What Are Passkeys? A 2026 Guide to Going Passwordless
A passkey replaces your password with a cryptographic key pair that lives on your device and cannot be phished, reused, or leaked in a breach. In 2026 that's no longer a preview feature: Google reports more than 800 million accounts using passkeys, Microsoft is auto-enabling them for millions of people, and the FIDO Alliance estimates around 5 billion passkeys in active use worldwide. This guide explains what passkeys are, how they actually work, how to set one up, and the one real catch the vendor blog posts gloss over — what happens when you lose your device.
What is a passkey?
A passkey is a digital credential that signs you into an app or website using the same thing you already use to unlock your phone: your face, your fingerprint, or a device PIN. There's no password to type, remember, or reuse. Under the hood it's a pair of cryptographic keys, but in daily use it feels like nothing more than unlocking your device.
That shift — from "something you remember" to "something your device proves" — is the whole idea. A password is a shared secret you and the website both know, which means it can be stolen from either end. A passkey never shares a secret at all.
How passkeys actually work
When you create a passkey, your device generates two mathematically linked keys. The private key never leaves your device — it's stored in secure hardware (the TPM on a PC, the secure enclave on a phone) and is unlocked only by your biometric or PIN. The matching public key is handed to the website.
To log you in, the site sends a random challenge. Your device signs that challenge with the private key, and the site verifies the signature using the public key it stored at sign-up. No shared secret ever travels across the internet, so there's nothing for an attacker to intercept in transit or steal from the server's database. Even if the site is breached, the public key on its own is useless to an attacker.
Passkeys vs passwords: the real security difference
The headline advantage is phishing resistance. A passkey is cryptographically bound to the exact domain it was registered for. A passkey for netflix.com cannot be presented to netfIix-login.com — the browser simply won't offer it, because the domains don't match. That defeats the single most common account attack: tricking you into typing a genuine credential into a fake page.
Passwords have no such binding. You can type them anywhere, which is precisely the problem, and it's why breaches like the 16 billion passwords leaked story keep happening. FIDO-cited data puts passkey login success at around 93% versus about 63% for passwords, so the security win comes with a usability win too.
| Passwords | Passkeys | |
|---|---|---|
| Phishable | Yes | No — bound to the domain |
| Reused across sites | Often | Never — unique per site |
| Exposed in a breach | Yes (hashes or plaintext) | No secret stored server-side |
| What you do to log in | Type and remember | Face, fingerprint, or PIN |
Why 2026 is the tipping point
The numbers moved from "promising" to "mainstream." Google reports more than 800 million accounts using passkeys, and Amazon says 175 million users created one in the first year. Microsoft made passkeys the default sign-in for all new personal accounts in May 2025 and, per reporting from early 2026, began auto-enabling them for millions of existing users.
Zoom out and the FIDO Alliance's "State of Passkeys 2026" estimates around 5 billion passkeys in active use, with roughly 48% of the top 100 websites now supporting them — about double the 2022 figure. Awareness sits near 90%, around 75% of people have enabled a passkey on at least one account, and about 49% use them regularly. Treat the precise percentages as FIDO's own reported estimates, but the direction is unmistakable.
How to set up a passkey on iPhone, Android, and Windows 11
The exact taps change with every OS update, but the flow is consistent. On a site that supports passkeys, open your account or security settings, choose "Create a passkey" (or "Set up passkey"), and approve with your biometric or PIN. That's it — the passkey is created and stored for you.
- iPhone or iPad: passkeys are stored in iCloud Keychain (or a third-party manager), synced across your Apple devices, and unlocked with Face ID or Touch ID.
- Android: passkeys live in Google Password Manager, sync to your Google account, and unlock with your fingerprint, face, or PIN.
- Windows 11: passkeys sync across devices via Microsoft Password Manager with encrypted, per-device TPM protection, as detailed by the Windows engineering team. You can also keep a passkey on your phone and use it to sign in on a nearby PC by scanning a QR code.
Do passkeys replace your password manager?
No — and this trips people up. For two reasons. First, most password managers now store passkeys too, so your manager becomes the home for your passkeys rather than something you retire. Second, passkeys aren't on every site yet — only around 48% of top sites — so you still have a long tail of accounts that accept only passwords.
You'll need both for years. Keep the manager, let it hold passkeys where they're offered, and let it generate strong, unique passwords everywhere else.
The catch nobody explains: what happens if you lose your device
Here's the honest part. If your passkeys sync to a cloud account — iCloud Keychain, Google Password Manager, or your Microsoft account — losing a single device is not a crisis. Sign in to that cloud account on a new phone or laptop and your passkeys come with you.
The real trouble is losing access to every registered device and the syncing account at once. Because the underlying FIDO2 standard has no built-in recovery flow, sites fall back to whatever they had before — usually an email reset link. That is the exact weak point passkeys were supposed to eliminate, and it's why "just switch everything to passkeys" is incomplete advice without a recovery plan.
