What Is a Passkey and Is It Really Safe?
Passkeys are showing up everywhere these days: in our iPhones, Android devices, Google accounts, and password managers. They promise to make logging in both safer and simpler, but is this technology actually safer? And what happens if you lose your phone?
We’re here to walk you through everything you need to know about passkeys: what they are, how they work, why security experts are so excited about them, and whether they’re the right choice for you.
What Is a Passkey?
A passkey is a modern, passwordless way to sign into websites and apps. Instead of typing (or often reusing) a password, you simply unlock your device using something you already use every day: your fingerprint, face, or personal identification number (PIN). That’s it. No typing in your username and password, no “forgot my password” resets, no guessing the variation of your go-to password.
A passkey is built on technology called public-key cryptography. In practical terms, creating a passkey for a website or app involves your device generating a pair of unique digital keys: one private and one public. The private key is the master key, securely stored on your device. The public key, on the other hand, is sent to and stored on the website. It doesn’t need to be secret, but it’s useless without the matching private half.
Unlike a password, which you hand over to every website you log in to, a passkey stays locked on a device that only you can open. The website holds only the matching lock (the public key), which lets it check that you hold the private key without ever seeing it. If the website’s server is ever breached, all the cyberattacker gets is a useless lock with no key.
Where Can You Use Passkeys?
Passkeys are becoming widely adopted across major tech players, including Apple’s iCloud Keychain, Google accounts, Chrome, Microsoft accounts, and Windows Hello. Many password managers, such as 1Password and Dashlane, are building in passkey support, too.
Beyond these platforms, you can use passkeys anywhere a website or app has adopted passwordless sign‑in using the industry standards developed by the FIDO Alliance and the World Wide Web Consortium. This includes an increasing number of services across categories like email, banking, e‑commerce, cloud storage, and productivity tools. As more companies implement passkey support, you’ll see them available in more sign‑in flows, typically shown as a “Sign in with a passkey” or “Use device unlock” option.
The Difference Between Passkeys and Passwords
Passwords rely on something you know: a shared secret you type into every site. If that site stores it poorly or gets breached, your password can be stolen, guessed, or reused by attackers across other accounts. Passkeys replace that entire model with a cryptographic key pair: the private key stays securely on your device, and the public key stays with the website. You authenticate by unlocking your device, not by typing anything. Compared to passwords, passkeys are considered safer because they can’t be phished, reused, or exposed in a data breach, and they make sign‑ins faster and easier. However, they still come with risks and limitations of their own.
How Passkeys Work
Let’s walk through what happens when you create and use one:
Create a Passkey
Imagine you’re setting up a passkey for your favorite online shopping site. When you click “Create a passkey” or “Set up passwordless login,” your device, whether it’s your phone, tablet, or computer, instantly generates the private key and the public key, each one unique. The two keys are mathematically linked to each other, and the pair is specific to this one website, meaning your Gmail passkey is different from your bank passkey, which is different from your shopping site passkey.
The private key is stored in a secure part of your device. On an iPhone, that’s the Secure Enclave. On Android, it’s a similar protected area. On Windows devices with Windows Hello, it’s the Trusted Platform Module. The point is that this key goes into a vault designed to protect sensitive information: it is encrypted, isolated from other apps and processes, and never leaves that secure storage.
The public key, meanwhile, is stored on the website’s servers alongside your account information. Its only job is to let the site check that you hold the matching private key. On its own, it’s just data.
Log In with a Passkey
Still on the shopping site, you click “Sign in with passkey,” and the website sends a challenge to your device. This is a one-time, random puzzle that requires you to prove you’re the one who created this passkey.
Your device then prompts you to “Use Face ID to sign in,” “Use fingerprint,” or “Enter your device PIN” to authenticate yourself using the method you’ve set up on your device.
Once you’ve unlocked your device, it uses your private key to mathematically “sign” the challenge, proving to the website that you have the correct private key. Critically, at no point does your device send the private key itself. It only sends the signed response to the challenge.
The website receives this signed response and uses the public key to verify that the signature is legitimate. If everything checks out, you’re logged in. The whole process takes only a few seconds.
Unlock the Vault with Biometric Data
When you use Face ID, Touch ID, or a fingerprint sensor to approve a passkey login, your actual biometric data, such as an image of your face or a map of your fingerprint, never leaves your device, nor is it sent to the website. It is used solely to unlock the vault on your device where the private key lives.
This is fundamentally different from scanning your fingerprint directly on a website. With passkeys, the website is completely isolated from your biometric data. You’re simply using your biometrics as a convenient, secure way to unlock your own device.
Are Passkeys Safe?
Passkeys represent a significant upgrade in safety over traditional passwords in several ways.
Passkeys Are Phishing-Resistant by Design
Phishing, where cyberattackers deceive you into entering your credentials on a fake website, is one of the most common and successful attacks against password-based accounts. Passkeys eliminate this category of attack because each one is bound to the legitimate website’s domain.
When you try to log in, your device checks whether the website requesting authentication is the exact site for which the passkey was created. Your passkey simply won’t work on a fake website, even if it looks perfect, because it is bound to the legitimate domain.
This is a fundamental change from passwords, where our human judgment is the only defense against a convincing fake. With passkeys, authentication happens at a technical level that’s immune to visual trickery.
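To make the create-and-log-in flow above and the domain binding behind phishing resistance concrete, here is a small model of both sides in Go. It is an added example written for this article, not code from McAfee or from any platform’s passkey implementation, and it simplifies the real WebAuthn protocol: the device signs a hash of the site’s identifier plus the challenge (real authenticators sign authenticator data together with a hash of client data carrying the challenge and origin), and the type and function names are invented for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the device vault: one private key per site (relying party ID), never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair for rpID and returns only the public half for the site to store.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID; a lookalike domain finds no passkey here and gets nothing signed.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, err == nil
}

// signedData binds a signature to the site and to this one login attempt (no replay, no redirect).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return h[:]
}

// RelyingParty models one account at the website: the site stores the public key and nothing secret.
type RelyingParty struct {
	ID  string           // the site's own domain, which the passkey is bound to
	Pub *ecdsa.PublicKey // received at registration; useless without the private half
}

// NewChallenge issues a fresh 32-byte random value for one login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error (documented as of Go 1.24)
	return c
}

// Verify checks the signature against this site's own ID, the challenge it issued and the stored key.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return rp.Pub != nil && ecdsa.VerifyASN1(rp.Pub, signedData(rp.ID, challenge), sig)
}
```

Registering with `Register`, then running `NewChallenge`, `Sign` and `Verify` in sequence plays out one login; asking the same authenticator to `Sign` for a domain it never registered with returns nothing, which is the phishing resistance in code.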
No Shared Secrets Means No Massive Password Leaks
Public keys stolen from data breaches aren’t usable for account takeovers without the matching private key kept safely in your device. This means that even if your favorite shopping site, social media platform, or online service is breached, your ability to log into your account remains secure.
Every Passkey Is Automatically Strong and Unique
We’re constantly told to make our passwords long, randomly complex, and unique for every site. But that’s exhausting. Passkeys eliminate this entire burden. Every single passkey is automatically long, completely random, and unique to its matching website. There’s no such thing as a weak passkey, which removes the human element. You don’t choose it, so you can’t choose badly. You don’t reuse it, because each one is generated fresh. And you don’t need to remember it, because your device handles all of that for you.
Passkeys let the technology do what it does best, but until passkeys are universal, using a password manager remains one of the best ways to create and store strong, unique passwords.
Built-In Multi-Factor Protection in a Single Step
Traditional wisdom says you should use two-factor authentication wherever possible: something you know (your password) plus something you have (your phone) or something you are (your fingerprint). Passkeys inherently combine these factors.
When you use a passkey, you have the device with the private key stored on it, and you’re authorized to use that device via biometric or PIN unlock. That’s two authentication factors in one seamless step.
Passkey Risks and Limitations
Passkeys are genuinely safer than passwords for most everyday threats, but they’re not perfect, and there are legitimate concerns and limitations you should understand.
Device Loss or Damage
How do you access your passkeys if your phone falls in a lake, gets stolen, or simply dies? This is where backup and recovery become crucial. The major platforms synchronize passkeys across your devices: Apple through iCloud Keychain, Google through your Google account, and Microsoft through your Microsoft account. Many password managers are adding passkey sync capabilities as well.
If you lose your phone but have an iPad or Mac, you can still access your accounts using the synchronized passkeys. Your Apple ID or Google account becomes even more critical because it’s now the backup for your passkeys. You will need to protect that central account with the strongest protection available: a unique, strong password (still a password for now), and two-factor authentication if the service offers it. Some services offer hardware security keys as options, which also pair well with a passkey strategy. You can also use multiple devices as backup passkeys for your most important accounts.
Trusting a Single Service Provider Is Risky
When your passkeys synchronize through iCloud, Google, Microsoft, or a password manager, you’re placing significant trust in that service provider. Your synced passkeys are typically encrypted in transit and at rest, and the companies involved have strong incentives to protect them. But that central account is already powerful, holding access to your emails, cloud storage, purchases, and more. With your passkeys in it, it becomes an even higher-value target.
If well protected, passkeys are highly convenient. But if someone manages to compromise your main ecosystem account, they potentially gain access to everything. This is why we’re so adamant about using strong, unique passwords for these accounts and enabling the 2FA options they offer.
Not Every Site Is Passkey-Ready
While major sites and services now support passkeys, many others aren’t ready for them yet. Also, while the underlying technology is standard, passkeys are implemented differently across ecosystems. A passkey created on an iPhone works beautifully on other Apple devices. Using it on an Android phone or Windows PC is possible but requires extra steps, such as scanning a QR code. Cross-platform compatibility is a key goal of the technology, but we’re not quite there yet.
Shared or Family Devices Require Extra Thought
If multiple people can unlock a device with their fingerprints or PINs, they could use passkeys stored on that device to access accounts that aren’t theirs, posing a security risk. It is best to use separate user profiles on shared computers or ensure that phones and tablets are personal to each family member. On supported devices, you can also set up individual biometric enrollments tied to specific profiles, which keeps things separated.
For truly shared devices where multiple people legitimately need access to the same accounts, such as a shared streaming service, you might want to stick with traditional passwords and consider using a family password manager instead.
A Practical Guide to Start Using Passkeys
For a clear, practical path forward that balances security benefits with realistic caution, here’s a guide that will help you gradually transition to passkeys.
1. Lock Down Your Foundation First
Before you start creating passkeys, take a moment to secure the device and the main ecosystem account that will support them. If passkeys are going to live on your phone and sync via your Apple ID or Google account, they need to be rock-solid.
Set strong screen locks: at least a 6-digit PIN, plus biometric unlock where possible, since these will be the primary approval methods for passkey logins going forward.
Next, generate long, unique, and strong passwords to secure your Apple ID, Google, or Microsoft account, or your password manager. Don’t reuse them anywhere else. If you struggle to remember complex passwords, this is actually a great use case for a password manager. Then enable the most secure 2FA option available, whether it is a hardware security key or an authenticator app. This layered approach is how security works best.
2. Test the Waters with a Low-Stakes Account
Once your foundation is secure, pick a passkey-ready online service that isn’t critical to your daily life. Perhaps it’s a news site or a social media account that wouldn’t devastate you if something went wrong.
Go into the security settings of that account and look for an option to “Add a passkey,” “Set up passwordless login,” or similar wording. When you create this first passkey, pay attention to how quick it is, usually just a tap and a biometric unlock, and to what happens when you log out and try to log back in. Get comfortable with the flow.
This low-stakes testing lets you discover several things: first, whether you like using passkeys before committing to them on important accounts. Second, you’ll uncover any friction points unique to your device or browser. Third, you’ll build confidence in the technology.
3. Gradually Expand to Important Accounts
Once you’ve built a comfort level with passkeys on a test account, gradually expand to the accounts that matter, such as email, which is often the key piece of your digital infrastructure.
From there, consider cloud storage accounts, financial services, and any other accounts where security is a genuine concern. Many services may want you to keep your password as a backup authentication method or for flexibility. You can use the passkey for quick, secure day-to-day logins while keeping the password for recovery or accessing your account from a non-passkey-ready device.
Many services will also still require or recommend keeping the traditional 2FA, as more security layers are generally better. Over time, as passkey adoption becomes more universal, these backup methods may become less necessary.
4. Plan for Device Loss Before It Happens
Losing your phone is stressful; this is why planning for recovery is so important. If you’re using cloud-synced passkeys, make sure you understand their account recovery processes and what information you’d need to prove you own that account. This might include recovery emails, phone numbers, or trusted contacts. Keep this information current.
Consider setting up multiple devices in your ecosystem so your passkeys can synchronize across them. If you have both a phone and a tablet, or a phone and a computer, they can back up each other.
For your most critical accounts, such as email, banking, and core identity services, consider registering a hardware security key as a backup, if the service supports it. Hardware keys such as YubiKeys or Google Titan Keys work across platforms, providing a recovery path that doesn’t depend on any single digital account or device.
Also, many services still offer traditional backup recovery codes when you enable advanced security features. Download them, print them, and store them safely offline. They’re not as convenient as passkeys, but they can save you from being locked out of an important account.
5. Keep Learning and Adjusting
Stay curious and informed, as the passkey landscape is evolving rapidly. If passkeys aren’t working as you expected, don’t hesitate to use your backup authentication methods while you figure it out.
Pay attention when the platforms and services you use announce improvements to passkey features or recovery options. Sometimes, a quick update to your device or browser enables better passkey functionality. Remember, you can add passkeys to more accounts as you get comfortable, while keeping traditional authentication methods as backups.
Should I Use Passkeys?
For most people in most situations, passkeys are genuinely safer than traditional passwords, and they’re easier to use after the initial setup. The core technology is sound, the protections against phishing and credential theft are real, and the reduction in password fatigue is significant.
Passkeys work best when you’re thoughtful about the supporting infrastructure. The technology is particularly well-suited to you if you:
- Already use a modern smartphone or computer with biometric unlock capabilities
- Are tired of managing multiple passwords and want a simpler, more secure alternative
- Want better protection against fake websites and phishing attacks
- Use services from major providers (Google, Apple, Microsoft, and major banks) that have robust passkey support
- Are willing to set up proper backup and recovery methods
On the other hand, you might want to proceed more cautiously or stick with traditional authentication if you:
- Regularly use older devices or browsers that don’t support passkeys well
- Share devices with others and can’t maintain separate user profiles
- Are not comfortable or able to properly secure your cloud ecosystem account
- Rely on specific services that don’t support passkeys yet
Final Thoughts
If you haven’t already, consider setting up at least one passkey on a service you use regularly. Experience how it works firsthand and pay attention to how you feel about it.
Adopting passkeys, even on a few important accounts, is a meaningful step toward a safer, more manageable digital life. They offer a powerful option to break out of the exhausting cycle of forgetting passwords by changing the game entirely.
For more security insights and tips, visit the McAfee Blog and guides to stay informed about the latest threats and protection strategies.