Passwords are terrible. Playing the always changing game of cybersecurity whack-a-mole with your most essential accounts is worse than forgetting them. This is when passkeys are useful. With industry titans like Google, Microsoft, and Apple promoting a password-less future that the FIDO Alliance—a consortium formed to “help lessen the world’s over-reliance on passwords”—has been working to achieve for more than ten years, the so-called “war on passwords” has exploded in the last two years.
Whether you like it or not, you will eventually be asked to generate a passkey, which you probably have already done. That’s fortunate because passkeys are not only far secure than standard passwords, but they’re also much easier to use. Everything you need to know about using them is right here.
What is a passkey?
A Passkey: What Is It? Passkeys provide a method of verifying your identity without having to memorize a lengthy, complex password and in a way that is impervious to popular password attacks such as dictionary and phishing attacks.Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED that passkeys are designed to completely replace passwords and antiquated two-factor authentication methods. They are a unique advancement in cybersecurity that is safer and simpler to utilize than earlier techniques.
On a different device, log into your Google Account. With a passkey, you can use a device you’ve already validated to access your account without having to input a password. By using your phone as a passkey, you may access your Google Account right away without ever having to input a password. The most effective passkey implementations do not even require a username.
Because passkeys operate in a fundamentally different way than passwords, they ultimately prove to be safer and more convenient. In the realm of cybersecurity, passwords are referred to as “shared secrets.” Both you and the service you are logging into are aware of the secret. The issue is that you must keep that secret in mind, and you don’t have complete control over it, asThe service you’re utilizing requires you to provide that secret. You didn’t even do anything wrong; all it takes to have your account hacked is a data breach and a little decryption time.
Public-key cryptography is used by passkeys. Public-key cryptography matches a pair of keys—a private key that is only accessible by you and a public key that is visible to everyone—instead of a shared secret. It’s simpler since your private key is linked to a device you own and is typically secured with biometrics, and it’s safer because only you have access to it.
Are passkeys much protective
Even more secure than a lengthy, arbitrary password are passkeys. Your public key, which is saved as a representation of you as a user, is one of the few pieces of information you submit to the service you’re logging into when you use a passkey. This information is insufficient on its own.
You will need to complete a “challenge” on the device where you generated the passkey in order to unlock your private key, which is typically some sort of biometric authentication. The challenge is signed and returned to the service you are attempting to access if it is successful. You are then granted access once that challenge is compared to the public key. Crucially, this authentication takes place on your device rather than a distant server.While biometric authentication is the standard method of interacting with passkeys on a mobile device, it is not mandatory. For instance, on Windows, you must authenticate using Windows Hello, which may utilize the PIN on your device. You can use a pattern or pin on Android.An attacker has a great deal of opportunity to obtain your password when you use one. Your password may be compromised by data breaches, and even encrypted passwords might be deciphered. Hackers aiming to acquire credentials can easily exploit phishing methods. Additionally, there are countless instances of passwords being revealed as plaintext in security breaches that have occurred in the past if you’re utilizing a service with lax security measures.
2FA,MFA against Passkeys
Passkeys are challenging because they violate long-standing security norms, such as multifactor authentication (MFA) and two-factor (2FA). Passkeys employ multifactor authentication by default, but you don’t have to copy something from an authenticator app or enter a code from a text message. It simply happens so quickly that it’s simple to overlook.
Adding more security layers on top of your password is what MFA is all about. For example, you need a code texted to you along with your password. That’s how passkeys already operate. In addition to matching the public-private key combination, you must verify that you are the owner of the private key. Unlike 2FA, it’s not “something you know and something you own.”is typically explained, however there are still two authentication stages.
When you sign in, the service presents a cryptographic challenge that can only be solved with the private key on your device, which is validated by something you own (like your laptop or phone) and frequently something you are (like a biometric), according to Shikiar. A phishing-resistant login with no reusable credentials to steal is the end result.