Passkey portability and the cross-ecosystem mess
Cross-ecosystem portability is still imperfect. iCloud Keychain, Google Password Manager, and browser-based stores don't all hand credentials to each other, so people end up registering multiple passkeys per site — one for Apple, one for Google, one for Windows.
Progress is real. Apple added passkey export to third-party managers through the Credential Exchange standard in iOS 26, reported for September 2025, where before it was locked to iCloud Keychain. But "create a passkey on your iPhone and use it natively on Windows" still isn't fully there. For now, the practical move is to register a passkey in each ecosystem you actually use.
Are passkeys actually safe?
Lead with the caveat, because most articles bury it. For the login itself, passkeys are dramatically safer than passwords — unphishable, unique per site, and nothing to steal from a breached server. The weak link isn't authentication; it's recovery.
As 1Password's Head of Passwordless, Anna Pobletts, reportedly put it, recovery is "definitely the weak link… right now it's just whatever already existed with passwords." So the accurate security story is this: passkeys make the front door far stronger, but the back door — account recovery — is only as strong as the email account or backup method sitting behind it. Harden those, and you close the gap.
Should you switch now? A simple starter plan
- Turn on passkeys for your most important accounts first — email, then banking, then your password manager itself.
- Make sure those passkeys sync to a cloud account so a lost phone isn't a lockout.
- Register a passkey in each ecosystem you actually use, such as your phone and your laptop.
- Keep strong, unique passwords for everything that doesn't support passkeys yet.
- Harden your recovery: a strong email password plus a second factor, because recovery is the genuine weak point.
Meanwhile, strengthen the passwords you still have
Passkeys aren't on every site yet, which means the passwords you still rely on matter more than ever — they're now guarding the accounts passkeys haven't reached. Generate unique ones with our password generator, and audit the ones you already use with the password strength checker so the long tail of password-only sites doesn't become your weakest link.
Passkeys are the biggest upgrade to everyday login security in years, and 2026 is the year they went mainstream for real. They're safer than passwords in every way that matters at sign-in. Just go in clear-eyed about the catch: sync them, register them in each ecosystem, and lock down your recovery — then start switching your most valuable accounts today. This is general security guidance, not personalized advice, so adapt the steps to the accounts and devices you actually depend on.
Try the tool from this post
Password Strength Checker
Test how strong a password is.
Open Password Strength CheckerFrequently asked questions
A passkey is a pair of cryptographic keys that signs you into a site using your fingerprint, face, or device PIN instead of a password. The private key never leaves your device's secure hardware, and only a signature is sent to the site, so no shared secret travels over the internet.
Yes, for the login itself. Passkeys are phishing-resistant because each is bound to one exact domain, they're unique per site, and there's no secret stored server-side to steal in a breach. FIDO-cited data shows around 93% login success for passkeys versus about 63% for passwords.
If your passkeys sync to a cloud account like iCloud Keychain, Google Password Manager, or your Microsoft account, you just sign in on a new device and they follow you. The real risk is losing every registered device and the syncing account at once, because FIDO2 has no built-in recovery and sites fall back to an email reset.
No. Most password managers now store passkeys, so the manager becomes their home rather than obsolete. And because only around 48% of top sites support passkeys, you still need strong passwords for the long tail of accounts that don't.
Not seamlessly yet. iCloud Keychain, Google Password Manager, and browser stores don't all share credentials, so people register multiple passkeys per site. Apple added passkey export via the Credential Exchange standard in iOS 26 (reported September 2025), but full cross-ecosystem use isn't there.
On a site that supports passkeys, open your account or security settings, choose Create a passkey, and approve with your biometric or PIN. On iPhone it's stored in iCloud Keychain, on Android in Google Password Manager, and on Windows 11 it syncs via Microsoft Password Manager with per-device TPM protection.
The passkey itself is highly resistant to phishing because it only works on the exact domain it was registered for, and there's no secret to steal from a breached server. The realistic weak point is account recovery, which often falls back to email — so harden your email and backup methods.
Adoption is growing fast: the FIDO Alliance's State of Passkeys 2026 estimates around 48% of the top 100 websites now support them, roughly double the 2022 figure. Google reports over 800 million accounts using passkeys, and Amazon says 175 million users created one in the first year.
Sources
Share this article
Send it to a teammate or save the link for later.
Related tools
Related articles
Is the AI Bubble Bursting? Big Tech's $725B Reckoning
Is the AI bubble bursting in 2026? Big Tech is set to spend ~$725B on AI as the Magnificent 7 shed $2.3T — the bull and bear case, no hype, no advice.
Read articleApple Lost a Major EU Antitrust Fight: What It Means
Apple lost a major EU antitrust ruling on July 8, 2026, upholding DMA rules on the iPhone. What's decided, what's still pending, and what changes for you.
Read articleBest AI Browser 2026: Comet vs Dia vs Chrome (Atlas Dies)
The best AI browser in 2026? Comet is free and cross-platform, Chrome adds Gemini, and ChatGPT Atlas shuts down Aug 9 — plus the safety risks.
Read article