I haven’t used my password in the last few months to sign into my Google and Microsoft accounts. Instead, when I need to log in, I enter my email address and, when prompted, type my Windows PC’s PIN. As I enter the correct PIN, I’m in without the need to enter the long password.
This passwordless sign-in is what passkeys offer, but with better security than conventional passwords that can be stolen or phished, and are a hassle to remember and use. I’ve replaced my passwords with passkeys and am glad I made the switch.
What is a passkey, and how is it better than a password?
Understanding the cryptographic handshake
A passkey is a sign-in credential that uses public key cryptography instead of a memorized string of characters. When you create a passkey for a website, your device generates two mathematically linked keys. The public key goes to the service you’re signing up for, while the private key is stored in your device’s secure hardware, such as the TPM chip behind Windows Hello or your phone’s secure enclave.
The magic of passkeys is that they can’t be tricked, as they only work on the sites they are bound to. Even if you accidentally land on a phishing site that looks exactly like Gmail, your device won’t use the passkey because it knows this isn’t the real accounts.google.com. The login simply fails, and there is no password or other credential to phish.
Passkeys fix two issues with typing passwords manually. First, they verify that you are on the genuine site by checking the domain before the key is used, so phishing attempts fail. Second, they never reveal a reusable password, only a one-time cryptographic signature that proves it’s really you.
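The handshake described above, as an added example that is not code from the original article: a Node.js simulation of both the device and the server side of a passkey sign-in. The domains, the function names and the simplified subdomain rule are assumptions made for illustration; real browsers and authenticators do this through the WebAuthn API.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: key pair bound to one site (rpId); the service stores only publicKey.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device side: sign the server's challenge, but only on the passkey's own site.
function signIn(passkey, origin, challenge) {
  const host = new URL(origin).hostname;
  // Simplified binding rule (assumption): host must equal rpId or be a subdomain of it.
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpId hash, flags (user present + verified), 4-byte signature counter
  const authenticatorData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05, 0, 0, 0, 0])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, passkey.privateKey) };
}

// Server side: accept only a fresh signature made on this site with the registered key.
function verifySignIn(response, expected) {
  if (!response) return false;
  const client = JSON.parse(response.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return false;
  if (client.challenge !== expected.challenge.toString('base64url')) return false; // replay
  if (client.origin !== expected.origin) return false;                             // wrong site
  if (!response.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([response.authenticatorData, sha256(response.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, response.signature);
}

// Constructed scenario: example.com is the real service, the .test host is a look-alike.
function demo() {
  const passkey = createPasskey('example.com');
  const expected = { rpId: 'example.com', origin: 'https://login.example.com',
    challenge: crypto.randomBytes(32), publicKey: passkey.publicKey };
  const genuine = signIn(passkey, expected.origin, expected.challenge);
  const lookAlike = signIn(passkey, 'https://login.example.com.signin.test', expected.challenge);
  const nextLogin = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifySignIn(genuine, expected),       // signed on the real site
    lookAlike: verifySignIn(lookAlike, expected),   // device never signed
    replayed: verifySignIn(genuine, nextLogin),     // old signature, new challenge
  };
}
console.log(demo());
```

The server never holds anything secret: a leaked copy of `publicKey` cannot produce a signature, and a captured signature is useless once the challenge changes.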
Passkeys are safe even if you lose your device
Multiple keys for the same account
What confuses many people about passkeys is what happens when you lose a device. The important thing to know is that losing a phone or laptop doesn’t lock you out, because each device stores its own unique passkey for your account. If you lose your phone, you can still sign in from another device with its own passkey, or fall back to your account password if needed.
If someone steals your laptop or phone, they can’t use your passkeys without first unlocking the device with your biometric or PIN. Plus, you can see all your registered passkeys in your account settings and revoke any that belong to lost or stolen devices.
When you eventually get a new device, you create a fresh passkey on it for each of your accounts. Sign in using another trusted device or a backup method like your password, then add the new device’s passkey.
How to create and store passkeys
Setting up on different platforms
For passkeys to work on your Windows computer, you need to enable Windows Hello. If you are already using a PIN or fingerprint scanner to unlock your device, you probably have it enabled. If not, go to Settings > Accounts > Sign-in options and set up a face, fingerprint, or PIN. When a website offers to create a passkey, Windows Hello handles storage automatically.
For Android devices running version 9 or newer, passkeys are saved to Google Password Manager by default. They’ll sync across all Android devices signed into the same Google account. Android 14 comes with support for third-party password managers to store passkeys, so that’s another option if you prefer dedicated security tools.
Apple makes it a bit more straightforward. On iOS and macOS devices, passkeys are stored in iCloud Keychain and sync across all your Apple devices. You need two-factor authentication enabled for your Apple ID, then passkeys work seamlessly from your iPhone to your Mac.
If you want cross-platform support, password managers like 1Password, Bitwarden, or Dashlane now support passkeys. This is a great way to manage all your passkeys regardless of the device you are using.
I personally prefer a platform-native solution, as I primarily use Windows and Android. However, a password manager makes sense if you regularly juggle devices across Windows, Mac, iPhone, and Android.
Creating passkeys
Many websites that support passkeys will automatically prompt you to create one right after you sign in with your password.
If you don’t get an automatic prompt, you can create one manually on websites that support it. Go to the website’s account settings and then locate the security section to find passkey options. For example, to set up a passkey for your Google account, go to g.co/passkeys, click Create a passkey, and then complete the steps.
Where you can use passkeys right now
Your Google, Microsoft, and Apple accounts already support passkeys
Most major websites, including Google, Microsoft, Apple, Amazon, Adobe, and Meta (Facebook and Instagram), support passkeys. I’ve set them up for my Google Workspace, Microsoft account, and even PayPal. Every time I need to sign in, I opt for a passkey and then authenticate with my PIN.
The experience varies slightly between services. Some, like Google, let you switch to passkeys for everyday logins and even remove your password if you choose. Others still require you to keep a password as a fallback. For now, all major platforms still allow you to set a password when creating a new account, but once passkeys are enabled, you rarely need to type it.
Passkeys are here to stay
Passwordless sign-ins are the future
While more and more sites are adopting passkeys, it’s happening relatively slowly. But where it’s available, signing in is a breeze. Of course, you still need a password to create new accounts, and passwords remain as your backup method when signing in from unsupported devices or if something goes wrong with your passkeys.
This also means that passwords aren’t going anywhere soon. They’ll stick around for compatibility, recovery, and all those services that haven’t caught up yet. However, for daily sign-ins, the convenience of not typing passwords and the protection from phishing attacks make the switch worthwhile.