What is a passkey?
A passkey is a login credential based on public-key cryptography. Your device creates a private key that stays protected on the device or inside a trusted synchronized credential service. The website stores the matching public key. During login, the website sends a challenge and your device signs it after you unlock with a fingerprint, face scan, PIN, or device password.
The website never needs the private key. There is also no shared password for a criminal to steal from the site and reuse elsewhere. The credential is tied to the genuine website origin, which makes a well-implemented passkey strongly resistant to common phishing pages.
Passkeys compared with passwords
| Question | Passkey | Password |
|---|---|---|
| Secret stored by website | Public key only | Password hash |
| Phishing resistance | Strong origin binding | User can type it into a fake site |
| Reuse risk | Unique per service | Often reused |
| User experience | Device unlock | Remember or manage text |
| Recovery | Depends on device ecosystem and account recovery | Email reset or recovery codes |
Passkeys reduce several familiar risks, but they do not remove the need for account recovery, secure devices, and careful administration. A criminal who controls an unlocked device or cloud account may still be able to use synchronized credentials.
Where passkeys live and how syncing works
Some passkeys are device-bound, such as credentials on a hardware security key. Others can synchronize through an operating-system or password-manager account. Synchronization makes it easier to sign in on a new phone or computer, but it also means the security of that ecosystem account matters. Use strong recovery options and protect the account with its own multi-factor authentication.
Cross-device login can use a QR code or nearby-device approval. The private key is not simply displayed to the website. The devices establish a protected process to approve the authentication.
What happens if you lose every device?
Recovery depends on the service and credential provider. You may restore synchronized passkeys after recovering the platform account, use a hardware security key kept as a backup, enter recovery codes, or complete the website's identity-recovery process. Before replacing your final old device, confirm that important accounts have at least two recovery paths.
How to adopt passkeys safely
- Add a passkey only on a device or password manager you trust.
- Keep the device lock PIN private and enable biometric protection where suitable.
- Register a second passkey or hardware key for critical accounts.
- Store recovery codes offline in a secure location.
- Review the list of registered devices and remove old ones.
- Do not approve unexpected cross-device login prompts.
Businesses should keep auditable recovery procedures. A passkey rollout can fail if users are secure during normal login but can be socially engineered through a weak help desk.
Frequently asked questions
Is a passkey the same as a fingerprint?
No. The fingerprint normally unlocks the private key locally. The biometric template is not sent to the website as the credential.
Can a passkey be hacked?
No system is risk-free, but passkeys remove password reuse and make ordinary phishing much harder. Device compromise and account-recovery attacks remain relevant.
Do passkeys work across Apple, Android, and Windows?
Modern platforms support passkeys, but exact sharing and synchronization depend on the credential provider and the website.
Should I delete my password immediately?
Only after confirming the service supports reliable passkey login and recovery. Some services retain a password as a fallback, which means the password must still be protected.
Technical foundation: Passkeys are built on FIDO2 and WebAuthn standards maintained by the FIDO Alliance and W3C.