Apple, Google, and Microsoft have all bet big on passkeys as the successor to passwords. Major sites including Google, Apple ID, GitHub, PayPal, and eBay now support them. But what exactly are passkeys, how do they work, and should you switch?
What is a passkey?
A passkey is a cryptographic key pair that replaces your password. When you create a passkey on a site, your device generates a private key (stored securely on your device) and a public key (stored on the site's server). To log in, you authenticate locally using biometrics (Face ID, fingerprint) or your device PIN — your device then uses the private key to prove your identity without ever sending a password.
The site never sees your private key, so there is nothing on its servers that an attacker could steal and use to log in as you. And because each passkey is bound to the domain it was created for, a look-alike site cannot get your device to use it, which makes passkeys immune to phishing.
Why passkeys are genuinely better than passwords
- Phishing-proof — your device will only use a passkey for the exact site it was created for
- No secret to steal — the server only stores your public key, which is useless to an attacker
- No reuse problem — each site gets a unique key pair, so a breach at one site doesn't affect others
- Nothing to memorize — authentication is a biometric or device PIN you already use
- Resistant to brute force — cryptographic keys can't be guessed
✅ On security: Passkeys are strictly better than passwords for authentication security. There is no scenario where a passkey is weaker than a password for the same account.
The current limitations
- Coverage — most sites still don't support passkeys. You'll still need passwords for the majority of your accounts.
- Cross-device sync — passkeys sync within an ecosystem (Apple, Google, or Windows) but cross-platform portability is still maturing.
- Recovery — losing all your devices without a recovery method can lock you out permanently.
- Business accounts — enterprise passkey support is still early-stage.
Should you use passkeys now?
Yes — for any site that supports them, enable passkeys. They're strictly safer than passwords and more convenient. But don't think of it as an alternative to good password hygiene: most of the internet still runs on passwords, and you need strong unique ones for all those accounts.
⚠️ The transition period: We're likely 3–5 years from passkeys being mainstream enough to replace passwords entirely. Until then, a password manager with strong unique passwords + 2FA remains the right approach for most accounts.
The bottom line
Passkeys represent the best login technology we've built — adopt them wherever supported. But they're not yet a reason to stop caring about password security. The two approaches will coexist for years, and your password manager remains essential in the meantime.