What Are Passkeys? Passwordless Login Explained

A passkey lets you sign in to an app or website with the same thing you use to unlock your phone — a fingerprint, face scan, or PIN — instead of a password. There’s nothing to type, remember, or leak, and passkeys are resistant to phishing by design. Here’s what they are and how they work.

Reviewed and kept current by the Coppers.io editorial team — see how we research.

What is a passkey?

A passkey is a modern, passwordless login credential built on the FIDO2 / WebAuthn standards from the FIDO Alliance and W3C. Instead of a shared secret you type in (a password), a passkey uses a pair of cryptographic keys — the same public-key cryptography that secures HTTPS.

When you create a passkey for a site, your device generates two linked keys:

  • A private key that never leaves your device (stored in secure hardware).
  • A public key that’s registered with the website.

You authenticate by unlocking the private key with your biometric or PIN — the secret itself is never sent anywhere.

How passkeys work

Signing in with a passkey takes one tap:

  1. The site sends your device a one-time challenge.
  2. Your device asks you to confirm with a fingerprint, face scan, or PIN.
  3. It signs the challenge with your private key and sends back the signature.
  4. The site verifies it with your stored public key — and you’re in.

Because the private key never leaves your device and nothing reusable is transmitted, there’s no password for an attacker to steal, guess, or trick out of you.

Passkeys vs. passwords

| | Password | Passkey |
|---|---|---|
| What it is | A secret you type | A key pair on your device |
| Phishing | Vulnerable — can be tricked out of you | Resistant — bound to the real site |
| Data breaches | Stored secrets can be stolen | Nothing reusable to steal |
| Reuse risk | People reuse passwords everywhere | Unique per site automatically |
| To sign in | Type (and often a 2FA code) | One fingerprint/face/PIN |

Why passkeys are more secure

  • Phishing-resistant. A passkey is tied to the exact website domain it was created for, so it simply won’t work on a lookalike phishing page.
  • Nothing to breach. A site only stores your public key, which is useless to an attacker on its own.
  • No reuse or weak passwords. Every passkey is unique and strong by default — no human habits to exploit.
  • Built-in two-factor. A passkey combines something you have (your device) with something you are (biometric), so it’s strong authentication in a single step.

How to use passkeys

Passkeys are widely supported across Apple, Google, and Microsoft accounts and a fast-growing list of websites. In practice:

  • Create one when a site offers it — you’ll just confirm with your biometric.
  • They sync across your devices through your platform (iCloud Keychain, Google Password Manager) or a dedicated password manager like 1Password or Bitwarden, which now store passkeys across platforms too.
  • Sign in anywhere with a fingerprint, face scan, or PIN — even by scanning a QR code with your phone on a device that isn’t yours.

This is also why passkeys and password managers go hand in hand — see how password managers work for the vault that increasingly holds them.

The current state (and limits)

Passkeys are ready for everyday use, but the rollout is still in progress: not every website supports them yet, and moving passkeys between ecosystems (say, Apple to Google) is improving but not seamless. Account-recovery flows also vary by provider. The good news — you don’t have to switch all at once; add passkeys where they’re offered and keep strong passwords (in a manager) elsewhere.

The bottom line

Passkeys replace the password’s biggest weaknesses — phishing, reuse, and breaches — with a one-tap login secured by your device and your fingerprint or face. They’re the most significant login upgrade in years. Start using them wherever they’re offered, and let a password manager handle the rest.

FAQs

  • It's a passwordless way to sign in using your device plus a fingerprint, face scan, or PIN. Instead of a typed secret, it uses a cryptographic key that stays on your device, so there's nothing to remember or leak.
  • Yes. Passkeys are phishing-resistant (they only work on the genuine site), can't be reused or guessed, and leave nothing reusable for attackers to steal in a data breach. They also combine your device and biometric into built-in two-factor security.
  • Eventually they could, but not yet — support is still rolling out across websites. For now, use passkeys where they're offered and keep strong, unique passwords (in a password manager) for everything else.
  • The private key is stored securely on your device and synced across your devices through your platform (such as iCloud Keychain or Google Password Manager) or a password manager like 1Password or Bitwarden. The website only stores your public key.
  • Because passkeys sync to the cloud through your platform or password manager, you can restore them on a new device after signing back into your account. Set up account recovery in advance, and keep more than one device or a backup method where possible.