Passwords have been the go-to technology for authenticating a user for over 65 years. We kept tinkering around the edges to try and beef up their security, but in today's cybersecurity landscape usernames and passwords are considered fundamentally flawed and obsolete.
Their time is up. They get stolen, phished, reused, guessed, and tricked out of us by fake websites and other sophisticated methods. They cannot provide the security we need in the next revolution, one that includes AI and quantum computing. Passkeys are the replacement that fixes most of these problems at once.
In many of the engineering gigs I am engaged in, I find a lot of confusion around passkeys. This is my plain-English guide to what a passkey is, how they work, and why it is harder to attack them than the trusty old password you are probably still using.
I want to encourage people to use them, implement them, and get away from passwords that - even with MFA - are not up to the job of protecting your digital assets.
TL;DR
A passkey is a login credential that lives on your device and replaces your password. Instead of you typing a secret that a website has to store and check, your device proves who you are using a piece of cryptography that never leaves your control. There is nothing to remember, nothing to type into a fake site, and nothing useful for an attacker to steal from the website's servers.
If you have ever unlocked your phone with your face or fingerprint, you already understand the experience. That same gesture is all it takes to sign in.
A password or passphrase is known as a secret, because for it to work it has to be shared with the service you are going to use it with. Anyone who overhears or guesses it can pretend to be you. Worse still, most people have shared that same secret with every website they use, so copies of it sit on servers all over the internet, waiting to leak.
A passkey works differently. Think of it as a matched lock and key. The website has the lock. Your device keeps the key, and the key never leaves your pocket. When you sign in, the website holds up its lock, your device quietly proves it has the matching key without sending the key to the website, and you are in. The key itself never travels across the internet, so there is nothing for anyone to intercept.
So where does your fingerprint or face fit in? Picture the key being kept in a small safe. Your biometric is the combination that unlocks that safe, and your face or fingerprint's only job is to convince your device that the right person is controlling it. Once the safe opens, the key inside does the real work of signing you in.
Your face or fingerprint never leaves your device. The match happens inside your device's secure hardware, and nothing about your biometric is ever sent across the internet. What travels to the website is proof that your device holds the matching key, and it is that proof, not your biometric, that the website checks and trusts. The lock on the safe is also interchangeable: swap the biometric for a PIN and the safe, the key, and every step of the login work exactly the same. It is also why a thief with your phone still cannot use your passkey. They can hold the safe, but they cannot open it.
The diagram below traces the whole journey. The thing to notice is the red line. Your biometric stays on your side of it, and only the cryptographic proof ever crosses to the website.
Two locks, two jobs: the biometric unlocks the safe, the passkey does the signing.
What actually happens under the hood
Passkeys are built on something called public key cryptography, which sounds intimidating but rests on the idea that keys come in matched pairs. When you create a passkey for a website, your device generates two keys that belong together.
- A private key, which stays locked on your device and is never shared with anyone.
- A public key, which is sent to the website and stored there. On its own it is useless to an attacker.
A passkey is one half of a matched pair: the private key never leaves the device.
The clever part is that a message scrambled by one key in the pair can only be checked using the other. So when you sign in, the website sends your device a one-off puzzle (a random "challenge"). Your device signs that challenge with the private key it has been guarding, and sends the signed answer back. The website checks the answer against the public key it stored earlier. If it matches, you must be holding the real private key, so you are let in. No secret is ever transmitted, which means there is nothing for an eavesdropper to grab.
This is the real break from passwords. A password is a shared secret. The actual secret has to travel to the server and be stored there, which is exactly why password databases are such a prize when they leak. A passkey removes that target completely, because the thing on the server is only ever the useless public half.
Why passkeys beat passwords
To understand why the industry is moving so quickly to passkeys, it helps to see the size of the problem. There are billions of leaked usernames and passwords circulating on the dark web, and because so many people reuse the same password across accounts, one leak can unlock many doors. According to the FIDO Alliance's 2025 consumer research, more than a third of people had at least one account compromised in the prior year because of weak or stolen passwords. Passkeys remove that entire category of risk rather than just reducing it.
They cannot be phished
Phishing is simple. An attacker sends you a link to a site that looks exactly like the real one, you type your username and password, and now they have them. A passkey shuts this down. Thanks to origin binding, your device will not even offer the passkey on a lookalike domain, and there is no password to type anyway, so there is nothing to hand over. A pixel-perfect copy of your bank's login page gets the attacker nothing.
This is also where passkeys beat the second factors people already rely on. A one-time code by SMS or from an authenticator app can still be phished, because a convincing fake site just asks you to type that code in too. A passkey has nothing you can be tricked into typing.
There is nothing worth stealing on the server
We touched on this above, and it is worth stating plainly as a benefit in its own right. The server only ever holds your public key. When a company gets breached, that is what walks out the door, and on its own it is worthless. There is no secret sitting there to steal.
