
Passkeys are replacing passwords. What that actually means for you

Every major tech company has said the same thing for the past three years: passwords are dying. Google, Apple, Microsoft, and hundreds of apps now support passkeys. But if you are like most people, you still have no idea what a passkey actually is or whether you should trust it. This is the honest, no hype breakdown.

April 10, 2026 | 7 min read | By Baris Ayarkan
80% of data breaches involve stolen or weak passwords
15B+ credentials circulating on the dark web right now
0% of passkeys can be phished using fake login pages

What is a passkey, exactly?

A passkey is a cryptographic key pair: two pieces of data that are mathematically linked. When you create a passkey for a website, your device generates a private key (stored only on your device, never sent anywhere) and a public key (sent to the website). When you log in, the site sends a challenge, your device signs it with the private key, and the site verifies the signature with the public key.

There is no password involved. The site never sees anything that could be stolen. Even if the company gets breached, the attacker gets a public key, which is completely useless without the private key sitting on your phone.

🔑
Why phishing becomes impossible

Phishing attacks work by tricking you into entering your password on a fake site. Passkeys are bound to the exact domain they were created for. A fake Google login page simply cannot trigger a Google passkey; your device refuses. Phishing is structurally impossible, not just harder.
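
The challenge, signature and domain check described above, as an added example (not code from this guide or from any vendor). It is a simplified model, not the real WebAuthn message format; the domains and function names are made up for illustration.

```javascript
const crypto = require("crypto");

// Registration: the device creates a key pair scoped to one site (rpId).
// Only publicKey would be sent to the site; privateKey stays on the device.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, publicKey, privateKey };
}

// Device side: refuse to sign unless the page's host belongs to the passkey's site.
function deviceSign(passkey, origin, challenge) {
  const host = new URL(origin).hostname;
  if (host !== passkey.rpId && !host.endsWith("." + passkey.rpId)) return null;
  // The origin and the site's challenge are both covered by the signature.
  const clientData = JSON.stringify({ origin, challenge: challenge.toString("base64url") });
  const signature = crypto.sign("sha256", Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Site side: check the origin, the challenge it issued, then the signature.
function siteVerify(publicKey, expectedOrigin, issuedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== issuedChallenge.toString("base64url")) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

// Constructed scenario: one real login, one look-alike page, one replayed response.
function demo() {
  const passkey = createPasskey("example.com");
  const site = "https://login.example.com";
  const challenge1 = crypto.randomBytes(32);
  const good = deviceSign(passkey, site, challenge1);
  // Look-alike host: starts with the real name but belongs to another domain.
  const fake = deviceSign(passkey, "https://login.example.com.account-check.test", challenge1);
  const challenge2 = crypto.randomBytes(32); // a later login gets a fresh challenge
  return {
    legit: siteVerify(passkey.publicKey, site, challenge1, good),
    phishing: siteVerify(passkey.publicKey, site, challenge1, fake),
    replay: siteVerify(passkey.publicKey, site, challenge2, good),
  };
}
```

Only the login on the real site verifies; the look-alike page gets no signature at all, and a captured response fails against the next challenge.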

Passkeys vs passwords vs password managers

| Feature | Password (no manager) | Password Manager | Passkey |
| --- | --- | --- | --- |
| Phishing resistant | ✗ No | ~ Partial | ✓ Yes |
| Works if site is breached | ✗ Exposed | ~ Hashed only | ✓ Safe |
| No password to remember | ✗ No | ✓ Yes | ✓ Yes |
| Works across devices | ✓ Yes | ✓ Yes | ~ Getting better |
| No 2FA needed | ✗ Still need it | ✗ Still need it | ✓ Built in |
| Recovery if device lost | ✓ Easy | ✓ Easy | ~ Improving |

The honest summary: passkeys are more secure than passwords in every meaningful way. The only real weakness right now is cross-device recovery, but Apple, Google, and 1Password have all shipped syncing solutions that make this much less painful than it was in 2024.

Where can I use passkeys today?

As of April 2026, passkeys are supported on all the accounts that matter most.

Supported right now

Google, Apple ID, Microsoft, GitHub, Shopify, PayPal, Amazon, Coinbase, X, WhatsApp, Dashlane, 1Password, Robinhood, Adobe, Dropbox, LinkedIn, TikTok, Discord, Uber, Airbnb, Nintendo and over 900 other services. Check passkeys.directory for the full live list.

How to set one up

  1. Go to your account security settings
     On Google: myaccount.google.com then Security then Passkeys. On Apple: Settings then Apple ID then Sign-In and Security then Passkeys. Most apps now have a Passkey option under Login and Security or Password and Authentication.
  2. Click Add passkey or Create passkey
     Your device will prompt you to confirm with Face ID, Touch ID, Windows Hello, or your PIN. The key pair is generated automatically. You do not need to pick or remember anything.
  3. The passkey syncs to your other devices automatically
     Apple syncs through iCloud Keychain. Google syncs through Google Password Manager. If you use 1Password or Dashlane, passkeys sync through those instead, which works across iOS, Android, Windows, and Mac.
  4. Next time you log in, just use biometrics
     No typing. The site detects your passkey and prompts Face ID or fingerprint. The whole login takes under 2 seconds. On a new device, you can approve it from a device that already has the passkey via QR code.

What passkeys do not fix

⚠️
Still your problem

Passkeys protect your login credentials. They do not protect data that was already stolen. If your email, phone number, or home address was exposed in a breach last year, that data is already out there. Passkeys will not pull it back. This is why monitoring your breach exposure is still essential even after switching to passkeys.

Passkeys also do not help if your device is compromised by malware that can intercept biometric approval. Keep your devices updated and avoid sideloading apps from unofficial sources.

They also do not help if you lose access to all your synced devices simultaneously. Always set up an account recovery contact or keep a physical hardware key like a YubiKey as a backup.

And they do not help if the app you care about does not support them yet. Banking apps are notoriously slow to adopt. Keep using strong unique passwords and a password manager for those services.

See if your old passwords are already exposed

Passkeys protect future logins. But your email and old passwords from past breaches are still floating around on the dark web. Check your exposure score free, no account required.

