What Are Passkeys? How Passwordless Authentication Works

Last updated: 2026-02-25

What Are Passkeys?

Passkeys are a next-generation authentication technology designed to replace passwords. Based on the FIDO2/WebAuthn standards developed by the FIDO Alliance and W3C, passkeys use public key cryptography to authenticate users. Rather than relying on "knowledge" like a password, passkeys combine a private key stored on your device with biometric authentication (fingerprint or facial recognition) or a device PIN to deliver secure and convenient login.

Since Apple, Google, and Microsoft jointly announced passkey support in 2022, the number of compatible services has expanded rapidly. As of 2025, most major web services support passkey login, ushering in an era where users can be freed from the burden of password management.

How Passkeys Work

Public Key Cryptography Authentication

At the core of passkeys is public key cryptography. During account registration, a public-private key pair is generated on the device. The public key is sent to and stored on the service's server, while the private key is kept in a secure area of the device (TPM, Secure Enclave, etc.), protected by device encryption.

  1. The user requests to log in, and the server sends a random challenge (authentication request)
  2. The device verifies the user through biometric authentication or PIN
  3. After verification, the private key signs the challenge, and the signature is sent back to the server
  4. The server verifies the signature using the stored public key, completing authentication

WebAuthn and CTAP

Passkeys are built on two key technical specifications:

  • WebAuthn (Web Authentication API): The authentication protocol between browsers and web services. Through a JavaScript API, websites can request the creation and use of passkeys
  • CTAP (Client to Authenticator Protocol): The communication protocol between browsers and devices (authenticators). Enables interaction with external authenticators via USB, NFC, and Bluetooth

The Fundamental Difference from Passwords

Passwords rely on a shared secret model where both the server and user know the same secret. This model is vulnerable to server-side data breaches, credential stuffing attacks, and phishing. With passkeys, the private key never leaves the device, making these attacks fundamentally impossible.

Security Benefits of Passkeys

Phishing Resistance

Passkeys are bound to the domain (origin) where they were registered. The private key will not be used on a fake site's domain, providing inherent resistance to phishing attacks. Even if a user navigates to a phishing site, the passkey authentication process automatically fails.

Server Breach Resistance

Only the public key is stored on the server. Even if the server is hacked and public keys are leaked, login is impossible without the private key. The risk of digital identity theft is dramatically reduced.

Replay Attack Resistance

A unique challenge is generated for each authentication attempt, making replay attacks - which reuse past authentication data - impossible. For a thorough exploration of these concepts, consider reading a guide to web authentication security.

Elimination of Password-Related Threats

  • Brute force attacks: There is no password to guess
  • Dictionary attacks: The concept of a "weak password" does not exist
  • Credential stuffing: Reusing leaked passwords is impossible
  • Keyloggers: There is no password to type, making keystroke logging pointless

Setting Up Passkeys on Major Platforms

Apple (iPhone / iPad / Mac)

Apple syncs passkeys through iCloud Keychain. Available on iOS 16+, macOS Ventura+.

  1. Open the account settings page on a supported site
  2. Select "Add a passkey" or "Set up security key"
  3. Authenticate with Face ID or Touch ID
  4. The passkey is saved to iCloud Keychain and becomes available on all devices with the same Apple ID

Google (Android / Chrome)

Google manages passkeys through Google Password Manager. Supported on Android 9+ and Chrome 118+.

  1. Start passkey setup on a supported site
  2. Authenticate with fingerprint, facial recognition, or screen lock PIN
  3. The passkey syncs to your Google account and becomes available on Android devices and Chrome with the same account

Microsoft (Windows)

Windows 11 supports passkeys through Windows Hello. A 2025 update added passkey sync to Microsoft accounts.

  1. Select passkey creation on a supported site
  2. Authenticate with Windows Hello (facial recognition, fingerprint, or PIN)
  3. The passkey is stored in Windows Credential Manager

Third-Party Password Managers

Major password managers including 1Password, Bitwarden, and Dashlane support passkey storage and sync. These third-party products are convenient for using passkeys across different platforms. A book on FIDO2 passkey technology can provide additional technical depth.

Passkey-Compatible Services (2025–2026)

The number of services supporting passkeys is growing rapidly. Here are the major compatible services.

