Passkeys Are Killing the Password: What They Are, How They Work, and Why You Should Switch Now
Passwords fail 98% of the time during sign-in. Passkeys succeed 98% of the time. The technology to replace passwords isn't coming — it's already here, and Google, Apple, and Microsoft are pushing billions of users toward it. Here's everything you need to understand.

Passwords are broken. They've been broken for years. We just kept patching them — adding complexity requirements, mandatory rotations, two-factor authentication on top — because we didn't have a viable replacement.
Now we do. And it's not theoretical or coming-soon technology. It's here, it's working, and the numbers are staggering.
Google reports that over 800 million accounts are already using passkeys. Amazon saw 175 million users create passkeys within the first year of offering them. Microsoft made passkeys the default for all new accounts in May 2025 and saw a 120% increase in passwordless authentication. TikTok data shows passkeys achieving a 98% success rate for logins, compared to passwords, which fail 98% of the time when users attempt to recall them under real-world conditions.
Those aren't marketing projections. Those are deployed, production numbers from the largest services on the planet.
Passkeys are the most fundamental change in how we prove our identity online since passwords were invented over sixty years ago. And unlike most "revolutionary" security technologies, this one actually makes your life easier at the same time.
Let me explain exactly how they work, why they matter, and how to start using them today.
Why Passwords Were Always a Bad Idea
Before we talk about the solution, let's be precise about the problem.
Passwords are "shared secrets." When you create an account, you send the service a secret (your password), and the service stores a version of it. Every time you log in, you prove your identity by demonstrating that you know the shared secret. The service checks what you sent against what it stored.
This model has three fundamental weaknesses that no amount of patching can fix.
The server stores your secret. Even if the service stores your password as a hash rather than plaintext, database breaches expose those hashes, and GPU cracking rigs that guess billions of candidates per second recover many of them, especially where the service used a fast hash instead of a deliberately slow one such as bcrypt, scrypt, or Argon2. Every data breach is a potential password leak. And because people reuse passwords — despite decades of being told not to — a single breach often compromises accounts across dozens of services.
The secret travels over the network. Every time you type your password into a login form, it's transmitted from your device to the server. Phishing attacks exploit this by creating fake login pages that capture your password in transit. No matter how strong your password is, if you type it into a phishing page, the attacker has it. And modern phishing pages are nearly indistinguishable from the real thing.
Humans are terrible at managing secrets. We reuse passwords because we can't remember unique ones for every account. We choose weak passwords because strong ones are hard to type. We write passwords down, share them with coworkers, and store them in plaintext files. The cognitive burden of password management creates systemic vulnerabilities that no security policy can fully address.
Two-factor authentication was supposed to fix this. And it helped. But SMS-based 2FA is vulnerable to SIM swapping. TOTP-based 2FA (authenticator apps) can be phished through real-time proxy attacks. Even push-based MFA can be defeated through "prompt bombing" — sending repeated authentication requests until the exhausted user accidentally approves one. In 2024, prompt bombing accounted for 14% of social engineering incidents.
Passwords plus 2FA is better than passwords alone. But the entire architecture is fundamentally fragile because it still depends on a shared secret.
What Passkeys Actually Are (The Technical Reality)
Passkeys replace the shared secret model with public-key cryptography. This is the same mathematical foundation that secures HTTPS, encrypted messaging, and cryptocurrency, and it has been in production use for decades. The innovation is in applying it to login authentication in a way that's seamless for regular users.
Here's what happens when you create a passkey for a service:
Step 1: Key generation. Your device generates a unique pair of cryptographic keys — a public key and a private key. These are mathematically linked: a signature made with the private key can be checked with the public key, but the private key cannot be worked out from the public one.
Step 2: Public key registration. Your device sends the public key to the service's server. This is the only key the server ever sees or stores. The public key is, as the name implies, not secret. Even if every public key in the server's database is stolen in a breach, an attacker gains nothing useful — public keys cannot be used to authenticate.
Step 3: Private key storage. The private key stays on your device, protected by your device's secure hardware (Secure Enclave on iPhone, Titan chip on Pixel, TPM on Windows) and unlocked only by your screen lock or biometrics. It is never sent to the service and never travels over the network during login. (A synced passkey is additionally backed up, end-to-end encrypted, to your platform's cloud keychain; more on that below.)
