What the heck is a Passkey?


If you're like me, you've probably been seeing prompts to set up a passkey for about a year now. And if you're also like me, you may have been hitting "not now" every time you see them.

Every few weeks Google asks me. Then Amazon. Then Microsoft. The prompt shows up, says something about using my face or fingerprint to sign in instead of a password, and I am always in the middle of something else. Maybe later. Click. Move on.

Recently I've noticed more and more websites showing passkey prompts when I log in. I realized I had been avoiding a security measure I would likely recommend to users, so I figured I'd finally read up on passkeys.

The short answer

A passkey is a way to sign into a website or app without typing a password. You unlock your phone or laptop the way you normally do (Face ID, fingerprint, PIN), and that is it. You are in.

The "passkey" is actually a small piece of data that is stored locally on your device. The website then stores a matching piece of data to keep on their end. When those two pieces of data match up, you get to log in without ever putting in a password.

While this technology is not new, recently companies have been using it differently.

How it works

When you create a passkey, your device generates two related pieces of math called a key pair. One half stays on your device, locked. The other half goes to the website.

The next time you sign in, the website sends your device a small puzzle. Your device solves it using its half of the pair. The website checks the answer against its half. If you match, you're in. No password required.

There is no password to steal. Even if the website is compromised and their entire user database gets leaked, their half is worthless without your half. The half the website stores is public information. Think of your half as a key, and theirs as a lock.

The passkey is tied to the exact website it was made for. If a scammer sends you a link to a fake Amazon page, your Amazon passkey will not work there. The browser checks the actual domain before it lets your device respond to the puzzle. Phishing pages stop being a threat because there is nothing for you to type in, and your device will not answer for the wrong domain.
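To make the key pair, the puzzle, and the domain check concrete, here is a small Go model of the exchange described above. It is an added example, not code from the original post or from any passkey implementation: one struct stands in for the user's device and one for the website, the domain "example.com", the look-alike "examp1e.com" and the user "alice" are constructed sample values, and the data that gets signed is a simplified stand-in for what real WebAuthn signs (the structure differs, the binding to domain and challenge is the same).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's phone or laptop. It keeps the private
// half of every key pair, indexed by the domain the passkey was created for,
// and never hands that half out.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert answers a login challenge. pageDomain is the domain the browser is
// actually on; if no passkey was created for exactly that domain the device
// refuses, which is why a look-alike page never gets a usable answer.
func (a *Authenticator) Assert(pageDomain string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[pageDomain]
	if !ok {
		return nil, errors.New("no passkey registered for " + pageDomain)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(pageDomain, challenge))
}

// signedDigest binds the answer to both the domain and the one-time challenge
// (simplified stand-in for the authenticator data plus client data hash that
// real WebAuthn signs).
func signedDigest(domain string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(domain))
	h.Write([]byte{0}) // separator so domain and challenge bytes cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty stands in for the website. It stores public keys only, plus the
// challenge currently outstanding for each user so an answer can be used once.
type RelyingParty struct {
	ID      string
	pubs    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StorePublicKey(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge issues 32 random bytes and remembers them for user.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the challenge it
// issued, then forgets that challenge so the same answer cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	want, issued := rp.pending[user]
	if !ok || !issued || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

// Scenario records what the website accepted: a genuine login, a replayed
// answer, and an attempt from a look-alike domain.
type Scenario struct{ GenuineLogin, ReplayRejected, LookalikeRefused bool }

func RunScenario() (Scenario, error) {
	device, site := NewAuthenticator(), NewRelyingParty("example.com") // constructed values
	pub, err := device.Register(site.ID)
	if err != nil {
		return Scenario{}, err
	}
	site.StorePublicKey("alice", pub)
	var s Scenario
	ch, err := site.NewChallenge("alice") // 1. genuine login from the real domain
	if err != nil {
		return Scenario{}, err
	}
	sig, err := device.Assert("example.com", ch)
	if err != nil {
		return Scenario{}, err
	}
	s.GenuineLogin = site.Verify("alice", ch, sig)
	s.ReplayRejected = !site.Verify("alice", ch, sig) // 2. same answer presented again
	ch2, err := site.NewChallenge("alice")             // 3. browser is on a look-alike domain
	if err != nil {
		return Scenario{}, err
	}
	_, err = device.Assert("examp1e.com", ch2)
	s.LookalikeRefused = err != nil
	return s, nil
}

func main() {
	s, err := RunScenario()
	fmt.Printf("%+v err=%v\n", s, err)
}
```

The website never sees the private half, so even a full dump of its stored public keys gives an attacker nothing to sign with, and because the device only answers for the domain it registered, the look-alike page in step 3 gets an error rather than a signature.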

Why this matters

Passwords have one big design flaw: they are shared secrets. Whatever your password is, you know it and the website's server knows it. Anyone who steals it can use it. Anyone who tricks you into typing it on a fake page can use it. Anyone who reuses an old leaked password from a different site can sometimes use it.

That is why we all ended up with password managers, 2FA codes, security questions, and years' worth of password changes. All of that existed because your password was a shared secret.

Passkeys remove the need for a shared secret. The data stays on your local device, locked behind your face, fingerprint, or PIN. There is nothing a scammer can trick you into giving them.

The FIDO Alliance (the standards body behind passkeys) reports that Google has over 800 million accounts using them. Amazon hit 175 million in the first year. Microsoft made passkeys the default for new accounts in May 2025.

What's the catch?

Passkeys are tied to a device, or to an ecosystem account that syncs them across your devices (think Google or Apple accounts). That trade-off has a few implications.

If you only set up a passkey on one device and you lose that device, you can be locked out. The way most people avoid this is by letting their phone or password manager sync passkeys across multiple devices. Apple does this through iCloud Keychain. Google does it through Google Password Manager. Microsoft does it through Windows Hello plus a Microsoft account. Most third-party password managers (1Password, Bitwarden, Dashlane) handle it across all three.

Apple and Google do not directly sync to each other. If your life is split between an iPhone and an Android, or between a Mac and a Windows PC, you will probably want a third-party password manager handling passkeys so they show up everywhere.

Not every site supports passkeys. As of early 2026, around half of the top 100 websites support them. Most major banks still do not. Most line-of-business software for small businesses still does not. The places you most want passkeys (your bank, your accounting software, your CRM) have been the slowest to adopt them.

During the transition, most sites still let you fall back to a password. That is convenient, but it also means an attacker who somehow has your password can still log in and set up their own passkey on their own device. This transition period is genuinely weaker than a passkey-only login. The fix is to also have strong two-factor authentication turned on for the password fallback.

Where to start

If you want to try using a passkey, a few places are the best to start.

Your email account. Whoever controls your email can reset the password on almost every other account you have. Set up a passkey on your Gmail, Outlook, or Yahoo account today. It takes about 30 seconds once you find the security settings.

Your Apple ID, Google account, or Microsoft account. These accounts often unlock other things on your devices, and the cloud sync for your other passkeys may depend on them.

Amazon, eBay, PayPal, and the major retailers. Amazon's passkey prompt has been showing up after sign-ins for months. The next time you see it, take the time to set up your passkey.

Anything where a takeover would hurt. Generally, it is a good idea to set up a passkey anywhere one is offered, and especially on any account that could cause serious harm if it fell into the wrong hands.

You do not have to convert everything in one sitting. The next time a site you actually use offers a passkey, take it.

What if I lose my phone?

This is the question that comes up most often.

If your passkeys sync (through Apple, Google, Microsoft, or a password manager) and you can sign into that account on a new phone, your passkeys come with you, just as your photos and iMessage text messages do. There is nothing extra you have to do.

If you did not have sync set up, or you lose access to the account that does the syncing, you fall back to the old recovery options for each site (password reset emails, backup codes, two-factor codes, and so on), the same path you would have used if you forgot a password.

The things to do today:

  • Make sure your phone has a real PIN (not 1234)

  • Make sure your iCloud, Google, or Microsoft account has two-factor authentication on

  • If a site offers backup codes when you set up a passkey, save them somewhere offline (not on your phone)

If you follow those steps, you won't have to worry about losing access to any passkey-protected sites.

Final thought

Passkeys are a real upgrade and they work, but they are not magic. Eventually they will not be optional. Major platforms are pushing hard toward making them the default, and password-only logins are slowly being deprecated.

You do not need to do anything dramatic today. The next time a website you actually use offers to set up a passkey for you, say yes, follow the prompts, and let your phone do the work. If you have been clicking "not now" the way I had been, maybe take a minute to set it up.

If you have a specific site that has been bugging you to set up a passkey and you want me to walk through what the prompt is asking, I'd love to hear from you!

Joel · joel@freshfromcache.com
