A passkey is a way to sign in without a conventional password. Instead of a shared secret that you type into a website, it uses a cryptographic key pair. The private part remains on your device or in a protected credential manager, while the service stores the public part. You approve sign-in by unlocking the device with a PIN, fingerprint, or face recognition.
Why passwords are more vulnerable
A password can be reused, guessed, stolen from a database, or collected by a fake website. Even a complex password cannot protect you if you type it into a convincing phishing form.
A passkey is bound to a specific website or app. The browser and operating system verify the service address, so the key will not work on another domain. Google and Apple describe this as phishing resistance: a user cannot be persuaded to “enter” a passkey on a fraudulent site in the same way they can reveal a password.
How passkey registration works
- A website offers to create a passkey.
- Your device creates a unique cryptographic pair.
- The public key is sent to the service.
- The private key remains in protected storage.
- At the next sign-in, the service sends a cryptographic challenge.
- You approve the action by unlocking the device, and the private key signs the response.
Your fingerprint or face is not sent to the website. Biometrics only unlock the key locally. Depending on the device, you may use a PIN or unlock pattern instead.
Where a passkey is stored
A passkey can remain on one hardware security key or synchronize through an ecosystem’s credential manager. Apple, for example, describes end-to-end encrypted passkey synchronization through iCloud Keychain. Google Password Manager can make passkeys available across a user’s supported devices.
This is convenient, but it raises a practical question: How will you recover access if every device is lost? Before switching, check your recovery email, phone number, backup codes, and whether you can add a passkey on a second device.
Does the website receive your biometric data?
No. In the standard process, the website receives proof of a successful cryptographic operation, not a face image or fingerprint template. User verification happens on the device. Unlocking a banking app with your fingerprint does not mean that the fingerprint is transmitted to the bank, and the same principle applies here.
What to do if you lose your phone
Do not wait until a device is missing to learn how recovery works.
- Add a second trusted device or hardware key if the service permits it.
- Confirm that the recovery email and phone number are current.
- Store backup codes offline.
- Protect the password-manager or platform account with strong authentication.
- Enable remote locking or erasure for the phone.
- Do not remove your last familiar sign-in method until the passkey works on another device.
Some services retain the password as a fallback. That helps with recovery, but it also means overall security still depends partly on the old password and the recovery process.
Signing in on someone else’s computer
A supported service may let you approve sign-in with your phone, often after scanning a QR code and confirming that the devices are nearby. The private key is not copied to the other computer. When you finish, sign out and do not allow a public browser to retain local data.
Do passkeys work across Apple, Android, and Windows?
The standard is designed for cross-platform use, but portability depends on operating-system, browser, and credential-manager versions. Synchronization within one ecosystem is usually the simplest. Before completing a migration, test sign-in on every device you actually use.
Do not assume that a key will automatically appear everywhere. You may need to approve sign-in with a phone, import credentials through a supported process, or create an additional passkey.
Passkeys or two-factor authentication?
A passkey can prove possession of the key and verify the user locally, so some services do not ask for a separate SMS code. Implementation varies, however. Do not disable additional protection merely because you see the word “passkey.” Read the service’s explanation and make sure the recovery channels are protected too.
SMS codes are better than relying on one weak password, but they have their own risks. For important accounts, prefer a passkey, authenticator app, or hardware key when the service supports one.
A safer migration sequence
- Start with an important account that has a clear recovery process.
- Update the operating system and browser.
- Create a passkey on a personal device.
- Sign out and test signing in again.
- Test sign-in on a second device.
- Add a backup recovery method.
- Review active sessions and old devices.
Conclusion
A passkey removes the password’s central weakness: a secret that a user can reuse or hand to a phishing site. It does not remove the need to protect the device and recovery process. Also review our guide to recognizing AI phishing and voice cloning. The safest strategy is to migrate gradually, keep a second access method, and test the lost-phone scenario before you need it.

Join the conversation
Stay on topic and respect other readers. Your first comment may appear after editorial review.