Major Technology Companies

  • Google: Recommends passkeys as the default authentication method across all Google accounts
  • Apple: Supports passkeys for Apple ID, iCloud, and App Store
  • Microsoft: Passkey support for Microsoft accounts and Microsoft 365
  • Amazon: Supports passkeys for shopping and AWS Console

Social Media and Communication

  • GitHub, X (formerly Twitter), LinkedIn, WhatsApp, PayPal

Finance and Payments

  • PayPal, Stripe, and select banks and brokerages
  • In Japan, Yahoo! JAPAN was an early adopter, with over 50 million accounts using passkeys as of 2025

Comparison with Traditional Two-Factor Authentication

Two-factor authentication (2FA) enhances security by requiring an additional authentication factor beyond the password. However, SMS-based 2FA is vulnerable to SIM swap attacks, and TOTP (time-based one-time passwords) can still be entered on phishing sites. Passkeys fundamentally solve these problems, providing security equal to or greater than multi-factor authentication in a single action.

Challenges and Considerations

Device Loss Recovery

Since passkeys are tied to devices, account recovery when all devices are lost is a challenge. If cloud sync (iCloud Keychain, Google Password Manager) is enabled, recovery on a new device is straightforward - though it's important to understand the security implications of cloud storage. Without sync, you need to ensure alternative recovery methods are in place.

Cross-Platform Challenges

Sharing passkeys across Apple, Google, and Microsoft ecosystems is still not fully seamless as of 2025. Using passkeys across different platforms requires QR code-based proximity authentication or third-party password managers.

Limited Service Coverage

While passkey adoption is growing, not all web services support them yet. A transitional period of using passkeys alongside traditional passwords and 2FA will continue for the time being.

Shared Account Handling

Using passkeys with accounts shared among family members or teams can be complex. Each member needs to register individual passkeys, or the team must use a password manager's sharing features.

Latest Developments in 2025–2026

CXP/CXF Credential Synchronization Protocol

The FIDO Alliance published the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) specifications in late 2025, enabling secure transfer of passkeys between different password managers and platforms. This addresses one of the biggest barriers to passkey adoption - vendor lock-in - by allowing users to freely move their credentials between 1Password, Bitwarden, Apple Keychain, and Google Password Manager.

Passkey Export/Import Standardization

Building on CXP/CXF, major password managers implemented passkey export and import functionality by early 2026. Users can now back up their passkeys independently and migrate between ecosystems without re-registering on each service. This standardization has significantly accelerated enterprise passkey adoption, as organizations can now manage credential portability at scale.

FIDO2 Level 3 Certification

The FIDO Alliance introduced Level 3 certification requirements in 2025, adding hardware-backed attestation and enhanced anti-phishing protections. Devices meeting Level 3 requirements provide cryptographic proof of authenticator integrity, making passkeys suitable for high-security applications including financial services and government systems.

Accelerating Passkey Adoption

According to the FIDO Alliance, the number of websites supporting passkeys exceeded 2 million by early 2026, with monthly passkey authentications surpassing 15 billion. Adoption has accelerated particularly in e-commerce and financial services, with passwordless authentication becoming the default for new account registrations on major platforms.

Credential Manager API Standardization

The W3C has been advancing extensions to the Credential Management API, making passkey creation and management more intuitive. In 2025–2026, browser autofill integration with passkeys has further improved, allowing users to log in simply by selecting a passkey from the password field.

Developments in Japan

In Japan, the Digital Agency is promoting integration between My Number cards and passkeys. Major banks and online services are also advancing passkey support, with passkeys predicted to become the standard authentication method for Japanese online services by 2026. Yahoo! JAPAN has surpassed 60 million accounts using passkeys.

Passkey Migration Checklist

Follow these steps to gradually transition from passwords to passkeys:

  1. Identify which of your current accounts support passkeys (search on passkeys.directory)
  2. Prioritize setting up passkeys for your most important accounts (email, banking, social media)
  3. For services that don't yet support passkeys, set up strong passwords and two-factor authentication
  4. Enable cloud sync for passkeys and ensure recovery methods are in place for device loss
  5. Adopt a third-party password manager to enable cross-platform passkey usage
  6. Regularly check your digital identity protection status and review login history for suspicious activity
  7. Recommend passkey adoption to family and colleagues to improve overall security

Summary

Passkeys are a next-generation authentication technology that eliminates the fundamental vulnerabilities of passwords. They significantly outperform traditional passwords plus 2FA in three key areas: phishing resistance, server breach resistance, and usability. Compatible services are expanding rapidly, making now the ideal time to begin your passkey migration. Start by setting up passkeys for your most important accounts and gradually build a passwordless environment. Alongside your passkey migration, consider running a security check on our site to review your current browser and network security posture.

For definitions of the technical terms used in this article, visit our glossary.
