What Are Passkeys? The Replacement for Passwords Explained

Passkeys are replacing passwords — and the transition is already well underway. Google, Apple, Microsoft, PayPal, Amazon, and hundreds of other services now support passkeys as a sign-in method. If you have not set one up yet, this guide explains what passkeys are, how they work, and how to get started on the platforms you already use.

What Is a Passkey?

A passkey is a digital credential that replaces your password. Instead of typing a string of characters into a website, you authenticate using the same method you use to unlock your phone — a fingerprint, face scan, or PIN.

Behind the scenes, a passkey uses public-key cryptography. When you create a passkey for a website, your device generates a matched pair of keys: a private key that stays on your device and is never sent to the website, and a public key that is stored on the website’s server. When you sign in, the website sends a challenge, your device signs it with your private key, and the website verifies the signature with the public key. No password is ever transmitted or stored, so there is nothing for an attacker to intercept or leak.

Why Passkeys Are More Secure Than Passwords

Most successful account takeovers happen through one of three routes: phishing (tricking you into entering your password on a fake site), credential stuffing (using leaked passwords from other breaches), or weak/reused passwords. Passkeys eliminate all three.

  • Phishing-resistant — passkeys are bound to the exact domain they were created on. A passkey created for google.com will not work on g00gle.com. There is nothing to steal.
  • No password to leak — the website only holds your public key. Even if their database is breached, attackers cannot sign in with a public key alone.
  • No reuse problem — each passkey is unique to each website. There is no “using the same password everywhere” risk.
  • Biometric protection on your device — your private key is protected by your device’s secure hardware (Secure Enclave on Apple, TPM on Windows) and requires your biometric or PIN to use.
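
The sign-in exchange and the domain binding described above, as an added example that is not part of the original article: a simplified Node.js model in which the authenticator signs a server challenge and has nothing to offer a lookalike domain. The class and function names and the login.example / l0gin.example origins are constructed for illustration, and the rpId is assumed to equal the hostname.

```javascript
// Added example: simplified model of a passkey sign-in, not a full WebAuthn stack.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: one private key per site (rpId); only the public key is exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }
  // The browser passes the origin it actually loaded; the page cannot override it.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname; // assumption: rpId equals the hostname
    const key = this.keys.get(rpId);
    if (!key) return null; // no passkey was ever created for this domain
    const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
    const authData = sha256(rpId); // real authenticator data also has flags and a counter
    const signed = Buffer.concat([authData, sha256(clientData)]);
    return { clientData, authData, signature: crypto.sign('sha256', signed, key) };
  }
}

// Server: stores only the public key; checks challenge, origin, rpId hash, signature.
function verifyAssertion(a, publicKey, expectedOrigin, expectedChallenge) {
  if (!a) return false;
  const { challenge, origin } = JSON.parse(a.clientData.toString());
  if (challenge !== expectedChallenge || origin !== expectedOrigin) return false;
  if (!a.authData.equals(sha256(new URL(expectedOrigin).hostname))) return false;
  const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
  return crypto.verify('sha256', signed, publicKey, a.signature);
}

function demo() {
  const newChallenge = () => crypto.randomBytes(32).toString('base64url');
  const site = 'https://login.example';      // constructed genuine origin
  const lookalike = 'https://l0gin.example'; // constructed lookalike origin
  const device = new Authenticator();
  const publicKey = device.register('login.example');
  const challenge = newChallenge();
  const assertion = device.sign(site, challenge);
  return {
    genuineAccepted: verifyAssertion(assertion, publicKey, site, challenge),
    lookalikeSigned: device.sign(lookalike, challenge) !== null,
    replayAccepted: verifyAssertion(assertion, publicKey, site, newChallenge()),
  };
}

console.log(demo());
```

The third result shows why the server issues a fresh challenge for every sign-in: a captured assertion is rejected when presented against a different challenge.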

Passkeys vs Passwords vs Two-Factor Authentication

Here is how the three approaches compare:

| | Password | Password + 2FA | Passkey |
|---|---|---|---|
| Phishing risk | High | Medium (can be bypassed) | None |
| Credential stuffing risk | High | Low–Medium | None |
| Requires remembering something | Yes | Yes | No |
| Server-side breach risk | High | High | None (public key only) |
| Ease of use | Low | Low | High |

Two-factor authentication (2FA) was a major step forward, but it is not fully phishing-resistant. A sophisticated attacker can still intercept an SMS code in real time using a “real-time phishing” attack. Passkeys do not have this vulnerability.

How to Set Up a Passkey on Google

Google was one of the first major platforms to push passkeys widely. Here is how to set one up:

  1. Go to myaccount.google.com and sign in
  2. Select Security from the left menu
  3. Scroll down to How you sign in to Google and click Passkeys and security keys
  4. Click Create a passkey
  5. Follow the prompt — your device will ask you to verify with fingerprint, Face ID, or PIN

Once created, you can sign into your Google account on any supported device just by verifying with your biometric. No password required.

How to Set Up a Passkey on an Apple Device

Apple has built passkey support into iOS 16, iPadOS 16, and macOS Ventura (and later). Passkeys are stored in iCloud Keychain and sync across all your Apple devices automatically.

When you visit a website that supports passkeys on Safari, you will see a prompt offering to save a passkey when you create an account or add it in your account settings. Tap to confirm with Face ID or Touch ID and you’re done.

To see which passkeys you have saved:

  1. On iPhone/iPad: Settings → Passwords
  2. On Mac: System Settings → Passwords
  3. Passkeys are listed alongside saved passwords and show a key icon

How to Set Up a Passkey on Windows (Microsoft Account)

Microsoft has added passkey support to Windows 11 and Microsoft accounts. Windows Hello (fingerprint, face recognition, or PIN) is used as the authentication method.

  1. Go to account.microsoft.com and sign in
  2. Go to Security → Advanced security options
  3. Under Ways to prove who you are, click Add a new way to sign in or verify
  4. Select Face, fingerprint, PIN, or security key
  5. Follow the steps to set up Windows Hello if not already configured

Passkeys on Windows are stored in Windows Hello and are protected by your device’s TPM (Trusted Platform Module) chip.

Where Are Passkeys Stored?

Passkeys are stored on your device, typically in your platform’s password manager:

  • Apple devices — iCloud Keychain (syncs across all your Apple devices)
  • Android devices — Google Password Manager (syncs across your Android devices)
  • Windows — Windows Hello credential store
  • Third-party password managers — 1Password, Bitwarden, Dashlane, and others now support storing passkeys and can sync them cross-platform

Using a third-party password manager for passkeys is particularly useful if you work across both Apple and Windows devices and want your passkeys available on both.

What Happens If You Lose Your Device?

This is the most common concern people have about passkeys, and it is a legitimate one. The answer depends on how your passkeys are stored.

If your passkeys are in iCloud Keychain, they will be available on any new Apple device you sign into with the same Apple ID — including after replacing a lost or stolen phone. The same applies to Google Password Manager on Android.

If you use a third-party password manager like 1Password or Bitwarden, your passkeys travel with your account. Sign into the password manager on a new device and they are available immediately.

The edge case is passkeys stored only on a device with no cloud sync (for example, a Windows device with no Microsoft account). In this scenario, losing the device means losing those passkeys. For most users, cloud-synced passkeys are the practical approach.

Passkeys vs YubiKeys: Which Is Better?

Both passkeys and YubiKeys use the same underlying FIDO2/WebAuthn standard — the difference is where the private key is stored.

  • Passkeys — stored on your device or in a cloud password manager. Convenient, syncs automatically, works on any supported device.
  • YubiKey — stored on a physical hardware token. Never leaves the device. Cannot be extracted or remotely compromised. Requires physical possession to authenticate.

For most people, passkeys offer excellent security with far greater convenience. For high-risk accounts (company admin accounts, finance systems, privileged IT access), a YubiKey adds a layer of protection that cannot be socially engineered away — even if an attacker has full access to your device and your cloud accounts.

The two can also be used together: a YubiKey as your primary authenticator and a passkey as a backup, or vice versa.

Which Sites Support Passkeys?

Passkey adoption is growing rapidly. Major platforms with passkey support as of 2026 include:

  • Google (Gmail, YouTube, Google Account)
  • Apple ID
  • Microsoft (personal accounts, Azure AD)
  • Amazon
  • PayPal
  • GitHub
  • Shopify
  • X (Twitter)
  • Adobe
  • 1Password, Bitwarden, Dashlane (for accessing the password manager itself)

The site passkeys.directory maintains an up-to-date list of all services that support passkeys.

Should You Switch to Passkeys Now?

Yes — for any account that supports them. The security benefits are significant and the user experience is genuinely better once you are set up. You do not need to switch everything at once; start with your most sensitive accounts (email, banking, Google/Apple/Microsoft) and add passkeys as you encounter other supported services.

Passwords are not going away overnight — most services will still let you use a password as a fallback for some time. But passkeys are where authentication is heading, and early adoption puts you ahead of the vast majority of users who are still relying on reused or weak passwords.
