now, and within a few years, passwords will feel as quaint as fax machines.
How Passkeys Work
When you create a passkey for a website, your device generates a pair of cryptographic keys. The private key stays on your device and never leaves it. The public key goes to the website. When you log in, the website sends a challenge, your device signs it with the private key, and the website verifies it with the public key. You authenticate with biometrics (Face ID, fingerprint) or your device PIN. No password is ever transmitted, stored on a server, or vulnerable to phishing.
This is why passkeys are phishing-proof. Even if you land on a fake login page, there’s nothing to steal — no password to type, and the cryptographic challenge only works with the real website. A phishing site can’t replicate the cryptographic handshake.
Where Passkeys Work Today
Google, Apple, Microsoft, Amazon, PayPal, eBay, WhatsApp, TikTok, GitHub, Shopify, Best Buy, Kayak, and hundreds of other major services support passkeys. Apple stores passkeys in iCloud Keychain and syncs them across all your Apple devices. Google stores them in Google Password Manager. 1Password and Dashlane support passkeys in their password managers for cross-platform use. The list of supported services grows weekly.
Setting Up Passkeys
On most services, go to account security settings and look for “Passkey” or “Sign in with passkey.” Click create, authenticate with biometrics, and you’re done. The next time you log in, you’ll see a passkey prompt instead of a password field. Tap it, verify with Face ID or fingerprint, and you’re in. The whole process takes about 3 seconds. No typing, no remembering, no password manager lookup.
Passkeys vs Passwords vs 2FA
Passwords are something you know. They can be guessed, stolen, phished, or leaked in data breaches. 2FA adds a second factor (something you have) but still relies on a password as the first factor. Passkeys replace both with a single cryptographic authentication that’s inherently two-factor: something you have (your device) and something you are (biometrics). Passkeys are more secure than password + 2FA combined, and they’re faster to use.
The Limitations (For Now)
Cross-platform sync is still messy. If you use an iPhone and a Windows PC, your passkeys don’t automatically sync between Apple’s ecosystem and Windows. Third-party password managers like 1Password bridge this gap, but it adds complexity. Not all services support passkeys yet. Major services do, but smaller websites and apps still rely on passwords. Shared accounts are harder. Passkeys are tied to your biometrics and device, making it difficult to share login credentials with family members or teammates. Recovery requires planning. If you lose all your devices and don’t have a backup method configured, account recovery can be difficult.
The Verdict
Set up passkeys on every service that supports them. Start with your most important accounts: email, banking, and cloud storage. Keep your existing passwords as backup until passkey support is universal. This is one of those rare technology transitions that makes your life simultaneously easier and more secure. That almost never happens.
Frequently Asked Questions
What happens if I lose my phone? Passkeys sync to the cloud (iCloud Keychain, Google Password Manager, or a third-party manager). When you set up a new device with the same account, your passkeys are restored automatically.
Can passkeys be hacked? The cryptographic foundation is extremely secure. An attacker would need physical access to your device AND the ability to bypass your biometrics. Remote attacks like phishing are impossible with passkeys.
Do I still need a password manager? For now, yes. Not all services support passkeys, and you’ll need passwords for those that don’t. Password managers like 1Password also store passkeys alongside passwords, giving you one place for everything.
Are passkeys the same as Face ID or fingerprint login? Not exactly. Biometrics are the authentication method you use to unlock the passkey. The passkey itself is a cryptographic key pair, which is the actual security mechanism.
Will passwords disappear completely? Eventually, but it will take years. Passkey adoption is accelerating fast, but the long tail of smaller websites and legacy systems will keep passwords alive for a while.
