Passkeys Explained

What passkeys are, how they replace passwords, and how to set them up on your devices

Passkeys are a replacement for passwords. Instead of typing a password, you unlock your account with the same thing you use to unlock your phone – your fingerprint, face, or screen lock PIN. They're faster to use, impossible to phish, and you never have to remember or type anything.

A passkey is a pair of cryptographic keys: one stored on your device (the private key) and one stored by the website (the public key). When you sign in, the website sends a one-time challenge, you unlock the private key with biometrics or your device PIN, and your device signs the challenge to prove it holds that key. The website never sees your fingerprint or face – it just confirms the cryptographic handshake by checking that signature against the public key. This is based on the FIDO2/WebAuthn standard, backed by Apple, Google, and Microsoft.

Why passkeys are better than passwords

  • No phishing: Passkeys are tied to the real website. A fake login page can't intercept them because the cryptographic exchange only works with the legitimate domain
  • Nothing to remember: No passwords, no "forgot password" flows, no resets
  • No reuse risk: Each passkey is unique to one site. A breach at one company doesn't affect your other accounts
  • No two-factor codes: Passkeys replace both the password and the second factor. The biometric check on your device is the second factor
  • Faster sign-in: Tap the passkey prompt, scan your face or fingerprint, done
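
The sign-in exchange and the "No phishing" point above, as an added Node.js example that is not part of the original article: the device signs the WebAuthn data (authenticator data plus the hash of the client data), and the site checks challenge, origin and signature. The names example.com, deviceSign, serverVerify and the lookalike host are constructed for illustration; real WebAuthn messages carry more fields.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

const RP_ID = 'example.com';           // constructed site identifier (assumption)
const ORIGIN = 'https://example.com';  // the only origin the site accepts

// Registration: the device keeps the private key, the site stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device and browser. The browser, not the page, records the origin, and a
// passkey is only offered when the page's host matches the site it was made for.
function deviceSign(pageOrigin, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== RP_ID && !host.endsWith('.' + RP_ID)) return null; // no passkey here
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin }));
  // authData = SHA-256(site id) | flags (0x05: user present + verified) | counter
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Website. Checks what was signed before trusting the signature itself.
function serverVerify({ clientData, authData, signature }, expectedChallenge) {
  const c = JSON.parse(clientData.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'wrong type';
  if (c.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (c.origin !== ORIGIN) return 'wrong origin';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong site id';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function runScenarios() {
  const first = crypto.randomBytes(32), second = crypto.randomBytes(32);
  const genuine = deviceSign(ORIGIN, first);
  // An old response edited to carry the new challenge no longer matches its signature.
  const edited = { ...genuine, clientData: Buffer.from(genuine.clientData.toString()
    .replace(first.toString('base64url'), second.toString('base64url'))) };
  return {
    genuine: serverVerify(genuine, first),
    lookalike: deviceSign('https://example.com.login-check.test', first),
    replayed: serverVerify(genuine, second),
    edited: serverVerify(edited, second),
  };
}

console.log(runScenarios());
```

A response captured on one sign-in is rejected on the next because the challenge changes each time, and the site's stored public key can only check signatures, never create them.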

How passkeys sync across your devices

Passkeys sync through your platform's cloud account, so you don't lose them if you lose a device:

  • Apple devices: Passkeys sync via iCloud Keychain across your iPhone, iPad, and Mac. All devices signed into the same Apple Account get the same passkeys automatically
  • Android/Chrome: Passkeys sync via Google Password Manager across your Android phone, tablet, and Chrome browser on any platform
  • Windows: Passkeys saved to Windows Hello stay on that device. Microsoft is rolling out sync through your Microsoft account. You can also save passkeys to your phone and use them on Windows via a QR code

If you use devices across ecosystems (say an iPhone and a Windows laptop), you can sign in on the laptop by scanning a QR code with your phone. The phone does the biometric check and authorizes the sign-in over Bluetooth.

Setting up passkeys on Apple

  1. Make sure your devices are on iOS 16 or later and macOS Ventura or later
  2. Go to Settings > [your name] > iCloud > Passwords and confirm iCloud Keychain is on
  3. Go to a site that supports passkeys (like google.com or amazon.com) and look for a passkey option in your account security settings
  4. Follow the prompts – you'll usually see Create a passkey or Add a passkey
  5. Authenticate with Face ID, Touch ID, or your device passcode
  6. The passkey is saved to iCloud Keychain and available on all your Apple devices

Next time you sign in, the site will offer the passkey. Tap it, authenticate with biometrics, and you're in.

Setting up passkeys on Google / Android

  1. Make sure your phone is on Android 9 or later (Android 14+ recommended for the best experience)
  2. Open Settings > Google > Manage your Google account > Security
  3. Under How you sign in to Google, tap Passkeys and security keys, then Create a passkey
  4. Authenticate with your fingerprint, face, or screen lock
  5. The passkey is saved to Google Password Manager and syncs to your other Android devices and Chrome

For other websites, look for passkey options in each site's security settings. Chrome on desktop will also offer to save passkeys to Google Password Manager.

Setting up passkeys on Microsoft / Windows

  1. Go to account.microsoft.com and sign in
  2. Navigate to Security > Advanced security options
  3. Under Ways to sign in, click Add a new way to sign in and choose Face, fingerprint, PIN, or security key
  4. Follow the Windows Hello prompts to set up your passkey with your face, fingerprint, or PIN
  5. The passkey is saved to your Windows device

Microsoft made passkeys the default sign-in method for new accounts in 2025. For existing accounts, you can remove your password entirely once you've set up a passkey.

Which services support passkeys

Passkeys are supported by a growing number of services. Some of the major ones:

  • Tech accounts: Google, Apple, Microsoft, Amazon, eBay, PayPal
  • Password managers: 1Password, Bitwarden, Dashlane (these can also store passkeys from other sites)
  • Social: GitHub, X (Twitter), LinkedIn, TikTok
  • Finance: Some banks are starting to adopt passkeys, though coverage varies
  • Other: Best Buy, Kayak, Nvidia, Adobe, Nintendo, PlayStation, Shopify stores

The list is expanding rapidly. If you visit a site and see a "sign in with a passkey" option during login, go for it. You can check passkeys.directory for a community-maintained list of supported services.

Using a passkey on someone else's device

You don't need your passkey stored on every device. When signing in on a borrowed computer or a new device:

  1. Choose the passkey sign-in option
  2. Select Use a phone or tablet (or similar – the exact wording varies by browser)
  3. A QR code appears on screen
  4. Scan it with your phone's camera
  5. Authenticate with your biometrics on your phone
  6. The computer signs you in without your passkey ever leaving your phone

This works because the authentication happens on your phone over Bluetooth. The borrowed device never gets your passkey.

What if I lose my phone

Your passkeys are backed up to the cloud (iCloud Keychain, Google Password Manager, or your password manager). Getting a new device and signing into the same account restores all your passkeys. This is the same way your passwords and apps restore when you set up a new phone.

If you lose access to your cloud account entirely, you'll need to use each service's account recovery process – just like if you forgot your password. Set up recovery options (backup email, recovery phone number) on your important accounts as a safety net.

Frequently Asked Questions

Do passkeys replace two-factor authentication?

Yes. A passkey combines something you have (your device) with something you are (your biometric) or something you know (your PIN). That covers two factors in one step. You don't need a separate authenticator app or SMS code when using a passkey.

Can I still use my password after setting up a passkey?

Usually yes. Most services keep your password as a fallback when you first add a passkey. You can remove the password later on services that allow it (Google and Microsoft both offer this). Keeping the password temporarily is fine while you get comfortable with passkeys.

What happens if biometrics don't work – like a wet finger?

You can always fall back to your device PIN or passcode. Passkeys don't require biometrics specifically – they require your device's screen lock method, which includes PIN, pattern, or password.

Are passkeys stored on the website's server?

No. The website only stores a public key, which is useless without your private key. Even if the website gets hacked and the public keys are leaked, attackers can't sign into your account. This is fundamentally different from passwords, where a breach exposes the actual credential.

Should I delete my passwords after setting up passkeys?

Not yet. Keep your passwords around until you're confident the passkey works everywhere you need it. Over time, as you add passkeys to more services and get comfortable, you can remove passwords from sites that support passkey-only sign-in.