Passwords are a big problem. Everyone keeps using the same weak passwords over and over again, and even then, we can't remember them. Worst of all, long, unique, strong passwords with lots of special characters and random capital letters aren't all that secure: they're vulnerable to phishing and other scams, and they're especially easy to forget.
A great password manager can fix some of these problems, but they're really just papering over the cracks in an outdated, insecure system. And if your password manager messes up, all your passwords could be compromised.
Fortunately, there will soon be a better way of securing some of your most important accounts. After almost a decade in development, passkeys are finally coming. Here's what you need to know.
What is a passkey?
A passkey is a new way of logging in to online accounts, services, and apps that's designed to be faster, easier to use, and more secure than passwords.
Passkeys rely on public-key cryptography (which I'll explain in a moment) to verify your identity rather than a username and password. This means you don't have to remember anything, so you can't forget them like a password, and your devices get a single-use login credential each time you sign in to an account, so your account details can't easily be stolen by a hacker or phishing attack. If all this sounds kind of complicated, don't worry—it all happens in the background. Logging in is actually really simple (again, more on that in a bit).
Passkeys were created by an industry group called the FIDO Alliance that includes companies like Apple, Google, Microsoft, Amazon, 1Password, Dashlane, American Express, Intel, Mastercard, Meta, PayPal, Samsung, Visa, and lots more. Seriously, passwords are widely considered to be a huge global problem, so there are a lot of companies interested in a better, more secure solution.
How do passkeys work?
Now that you've got some idea of what passkeys are, let's dive into how they work—and why they offer better security than passwords.
Passkeys are part of a new web standard called Web Authentication or WebAuthn. Instead of a username and password, WebAuthn uses a principle called public-key cryptography to verify your identity. It's the same solution that secure messaging apps use to encrypt your conversations and online payment processors use to make sure your credit card details don't get stolen, so it is well understood and widely used.
When you go to create an account for a service that uses WebAuthn, instead of you (or your password manager) creating a password that matches some awkwardly arbitrary criteria, your device will create a unique pair of mathematically related keys. One is called the public key, and the other is called the private key.
The public key isn't a secret. It gets stored on the service's servers, but it really doesn't matter if hackers steal it or it otherwise gets leaked. It can genuinely be public knowledge without it affecting your security.
The private key, on the other hand, gets stored securely on your device, and it has to remain a secret.
The next time you go to log in to that service, it will use the public key tied to your account to create a challenge for your device. Because the public key and private key are mathematically related, your device will be able to solve that challenge using its stored private key without revealing it to the server. That way, your device can verify your identity without any sensitive information changing hands—and so there's nothing for phishers or hackers to steal.
From a user perspective, things will be even simpler. When you log in to an account that uses WebAuthn, your device or web browser will prompt you to unlock your account using your pin or a biometric option like FaceID or TouchID. And that's it. All the public and private key stuff will happen automatically in the background.
Of course, right now this is a slightly idealized workflow—it's how things will work once passkey support is widespread. For now, there are a few caveats along the way.
What accounts support passkeys?
Passkeys only work with accounts that support them. So far, that's really just a few big names like Google, Microsoft, Shopify Pay, PayPal, Adobe, and TikTok, but wider support should be coming soon.
Unfortunately, because there are so many companies involved and passwords are so deeply ingrained in the online world, it's taken a while for the FIDO Alliance to get passkeys to get to the point where you can actually use them. And to be honest, we're only just about there now.
What devices support passkeys?
Right now, passkey support is still a bit messy. Because passkeys are created on a specific device, they can't be shared as easily as passwords. There are solutions and workarounds coming, but for now, they're not as cross-platform as passwords or password managers.
Apple has recently added passkey support to iOS and macOS devices, and Google has added passkey support to Android devices (and it's coming to ChromeOS). Microsoft has actually offered a limited version of passkeys in Edge for years but will be bringing them more natively to Windows later this year.
Apple passkeys
Apple currently has the most complete passkey implementation. They're supported on iPhones and iPads running iOS 16 or later and Macs running macOS Ventura or later. Crucially, passkeys are synced using iCloud Keychain, so if you create a passkey on your iPhone, you can log in using it on your Mac and vice versa—at least as long as you use Safari.
Windows passkeys
Passkeys are available on computers running Windows 10 and Windows 11 in Edge, Chrome, Firefox, and Brave through Windows Hello. But, at present, Microsoft hasn't implemented any kind of passkey sync or backup. This means that you can only log in with the passkey on the device you set it up with. Sync support is expected in the next major Windows update.
Google passkeys
Google has added support for passkeys to devices running Android 9. They're synced through Google Password Manager, so they're available on other Android devices. Support is coming to ChromeOS.
How to use passkeys
Passkeys are designed to be seamless and easy to use. The process of setting one up should be similar on most devices for most accounts. Here's a general overview, but to really get a feel for it, you should create a passkey yourself using Passkeys.io. It's a demo implementation of passkeys, so you can see just how easy they are, and how the process works on your device.
Creating a passkey for new accounts
When you sign up for a new account that supports passkeys, there'll be a button that says something like Sign up with passkey or Sign in with passkey.
Enter your email address (which isn't necessary for passkey validation, but most sites will still want it so they can contact you), click the button, and confirm your identity using your device's biometric or pin login.
And that's it.
Creating a passkey for existing accounts
If you already have an account with a service, you'll normally need to log in and add a passkey somewhere in the account settings. Check out the help docs of the specific service for a detailed guide.
Signing in using cross-device authentication
One of the key features of passkeys is that you'll still be able to sign in to your accounts on other devices (for example, a friend's smartphone or a public computer) using a process called cross-device authentication.
When you go to log in, you click Sign in with passkey, then Other sign in options. From that, you'll be able to select Sign in with another device (or something similar), which will then show a QR code.
Scan that QR code with a device that already has passkeys enabled, such as your iPhone or Android smartphone, and you'll be able to verify your identity on that device and log in on the second device.
Passkeys are the future
Passkeys are a significantly more secure alternative to passwords, and under ideal circumstances, they offer a much better user experience. In the coming years as passkey support spreads, they're likely to be the best options for important accounts. But passkey support isn't quite there yet, and there are still a few edge cases where things are incredibly awkward.
So far, only Apple has implemented genuine passkey use across smartphones and computers—and it is limited to Apple devices. Sync support is due to come to Windows and ChromeOS, but there will still be issues syncing passkeys between operating systems. Password managers like 1Password and Dashlane are attempting to solve this problem.
While passkeys promise to make signing up for an account and logging in from known devices easier, they make moving to a different operating system or new device more awkward. While they aren't yet widespread enough for this to really be a problem, expect setting up existing accounts on new devices (especially if you don't have your old device) or recovering an account to be more awkward than resetting a password.
While support for passkeys is coming to devices, it also has to be enabled by websites, apps, and other services. Passkeys are likely to become the standard for important accounts, but it's going to be a long time before they're anything close to universal.
So, although we've finally got something that looks like a possible solution to the password problem, it isn't a perfect fix—and we're going to be dealing with the transition for a while.
Related reading:
