Passwords have been with us for 60 years, and for all of that time they have been hacked, forgotten, and lost. Passkeys are the technology that will finally replace passwords. Let's look at how they work and why you should switch now.
What Are Passkeys
How They Work
A passkey is a cryptographic key stored on your device:
REGISTRATION:
Device creates key pair
├── Private key → stored on device (never leaves)
└── Public key → sent to server
LOGIN:
Server sends challenge
└── Device signs with private key
└── Server verifies with public key
└── Login complete
How They Differ From Passwords
| Passwords | Passkeys |
|---|---|
| Stored on server (hash) | Server only knows public key |
| Can be stolen in breach | Nothing to steal - private key on device |
| Can be guessed | Cryptographically impossible |
| Can be phished | Bound to domain - phishing impossible |
| Must remember | Device biometrics or PIN |
Technology Under the Hood
Passkeys are built on standards:
- FIDO2: authentication protocol
- WebAuthn: web API for browsers
- CTAP2: authenticator communication protocol
Why Passkeys Are Safer
Password Problems
- Database breaches: billions of passwords publicly available
- Phishing: fake sites collect passwords
- Reuse: same password on dozens of sites
- Weak passwords: “123456” is still among the top passwords in use
- Social engineering: “security team” asks for password
How Passkeys Solve Problems
| Problem | Solution |
|---|---|
| Database breach | Public key useless without private |
| Phishing | Passkey verifies domain - won’t work on fake site |
| Reuse | Unique key for each site automatically |
| Weak passwords | Cryptographic key, not human-created |
| Social engineering | Nothing to share - biometrics not transmitted |
How Passkey Login Works
User Experience
- Open website
- Click “Login”
- Biometric prompt appears (Face ID, Touch ID, Windows Hello)
- Confirm - you’re in
Time: 2-3 seconds instead of typing password + 2FA.
What Happens Under the Hood
1. Site: "Here's a challenge, sign it"
2. Browser: "There's a passkey for this domain"
3. OS: "Confirm identity with biometrics"
4. You: *place finger*
5. Device: *signs challenge with private key*
6. Site: *verifies signature with public key*
7. Done - you're authenticated
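The registration and login flow above (and the domain binding from the comparison table), as an added Node.js example that is not part of the original article. It is a simplified model of the WebAuthn sign/verify step, not a full implementation; the `Authenticator` class, `verifyAssertion`, `demo` and the `shop.example` / `shop-example.test` origins are constructed for illustration.

```javascript
// Added example: simplified WebAuthn-style model; origins and names are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require("node:crypto");
const sha256 = (data) => createHash("sha256").update(data).digest();
// Authenticator: one key pair per relying-party ID (domain); private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public key is sent to the server
  }
  assert(origin, challenge) { // `origin` is supplied by the browser, not by the page
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this domain
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    // rpIdHash (32 bytes) + flags (user present | user verified) + 4-byte signature counter
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: sign("sha256", signed, privateKey) };
  }
}

// Server: holds only the public key and the challenge it issued for this login.
function verifyAssertion(a, { publicKey, expectedOrigin, rpId, issuedChallenge }) {
  if (!a) return "no-credential";
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== issuedChallenge.toString("base64url")) return "bad-challenge";
  if (client.origin !== expectedOrigin) return "bad-origin";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rpId))) return "bad-rp-id";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad-signature";
}

function demo() {
  const device = new Authenticator();
  const server = { rpId: "shop.example", expectedOrigin: "https://shop.example",
                   publicKey: device.register("shop.example") };
  const [c1, c2] = [randomBytes(32), randomBytes(32)];
  const check = (a, issuedChallenge) => verifyAssertion(a, { ...server, issuedChallenge });
  const good = device.assert("https://shop.example", c1);
  const edited = good.clientDataJSON.toString().replace(c1.toString("base64url"), c2.toString("base64url"));
  return {
    legit: check(good, c1),                                               // "ok"
    lookalike: check(device.assert("https://shop-example.test", c1), c1), // "no-credential"
    replay: check(good, c2),                                              // "bad-challenge"
    tampered: check({ ...good, clientDataJSON: Buffer.from(edited) }, c2), // "bad-signature"
  };
}
```

Calling `demo()` returns one verdict per case: the genuine login verifies, the look-alike origin finds no key to sign with, an old assertion fails against a fresh challenge, and editing the signed client data breaks the signature.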
Where You Can Use Passkeys
Supporting Services (2026)
| Service | Status |
|---|---|
| ✅ Full support | |
| Apple | ✅ Full support |
| Microsoft | ✅ Full support |
| GitHub | ✅ Full support |
| PayPal | ✅ Supported |
| eBay | ✅ Supported |
| Best Buy | ✅ Supported |
| Kayak | ✅ Supported |
| 1Password | ✅ Stores passkeys |
| Bitwarden | ✅ Stores passkeys |
Constantly Growing List
The site passkeys.directory tracks support: already 100+ services.
Setting Up Passkeys
Apple (iPhone, iPad, Mac)
Requirements: iOS 16+ / macOS Ventura+ / Safari or Chrome
Creating:
- Open site with passkey support
- Registration or Settings → Security → Passkeys
- “Create passkey”
- Confirm with Face ID / Touch ID
- Done - passkey saved in iCloud Keychain
Sync: Automatically between Apple devices via iCloud.
Google (Android, Chrome)
Requirements: Android 9+ / Chrome 109+
Creating:
- Open site
- Security settings → Passkeys
- “Create passkey”
- Confirm with fingerprint or PIN
- Passkey saved in Google Password Manager
Sync: Between Android devices and Chrome via Google account.
Windows (Windows Hello)
Requirements: Windows 10/11 with Windows Hello (fingerprint, face, or PIN)
Creating:
- Open site in Edge or Chrome
- Create passkey
- Confirm with Windows Hello
- Passkey saved locally or in password manager
Sync: Via 1Password, Bitwarden, or other manager with passkey support.
Password Managers
1Password:
- Stores passkeys alongside passwords
- Sync across all platforms
- Browser autofill
Bitwarden:
- Free passkey storage
- Cross-platform
- Open source
Passkeys Across Devices
Scenario: iPhone at Home, Windows at Work
Option 1: Cross-platform manager
- Use 1Password or Bitwarden
- Passkeys available everywhere
Option 2: QR code login
- On Windows click “Login with passkey”
- Select “Use another device”
- Scan QR code with iPhone
- Confirm with Face ID
- You’re logged in on Windows
Hardware Keys
YubiKey and other FIDO2 keys work as passkeys:
- Connect to USB or tap NFC
- Press button on key
- Login complete
Pros: Works everywhere, not ecosystem-dependent.
Passkeys vs Other Methods
Comparison
| Method | Security | Convenience | Phishing Protection |
|---|---|---|---|
| Password | ★★☆☆☆ | ★★★☆☆ | ★☆☆☆☆ |
| Password + SMS | ★★★☆☆ | ★★★☆☆ | ★★☆☆☆ |
| Password + TOTP | ★★★★☆ | ★★★☆☆ | ★★☆☆☆ |
| Password + key | ★★★★★ | ★★★☆☆ | ★★★★★ |
| Passkey | ★★★★★ | ★★★★★ | ★★★★★ |
Passkey vs TOTP
| TOTP | Passkey |
|---|---|
| Must enter code | One tap/glance |
| 30 seconds to enter | Instant |
| Can enter on phishing site | Automatic domain check |
| Separate app | Built into device |
Passkey vs Hardware Key
| Hardware Key | Passkey |
|---|---|
| Must carry with you | On device |
| Can lose | Syncs to cloud |
| Works everywhere | Ecosystem-dependent |
| ~$25-50 | Free |
What If You Lose Your Device
Backup Methods
- Cloud sync: passkeys on other devices
- Recovery codes: services provide during setup
- Second passkey: on another device or hardware key
- Account recovery: via email, phone
Recommendations
- Create passkey on multiple devices
- Save recovery codes (in password manager)
- Add hardware key as backup
- Don’t delete password yet - keep as fallback
Passkey Limitations
Current Issues
- Not all sites support passkeys: about 100 services so far
- Ecosystems separated: Apple passkey doesn’t work natively on Android
- Corporate restrictions: MDM may block
- Old devices: need modern OS
Solutions
| Problem | Solution |
|---|---|
| Low support | Use passkeys where available; for the rest, password + 2FA |
| Different ecosystems | Cross-platform password manager |
| Old devices | Hardware FIDO2 key |
Switching to Passkeys: Plan
Step 1: Start with Main Accounts
- Google account: enable passkey in security settings
- Apple ID: automatic when updating to iOS 17+
- Microsoft: account settings → Security
Step 2: Critical Services
- GitHub: for developers
- PayPal: finances
- Password manager: if supported
Step 3: Everything Else
- Check security settings on each site
- Enable passkey where available
- Keep password as backup (don’t delete)
Implementation Checklist
Preparation
- Device updated to latest OS
- Biometrics configured (Face ID, Touch ID, Windows Hello)
- Have password manager for cross-platform
Critical Accounts
- Google passkey created
- Apple passkey created (automatic)
- Microsoft passkey created
Backup
- Passkey on multiple devices
- Recovery codes saved
- Password not deleted (just in case)
Summary
Passkeys aren’t an experiment - they’re a standard adopted by Apple, Google, and Microsoft simultaneously. The technology is ready for use: safer than passwords, more convenient than 2FA, impossible to phish.
Start with one account today. Google or Apple - both support it. In a year, passkeys will be everywhere.
Passkeys protect accounts, Tainet protects the connection. Together - security at all levels: from credentials to network traffic.