Passkeys are the most significant change in authentication in over a decade. They replace traditional passwords with cryptographic key pairs stored on your device and unlocked with biometrics or a device PIN. No more remembering passwords. No more phishing. No more credential stuffing.
How passkeys work
When you create a passkey for a website, your device generates a unique cryptographic key pair. The private key stays on your device (secured by your fingerprint, face, or PIN). The public key is sent to the website and stored with your account. When you log in, the website sends a fresh random challenge, your device signs it with the private key once you have unlocked it, and the website verifies the signature with your stored public key.
You never type a password. You never see a code. You just authenticate with your fingerprint or face, the same way you unlock your phone.
Why passkeys are more secure than passwords
- Phishing-resistant: Passkeys are bound to the specific website domain, and the browser (not you) reports which domain is asking. A fake login page on a lookalike domain cannot trick your device into using a passkey meant for the real site.
- No shared secrets: Unlike passwords, the private key never leaves your device. The server stores only the public key, which is useless for logging in if it is stolen.
- No reuse: Each passkey is unique to one service. A breach at one site does not affect your other accounts.
- No credential stuffing: Attackers cannot try leaked passwords from other breaches because there are no passwords to leak.
Which services support passkeys
As of late 2024, passkey support is growing rapidly:
- Google: Full passkey support for all Google accounts. A passkey can be used as the primary login method.
- Apple: Passkeys synced across all Apple devices via iCloud Keychain. Works in Safari and apps.
- Microsoft: Passkey support for Microsoft accounts and Windows Hello integration.
- GitHub: Passkeys as a primary authentication method.
- PayPal, eBay, Best Buy, Kayak: Consumer services adding passkey support.
- 1Password, Dashlane, Bitwarden: Password managers that can store and manage passkeys cross-platform.
Check passkeys.directory for an up-to-date list of services that support passkeys.
How to set up passkeys
The process varies by platform but generally follows these steps:
- Go to the security settings of a supported service (e.g., myaccount.google.com).
- Look for "Passkeys" or "Sign-in methods" and select "Create a passkey."
- Your device will prompt you to verify with biometrics (fingerprint/face) or your device PIN.
- The passkey is created and stored on your device.
- Next time you log in, choose "Sign in with a passkey" and authenticate with biometrics.
Cross-device considerations
Passkeys created on Apple devices sync across your Apple ecosystem via iCloud Keychain. Google syncs passkeys across Android devices via Google Password Manager. For cross-platform use (e.g., using an Android passkey to log into a website on a Mac), you can use a QR code to authenticate via your phone.
Password managers like 1Password and Bitwarden can store passkeys and make them available across all platforms, which solves the cross-ecosystem problem.
Limitations and trade-offs
- Not yet universal. Many services still only support passwords. You will need passwords for a while yet.
- Recovery can be tricky. If you lose all your devices and your passkeys were not synced to a cloud service or password manager, you will have to fall back on the service's traditional account-recovery process.
- Shared accounts are harder. Passkeys are tied to individual devices/accounts, which complicates shared logins.
- Enterprise adoption is slow. Many workplace applications do not yet support passkeys.
What to do now
Start by creating passkeys for your most important accounts: Google, Apple, Microsoft, and your password manager. Keep your existing passwords and 2FA as backup methods until passkeys are fully established. Over time, as more services adopt passkeys, passwords will become the fallback rather than the primary method.
Passkeys are not a future concept. They are available now, they are easier than passwords, and they are meaningfully more secure. There is no reason not to start using them today on the services that support them.