Learn Passkeys | Passwords, Accounts, And Your Digital Identity
Internet Safety for Everyday Users

Passkeys


What if logging into a website didn't need a password at all? Not "a really strong password" — none. No string of characters to type. No code to copy. Just your fingerprint, your face, or a tap on your phone.

That's a passkey. Passkeys have been quietly rolling out since 2022, and as of 2026 they work on hundreds of major sites. This chapter explains what they are, why they're better than passwords plus 2FA, and how to switch.

How A Passkey Works (Without The Math)

When you sign up for a site that supports passkeys, your device — phone, laptop, or both — does the following:

  • Generates a unique cryptographic key pair, just for that one site;
  • Keeps the private half on your device, protected by your biometric (fingerprint, Face ID) or device PIN;
  • Sends the public half to the website's servers.

The private half never leaves your device. It can't be typed, copied, or accidentally pasted into a fake site. To log in later:

  • You go to the site and click "Sign in with passkey";
  • Your device asks you to unlock (fingerprint, Face ID);
  • Your device does a quick cryptographic handshake with the site;
  • You're in.

That's it. No password to remember. No code to copy. No typing.

Why This Is A Big Deal

Three things make passkeys structurally safer than any password + 2FA combination:

1. Nothing to phish. A password is a secret. If you type it into a fake site, the scammer has it. A passkey isn't a secret you can be tricked into sharing — your device verifies the website's real domain cryptographically before responding. A fake site at g00gle.com will get nothing, even if you tap "Sign in" by mistake. Phishing fails by design.

2. Nothing to leak. When a website is breached, attackers steal whatever's in the database. With passwords, that's everyone's password (hashed, and hopefully strongly enough). With passkeys, it's only the public half of the key pair — useless to attackers without the private half on your device. A breach that would have ruined millions of accounts becomes a non-event.

3. Nothing to remember. No password to type wrong, write down, reuse, or forget. Your device handles everything.
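
The sign-up and sign-in steps from "How A Passkey Works", together with the phishing and breach points above, as an added example (not code from this course or from any real passkey implementation). It is a simplified Node.js model that leaves out the real WebAuthn browser API; the `Device` and `Site` classes, the user `alice` and the domains `example.com` / `examp1e.com` are constructed for illustration.

```javascript
// Added illustration: simplified passkey model, not the real WebAuthn API.
const crypto = require('node:crypto');

// Your device: one key pair per site, looked up by the site's domain.
class Device {
  constructor() { this.keys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(domain, privateKey); // private half stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // public half goes to the site
  }
  // `origin` comes from the browser's address bar, not from the page's content.
  signIn(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey for this domain: nothing is sent
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// The website: stores public keys only and issues single-use challenges.
class Site {
  constructor(domain) { this.domain = domain; this.db = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.db.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, response) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is good for one attempt, so replays fail
    if (!response || !expected || !this.db.has(user)) return false;
    const { origin, challenge } = JSON.parse(response.clientData);
    if (origin !== this.domain || challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(response.clientData), this.db.get(user), response.signature);
  }
}

function demo() {
  const device = new Device(), site = new Site('example.com'); // constructed domains
  site.enroll('alice', device.register('example.com'));
  const ok = site.verify('alice', device.signIn('example.com', site.newChallenge('alice')));
  // A look-alike site relays a real challenge, but the device has no key for that domain.
  const phished = device.signIn('examp1e.com', site.newChallenge('alice'));
  const old = device.signIn('example.com', site.newChallenge('alice'));
  const first = site.verify('alice', old), replay = site.verify('alice', old);
  return { ok, phished, first, replay, stored: [...site.db.values()] };
}
```

Calling `demo()` shows the genuine sign-in verifying, the look-alike domain receiving nothing, a replayed response being rejected, and the site's database holding public keys only.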

Where Passkeys Work In 2026

The list is growing fast. As of mid-2026:

  • Apple — iCloud accounts, App Store, all Apple services;
  • Google — Gmail, Drive, YouTube, all Google services;
  • Microsoft — Outlook, Office 365, Xbox;
  • Amazon — main shopping account, AWS, Audible;
  • PayPal, eBay, Shopify, Best Buy;
  • GitHub, GitLab, Cloudflare, 1Password, Bitwarden (yes, the password manager now supports passkeys);
  • Banks — Bank of America, Wells Fargo, Chase, plus most European and Asian major banks;
  • Government services in the US (login.gov), UK, Australia, and Singapore.

In total, over 600 services support passkeys as of 2026, doubling roughly every year. The major holdouts are smaller banks and older enterprise software, which will catch up over the next 2-3 years.

A useful directory: passkeys.directory — a community-maintained list of every site that supports passkeys.

How To Switch — In 60 Seconds Per Account

For any account that offers passkeys:

  1. Log in normally with your password;
  2. Go to Settings → Security (or sometimes "Sign-in & security");
  3. Look for "Passkeys" or "Sign in with passkey";
  4. Click "Add a passkey";
  5. Your device prompts you to confirm with your biometric;
  6. Done.

Next time you log in, click "Sign in with passkey" instead of typing your password. Your device prompts for fingerprint or Face ID, and you're in.

You can have multiple passkeys for the same account — one on your phone, one on your laptop, one on a hardware security key. Most password managers (1Password, Bitwarden, Apple Passwords) can store passkeys too, so they sync across devices automatically.

Common Questions

"What if I lose my phone?"

Passkeys sync through your password manager or platform account (iCloud Keychain for Apple, Google Password Manager for Android, etc.). Get a new phone, sign in to your manager or platform, and your passkeys appear. You can also add passkeys for the same account on multiple devices.

"Can I still use a password as backup?"

For most services that support passkeys, your existing password still works. You can have both. Some services (Google's "advanced protection" mode, certain enterprise setups) let you remove the password entirely — but for most people, keeping both for now is fine.

"Are passkeys the same as biometrics?"

No. The fingerprint or Face ID just unlocks the private key on your device — your biometric data never leaves the device, and the site never sees it. Your fingerprint isn't being sent anywhere. It's just the local "prove it's you" step before your device does its cryptographic work.

"What about laptops without fingerprint sensors?"

Modern laptops use Windows Hello, Touch ID, or a PIN. Or your phone can act as the passkey — your laptop shows a QR code, you scan it with your phone, you confirm with your fingerprint on the phone, and the laptop logs in. Cross-device passkeys work surprisingly well.

The Practical Rule

When a site offers a passkey option, take it.

It's strictly better than a password plus 2FA — phishing-proof, breach-proof, faster to use. Even better, you don't have to throw away your existing setup. Add a passkey, keep your password as backup, and gradually shift to passkey-first as more sites support it.

For your top 5 accounts — email, password manager, bank, cloud storage, primary social — go set up passkeys this week. It's the single biggest free upgrade to your security posture in 2026.


Section 1. Chapter 5