When you log in:
Step 1: Challenge. The server sends a random challenge — a string of data — to your device.
Step 2: Local authentication. Your device asks you to verify your identity using biometrics (Face ID, fingerprint) or your device PIN. This unlocks access to the private key.
Step 3: Cryptographic signature. Your device uses the private key to sign the challenge, creating a unique digital signature. This signature proves that your device possesses the private key without revealing the key itself.
Step 4: Verification. The server checks that the challenge is the one it just issued and has not been used before, that the origin the browser recorded matches its own, and that the signature verifies under your stored public key. If all of that checks out, you're authenticated.
The entire process — from the moment you tap "Sign in" to the moment you're logged in — takes about seven seconds. There's nothing to type. Nothing to remember. Nothing that can be phished.
Why Passkeys Are Phishing-Proof
This is the feature that matters most from a security perspective, and it's worth understanding why it works.
Passkeys are origin-bound. When your device creates a passkey for "google.com," that passkey is scoped to that relying-party ID. At login, the browser records the exact origin it is on and the authenticator only answers for that domain or a subdomain of it: accounts.google.com works, "g00gle.com" and "google.com.evil.net" do not. If a phishing page sends a challenge — even a real challenge it relayed from google.com — the domain check fails and no signature is produced. The passkey literally cannot be used on the wrong site.
With passwords, you're the one who decides whether a site is legitimate. You look at the URL, you check for the padlock icon, you try to spot the fake. And humans are terrible at this — phishing succeeds precisely because fake pages look real enough to fool us.
With passkeys, the device makes the decision. The cryptographic binding between the passkey and the domain is absolute. A phishing page cannot trigger a passkey response, regardless of how convincing it looks. The private key never even gets involved because the domain check fails before authentication begins.
This removes the credential-phishing path that feeds the credential abuse Verizon's 2025 DBIR lists as the leading initial access vector in breaches. It does not protect what happens after login: a session cookie stolen by malware on the device, or a weak account-recovery flow that lets an attacker enrol a passkey of their own, still needs its own defences.
Synced Passkeys vs. Device-Bound Passkeys
There are two types of passkeys, and the distinction matters for understanding how they work in practice.
Synced passkeys are encrypted and backed up through your platform's cloud keychain — iCloud Keychain (Apple) or Google Password Manager (Google/Android); on Windows, Windows Hello passkeys have historically been device-bound, with Microsoft adding account-based sync more recently. When you create a synced passkey on your iPhone, it's automatically available on your iPad, Mac, and any other Apple device signed into the same iCloud account. Google does the same across Android devices and Chrome.
This solves the "what if I lose my phone?" problem. Your passkeys are recoverable because they're encrypted in the cloud. The end-to-end encryption means even Apple or Google can't read your private keys — they're encrypted with a key derived from your device passcode, which only you know. The flip side is that your Apple ID or Google Account becomes the recovery root for every passkey you hold, so protect that account with the strongest second factor it offers and keep its recovery contacts current.
Device-bound passkeys are tied to a specific piece of hardware and cannot be synced or copied. Physical security keys like YubiKey create device-bound passkeys. These are the highest-security option because the private key exists in exactly one place and can never be extracted, even by the device manufacturer.
For most people, synced passkeys provide the best balance of security and convenience. For high-security scenarios — admin accounts, cryptocurrency exchanges, enterprise systems — device-bound passkeys on hardware security keys add an additional layer of protection.
How to Start Using Passkeys Right Now
The setup process is simpler than creating a password. Here's how to get started on each platform.
On iPhone / iPad / Mac (Apple ecosystem)
Apple supports passkeys through iCloud Keychain. Any device running iOS 16+, iPadOS 16+, or macOS Ventura+ can create and use passkeys.
When you visit a service that supports passkeys (like Google, Amazon, or PayPal) and create a new account or go to the security settings of your existing account, you'll see an option to create a passkey. Tap it, authenticate with Face ID or Touch ID, and you're done. The passkey is created and synced across all your Apple devices via iCloud Keychain.
On Android / Chrome (Google ecosystem)
Android supports passkeys through Google Password Manager on Android 9+. Chrome on desktop supports passkeys on Windows, macOS, and Linux.
The process is the same: visit a supported service, look for the passkey option, and authenticate with your fingerprint, face, or screen lock. Google syncs passkeys across your Android devices and Chrome browsers.