There is nothing to remember or reuse
Passkeys cannot be forgotten, cannot be written on a sticky note, and cannot be reused across sites the way people reuse passwords. Each one is unique to its website and generated automatically. The mental load that password managers tried to ease simply disappears.
One step instead of two
Because a passkey already proves both that you have your device and that you passed a biometric or PIN check, it can replace the password and the second-factor step in a single action. You get stronger security and a faster login at the same time, which is a rare combination.
Two flavours of passkey
Not all passkeys are stored the same way, and the difference matters for how you recover access if you lose a device.
Synced passkeys are backed up and copied across your devices through a credential manager, such as your operating system's keychain or a password manager. Create one on your laptop and it is available on your phone. If you lose a device, you sign in to your credential manager on a new one and your passkeys come with you. This is the convenient, everyday choice for most people.
Device-bound passkeys are locked to a single piece of hardware, typically a physical security key, and cannot be copied off it. They can still be used across different computers, but you have to physically connect the key each time. If the key is lost, you fall back to a backup key or an account recovery process. This is the high-assurance option favoured in government and high-security enterprise settings, where the inconvenience is the point.
Both flavours are equally phishing-resistant. The choice is about the trade-off between convenience and how tightly you want the credential pinned to one object.
At a glance, the two share the same cryptographic floor and differ only in whether the private key can be copied. The graphic below is the quick way to see it: shared traits in the overlap, and the trade-offs that actually drive the decision - recovery and vendor lock-in included - out on each side.
Synced vs device-bound passkeys: identical phishing-resistant cryptography in the overlap, a different trust and recovery model on each side.
Want to go under the hood? This is the plain-English half of the story. If you want the mechanics - the WebAuthn assertion field by field, the registration and authentication ceremonies, discoverable credentials, and the phone-based QR and Bluetooth flow - read the technical companion: How Passkeys Really Work: WebAuthn, FIDO2 and the Anatomy of an Assertion.
Common questions
Do I have to use my fingerprint or face to use a passkey?
No. Biometrics are the default on most devices because they are quick, but a device PIN or passphrase works just as well for the verification step. Whatever you choose, the biometric itself stays on your device and is never sent to the website. Just remember that a biometric unlock is generally stronger than a short PIN or passphrase.
What if I lose my phone?
- If your passkeys are synced through a credential manager, you can sign in to that credential manager on a replacement device and your passkeys are still accessible.
- If you used device-bound passkeys on a hardware key, you will need to rely on a backup key or the site's account recovery capabilities.
This is why thinking about recovery up front is worth some effort.
Can my family or team share one passkey?
Passkeys are designed for individual sign-in, because the private key is tied to a specific device or vault. They are meant to identify an individual or a single system, and they are not designed to be passed around like a shared password.
Are passkeys locked to Apple or Google?
They do not have to be. If you store them in your platform's own keychain, they live in that ecosystem. If you store them in a cross-platform password manager instead, they travel with you when you switch between iPhone, Android, Windows, and macOS. And even within a platform keychain, a QR-code flow lets you use a passkey from your phone to sign in on a nearby computer that does not have it.
Will passkeys replace passwords entirely?
Eventually, almost certainly. Adoption is growing quickly across major platforms and services. For now we are in a transition period, where many sites offer passkeys alongside passwords and let you choose, but the direction of travel is very clear.
Common misconceptions
A few reasonable-sounding beliefs about passkeys come up again and again. Each contains a grain of truth, which is what makes them sticky, so it is worth walking through them.
"A passkey and a hardware security key are the same thing"
They are related but not the same, and mixing them up causes real confusion. A passkey is the credential - the key pair scoped to a website. A hardware security key is just one place that credential can live. The same kind of passkey can sit in your phone's secure hardware, your laptop, or a password manager instead. In other words, a hardware key is one kind of authenticator, and a passkey is the thing an authenticator holds. You do not need to buy any special hardware to use passkeys, though a hardware key is there if you want a credential pinned to a single physical object for high-security systems.
"It is a biometric passkey, so my fingerprint or face is the passkey"
You will sometimes hear passkeys described as "biometric passkeys," and the phrase quietly plants a wrong idea that your face or fingerprint somehow is the credential, or that it gets sent to the site to log you in. Neither is true, and the distinction matters.
The passkey itself is purely cryptographic. It is the private and public key pair we have been describing, and it has nothing to do with biology. What your fingerprint or face actually does is unlock the private key locally so it can be used to sign the challenge. It is the gesture that authorises the authenticator to act, not the thing that proves your identity to the website. The biometric is the lock on the safe the key is kept in, not the key itself.
Two things follow from that, both worth understanding:
- First, your biometric never leaves your device and is never sent to the website. The site only ever receives the signature and learns, through the flags in the authenticator data, that a verification check passed.
- Second, biometrics are not compulsory. A device PIN or local password unlocks the passkey as well, which is why passkeys work fine on hardware with no fingerprint reader or camera.
So a passkey is not "a biometric" - it is a cryptographic key that a biometric, or a PIN, happens to unlock.