Browsers and Devices That Accept Passkeys
At the operating system level, passkeys are extensively integrated. You can still utilize passkeys if you’re running an operating system (like Linux) that doesn’t support them natively. To verify yourself, you will need to use a third-party password manager or another device, such as your phone, to scan a QR code.
The following operating systems have complete passkey support:iOS 16 or later, macOS 13 (Ventura) or later, Android 9 or later
Microsoft Windows 10/11 23H2 or later Passkeys for native apps and your browser are supported by all of these operating systems. The great majority of browsers, including Brave, Opera, Vivaldi, and Google Chrome, are supported by Chromium thanks to its support for passkeys. Version 122 or later of Mozilla Firefox, the popular non-Chromium browser, also supports passkeys.
How Passkeys Are Made and Stored
Passkeys must be kept somewhere in order to be used. Although they aren’t all made equal, the main operating systems that allow passkeys already have a mechanism to store them.
Windows 11
To utilize passkeys on Windows 10 or 11, you must first configure Windows Hello. You may have enabled it during installation, but if not, select Accounts > Sign-in choices in the Settings app to activate it. You must authenticate with Windows Hello using your face, fingerprint, or PIN each time you wish to use a passkey.
Every time you try to log in to a supported service on a compatible browser (or through a native Windows app), Windows 10 or 11, version 23H2 or later, will ask you to enter a passkey. These passkeys are not synchronized across your devices, in contrast to other operating systems. Your Windows device is the only one that can use them.
IOS
When it comes to Passkeys, iOS adheres to the same guidelines as macOS. They are synced across all of your devices and kept in your iCloud Keychain. Passkeys can be managed in the dedicated Passwords app on iOS 18 and later, or in your settings in earlier versions.
Android
Passkeys are supported by Android 9 and later versions, however in different formats. The Google Password Manager, which is connected to your Google Account and synchronizes across all of your devices, is what Android passkeys will automatically utilize. You have the option to keep your passkeys somewhere else, like in a third-party password manager, on Android 14 and later.
You need a password manager if you want all of your passkeys on every device, regardless of the operating system. You can save and sync passkeys on almost any device with the majority of the top password managers. Although passkeys are supported by services like NordPass, Bitwarden, and Dashlane, I primarily use 1Password. Password managers for iOS and Android allow you to generate and save passkeys.
Applications That Accept Passkeys
While many services use passkeys for sign-in, there aren’t many locations where you can store and sync them. Although Microsoft, Adobe, Amazon, Google, and Apple are the traditional suspects, many websites and applications still do not support passkeys.
A fast Google search will yield a few directories that claim to have a comprehensive list of apps that support passkeys. One directory is maintained by 1Password, while a few B2B providers, such as one from OwnID and another from Hanko, also maintain one. These lists are not exhaustive. For instance, even if meta apps like Facebook and Instagram added support for passkeys in June 2025, they are not included.In Sweden, a nonprofit organization called 2factorauth has the greatest directory I’ve found. It is hosted on GitHub, is regularly updated, and—most importantly—is kept up to date by the community. It’s the most recent I’ve come across, and the apps are even categorized so you can choose a VPN service that accepts passkeys, for example.
Passkeys Will Replace Passwords in the Future
We are now in the midst of a protracted and difficult transition to replace passwords with passkeys. It mandates that all applications, gadgets, and operating systems abandon a decades-old authentication architecture and embrace a new one for the entirety of our digital existence.
However, the turning point has already begun. Passkeys are being adopted by major services, so you may use them for all of your most critical accounts. At the very least, it makes sense to utilize passkeys on accounts that are linked to other accounts, such your Facebook or Google account if you use social sign-on capabilities.
Passkeys are not a (pardon the pun) turnkey solution for improved security, even if they have obvious security benefits. Shikiar states, “The main door is secured by passkeys, but organizations stillmust solidify the complete identity journey, from session management to onboarding and recovery.