On Windows
Windows supports passkeys through Windows Hello on Windows 10 and 11. You can use your fingerprint reader, face recognition camera, or PIN to create and use passkeys.
Cross-Platform (Using Your Phone as a Passkey)
Here's something many people don't know: you can use your phone to sign in on devices that don't have your passkey. The service displays a QR code on the screen. You scan it with your phone. Your phone authenticates you via biometric, and you're logged in on the other device. This works across ecosystems — you can use an iPhone to sign into a service on a Windows computer.
WebAuthn calls this the hybrid transport; it started life as FIDO2 "caBLE" (cloud-assisted Bluetooth Low Energy). The QR code carries a key that the phone uses to reach the other device through a relay, while a Bluetooth advertisement proves the two are physically near each other, so a QR code screenshotted and relayed to a victim somewhere else does not work. It's how passkeys work on shared or public devices where you don't want to store credentials.
Which Services Support Passkeys in 2026?
The list is growing rapidly. As of early 2026, passkeys are supported by:
Google, Apple, Microsoft, Amazon, PayPal, eBay, Best Buy, Shopify, TikTok, GitHub, Nvidia, Dashlane, 1Password, Bitwarden, WhatsApp, X (Twitter), LinkedIn, Uber, Kayak, Air New Zealand, Robinhood, Gemini, Coinbase, and hundreds more.
The FIDO Alliance maintains a directory of services that support passkeys, and it's expanding weekly.
For services that don't support passkeys yet, continue using your password manager with unique, randomly generated passwords and your strongest available 2FA method. As passkey support expands, migrate services to passkeys one at a time.
Common Concerns and Honest Answers
"What if I lose all my devices?" If you use synced passkeys (Apple, Google, or Microsoft cloud sync), your passkeys survive device loss. You recover access by signing into your cloud account on a new device. If you use device-bound passkeys only, you need backup options — which is why most security experts recommend having at least two security keys registered for critical accounts.
"Can I still use my password manager?" Yes. Modern password managers like 1Password, Bitwarden, and Dashlane are evolving into passkey managers. They can store and sync passkeys alongside your existing passwords, providing a single interface for all your credentials regardless of whether a service uses passwords or passkeys.
"Does this replace 2FA?" For accounts where you use passkeys, yes — passkeys are inherently stronger than password plus 2FA because they eliminate the shared secret and are phishing-resistant by design. NIST's updated Digital Identity Guidelines now recognize synced passkeys as phishing-resistant authentication. Check, though, whether the service lets you remove the password or make passkeys the only sign-in method: a passkey added beside a password that still works leaves the password attack surface in place. For accounts where passkeys aren't available, continue using your existing 2FA.
"What about shared accounts?" This is a genuine limitation. Passkeys are tied to individual devices/accounts, which makes sharing login credentials with family members or coworkers more complicated than sharing a password. Some services are developing solutions for this, and password managers that support passkey sharing are emerging, but it's still a friction point.
"Are passkeys really more secure than a strong password with a hardware security key?" A hardware security key creating a device-bound passkey is essentially the strongest possible version of what we're describing. The passkey standard encompasses hardware security keys — they're not competing technologies, they're the same standard at different security tiers.
The Transition Period
We're in a transition period right now. Passwords won't disappear overnight. Many services don't support passkeys yet, and legacy systems will take years to upgrade. You'll need both passwords (in a password manager) and passkeys for the foreseeable future.
But the direction is unmistakable. Every major platform is pushing toward passkeys as the default. Regulatory frameworks in the EU and US are discouraging password-only authentication. The FIDO Alliance — whose members include every major tech company — has standardized the protocol.
The question for you isn't whether to adopt passkeys. It's whether to start now — when you can migrate at your own pace — or wait until you're forced to.
I'd recommend starting now. Go to the security settings of your Google account, your Apple ID, your Amazon account, and your Microsoft account today. Create passkeys for each of them. The process takes less than a minute per service. And once you experience logging in with a fingerprint instead of typing a password, you'll understand why this technology is going to win.
The password had a good run. Sixty years. But its time is up, and its replacement is better in every way that matters.
Written by
Adhen Prasetiyo
Research Bug Bounty Professional, freelance at HackerOne, Intigriti, and Bugcrowd.