What are passkeys, and why should you use them instead of passwords?
Summary:
Passkeys replace passwords with something safer that you never have to remember
They work with Face ID or Touch ID, so logging in is faster and much harder to fake
Apple syncs your passkeys automatically across all your devices through iCloud Keychain
Passkeys are phishing-resistant by design: scammers can't steal information you don't know
Hundreds of major websites already support them, including Google, Amazon, and Apple
The short version: Passkeys are replacing passwords, and they are faster to use and more secure. If you take nothing else away from this article: when a website offers to create a passkey, say yes. It's one of the best things you can do to protect your accounts and make phishing attacks much harder to pull off. If you want to understand how they work and why they matter, read on.
A client of mine was doing everything right. He had app-based two-factor authentication on his account: the kind where you open an authenticator app and type in a six-digit code. But the phishing site he landed on wasn't just collecting his password. It was passing his credentials to the real site in real time and relaying the 2FA code before it expired. His account was compromised anyway, despite doing exactly what he was supposed to do.
Passkeys are resistant to that kind of attack. The phishing site never gets a prompt it can relay, because your device only responds to the real one. Whether you've never heard of passkeys or aren't quite sure what they are, this is your guide.
What is a passkey, exactly?
Think of a passkey as a key that's been cut in two. When you create an account, your iPhone or Mac generates both halves: one stays locked inside your device, and the other goes to the website. Neither half works on its own. When you log in, the two halves come together and the door opens. You never have to hand your half to anyone, and the website's half is useless without yours.
There's nothing for you to remember, nothing for you to type. You look at your phone (Face ID) or touch the sensor (Touch ID), and you're in. If your face or fingerprint isn't recognized, your device passcode works too, so you're never locked out because your hands are damp or you're wearing sunglasses.
[Image: Side-by-side comparison showing the old username/password login flow vs. the passkey Face ID prompt]
Why are passkeys so much safer than passwords?
Passwords have two big problems. First, they can be stolen. When a website gets hacked, the list of passwords in its database can end up in the wrong hands. Second, they can be tricked out of you. A phishing scam works by pointing you toward a fake website that looks like the real one, and the password you type goes straight to whoever built the fake.
Passkeys solve both problems at once. Your half of the key is locked inside your device and never comes out, so a hacked website has nothing useful. And because your device checks the exact address of the site before it responds, a fake site gets no response at all, no matter how convincing the page looks.
Passkeys also beat the kind of attack that trips up even careful people. Some scam sites don't collect your password and stop there: they pass it to the real site in real time and ask for your two-factor code too, all before you realize anything is wrong. With a passkey, none of that works. A fake address gets no response from your device at all.
Studies have shown that 81% of data breaches involve stolen or weak passwords. Passkeys make that entire category of attack irrelevant for any account that uses them.
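The key pair and address check described above, as an added example that is not part of the original article: a simplified Node.js model of a passkey sign-in in which the device gives a lookalike site no response and the website rejects a response made for an earlier challenge. The site names, function names and reduced message layout are assumptions for illustration; real passkeys use the full WebAuthn format.

```javascript
// Added example: simplified passkey (WebAuthn-style) sign-in, not a full implementation.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device keeps the private key; the website stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, server: { rpId, publicKey } };
}

// Device side: the browser reports the origin it is really on. The passkey is
// only used if that origin's host belongs to the site it was created for.
function deviceRespond(deviceCred, origin, challenge) {
  const host = new URL(origin).hostname;
  const sameSite = host === deviceCred.rpId || host.endsWith('.' + deviceCred.rpId);
  if (!sameSite) return null; // lookalike site: no response at all
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = sha256(deviceCred.rpId); // real authenticator data also has flags and a counter
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), deviceCred.privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: check challenge, origin and site hash before trusting the signature.
function verifyAssertion(serverCred, expectedOrigin, expectedChallenge, a) {
  if (!a) return false;
  const clientData = JSON.parse(a.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return false;
  if (clientData.challenge !== expectedChallenge) return false; // stale or replayed
  if (clientData.origin !== expectedOrigin) return false;       // signed for another address
  if (!a.authData.equals(sha256(serverCred.rpId))) return false;
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, serverCred.publicKey, a.signature);
}

// Constructed sample values: bank.example is the real site, bank-example.test the lookalike.
function demo() {
  const { device, server } = createPasskey('bank.example');
  const challenge = crypto.randomBytes(32).toString('base64url');
  const real = deviceRespond(device, 'https://bank.example', challenge);
  const fake = deviceRespond(device, 'https://bank-example.test', challenge);
  return {
    realSiteLogin: verifyAssertion(server, 'https://bank.example', challenge, real),
    lookalikeGotResponse: fake !== null,
    replayWithNewChallenge: verifyAssertion(server, 'https://bank.example', 'a-later-challenge', real),
  };
}
console.log(demo());
```

Unlike a six-digit code, the signed response names the address it was made for and the one-time challenge it answers, so a copy passed along later or from elsewhere fails the website's checks.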
How do you create a passkey?
There are two ways, depending on the website.
The first: some sites will offer to create a passkey automatically when you log in. You'll see a prompt saying something like "Do you want to save a passkey?" or "Sign in faster next time with a passkey." Say yes. It takes about three seconds and you're done.
The second requires a bit of hunting: some sites don't prompt you automatically. The setting is usually in the same place you'd go to change your password, often under Security, Password, or Account Settings. Look for a section labeled "Passkeys" or "Sign-in methods." Once you find it, tap to create one, authenticate with Face ID, Touch ID, or your passcode, and it's saved.
Either way, your iPhone or Mac will display a prompt to save the passkey to Apple Passwords. Tap "Continue," authenticate, and it's done.
A few things to know before you start:
iCloud Keychain needs to be turned on. On your iPhone, go to Settings > [your name] > iCloud and make sure Passwords & Keychain is enabled.
Two-factor authentication must be active on your Apple account. This is required for passkey syncing and almost certainly already on if your account is set up normally.
Keep your password as a backup. Passkeys are new, and occasionally a site's passkey implementation has bugs. It's not unusual to need your password as a fallback while things get smoothed out.
How does Apple keep your passkeys available across all your devices?
This is where Apple users genuinely have an advantage. One common concern about passkeys is: "What happens if I lose my phone?" With Apple, the answer is: nothing, because your passkeys aren't only on your phone.
Passkeys sync automatically through iCloud Keychain, end-to-end encrypted with keys that even Apple cannot read. If you lose one device, your passkeys are already on your others. If you lose everything, recovery is still possible through Apple's escrow system as long as you know your Apple ID password and device passcode, or have set up a recovery contact in advance.
Do passkeys work on non-Apple devices?
Yes. Passkeys are an open standard backed by Apple, Google, and Microsoft, which means they work across iPhone, Android, Windows, and all major browsers.
If you need to log in on a Windows computer, an Android phone, or a library computer, your iPhone can handle the authorization. When you click the sign-in button on the other device, look for an option that says something like "Use a passkey from another device" or "Use a different device." Choosing that option displays a QR code on the screen. Point your iPhone camera at it, follow the prompt, and authenticate with Face ID, Touch ID, or your passcode. The site logs you in.
Two things need to be true for this to work: the browser on the other computer needs to be reasonably up to date, and both the computer and your iPhone need to have Bluetooth turned on. Bluetooth is what confirms your phone is physically nearby. Your passkey never transfers to the other device; it stays on your iPhone the entire time.
Unlike passwords stored in Apple Passwords, which historically only autofilled in Safari, passkeys work in any browser on your Mac. If you prefer Firefox, Chrome, or Brave, your passkeys are right there.
Apple Passwords is the focus here, but passkeys are also supported by third-party managers like 1Password and LastPass, which have the added benefit of syncing across Windows and Android without needing your iPhone as a go-between.
Which websites already support passkeys?
Adoption has grown quickly since Apple, Google, and Microsoft all backed the same standard. As of early 2026, major names include:
Finance:
Chase
Coinbase
Experian
PayPal
Robinhood
Wells Fargo
Health:
CVS
MyChart
Travel:
Flying Blue (Air France/KLM)
Hyatt
Qantas
Tech and productivity:
ChatGPT
Dropbox
GitHub
Notion
Nvidia
Square
Stripe
Accounts you probably use every day:
AOL
Apple (iCloud, App Store, Apple ID — a passkey is created automatically for every Apple Account)
Google (Gmail, Google Drive, YouTube)
Microsoft (Outlook, OneDrive, Microsoft 365)
Yahoo
Social and communication:
LinkedIn
Meta (covers Facebook and Instagram — passkey support has been rolling out, but it doesn't appear to be available to all users yet. If you don't see the option in your account settings, it may not have reached you)
Snapchat
Telegram
TikTok
WhatsApp
X (formerly Twitter)
Shopping and services:
Amazon
Best Buy
eBay
Ring
Target
Ticketmaster
Uber
Walmart
Not every site supports passkeys yet, but the list grows regularly. When a site you use offers to create a passkey, take it.
Why does the login experience feel different from site to site?
Passkeys don't behave identically everywhere. The underlying technology is the same, but each website decides for itself how much trust to place in it.
Some sites treat a passkey as fully two-factor on its own. The reasoning is sound: you have your device (something you have) and you unlocked it with your passcode or face (something you know or are). That's two factors by definition, so they let you straight in. Google is a good example of this.
Other sites accept the passkey but still want a second confirmation, usually a code sent by text message or generated by an authenticator app. And some older sites use the passkey only as a replacement for your second factor, still asking for your password first.
If a site you use still asks for a code after your passkey, that's the site being conservative, not a sign that anything went wrong.
The long-term goal is for sites to let you remove your password entirely. No password means nothing to steal, guess, or phish. That's the direction the industry is moving, and the number of sites offering it will grow as adoption matures.
For now, passkeys are always an improvement over passwords alone.
Can you set up more than one passkey on an account?
Most websites allow it. The most common reason is sharing access with another person: a spouse, a caregiver, or an adult child who helps manage your accounts can create their own passkey on their own device, rather than everyone sharing the same password. Each person authenticates with their own face or fingerprint, and you can revoke individual passkeys without affecting anyone else.
One important warning: only do this with someone you fully trust. A person with a passkey to your account has the same access you do, including the ability to change settings, make purchases, or remove your passkey and lock you out. Treat it the same way you'd treat handing someone a key to your house.
If you both use Apple's Passwords app, there's a seamless option: shared password groups. You can create a group in the Passwords app, add another person's Apple ID, and any passkeys or passwords in that group are available to both of you automatically.
Common mistakes to avoid
Dismissing the passkey prompt when a site offers to create one. It takes about three seconds and makes that account significantly harder to compromise. Do it.
Thinking a passkey means your account is invincible. A passkey makes your account significantly harder to compromise, but as long as a password still exists on the account, it can still be targeted. Keep your password strong and unique, and keep your devices protected with a strong passcode.
Leaving weaker sign-in methods in place once a passkey is set up. Once you have a passkey working and your recovery options confirmed, consider removing text message codes and authenticator app codes as backup sign-in methods. Google and Microsoft both allow this. It closes the exact vulnerability my client ran into: a scam site that relays your credentials in real time can't steal a code that's no longer part of your login. Just make sure your passkeys are syncing reliably and you have a recovery contact or know your Apple ID password and device passcode before you remove anything.
Key takeaways
When a site offers to create a passkey, say yes
Go to Settings > [your name] > iCloud and confirm that Passwords & Keychain syncing is enabled on each Apple device
Set a strong passcode on your iPhone and Mac, since it's part of what protects your passkeys
Check passkeys.directory to see if sites you use regularly already support them
Keep your passwords for now: passkeys complement rather than completely replace them while adoption catches up
If you'd like help setting up passkeys or reviewing whether your accounts are as secure as they should be, I offer one-on-one sessions in San Francisco, Washington DC, and via Zoom. Book a session and we can go through it together at your pace.