The password has survived sixty years of people trying to kill it, mostly because every replacement was worse. Passkeys are the first serious attempt that is genuinely easier than the thing it replaces — and that, more than the cryptography, is why this one is working.

The one idea you need

A password is a shared secret: you know it, the website knows it, and anyone who steals it from either side can be you. That single design choice is the root cause of phishing, credential stuffing, and every “unusual sign-in attempt” email you’ve ever received.

A passkey isn’t a secret you share. It’s a key pair:

  • The private key is created on your device and never leaves it.
  • The public key goes to the website. On its own, it’s mathematically useless.

When you sign in, the site sends a random challenge. Your device signs that challenge with the private key, and the site verifies the signature against the public key it already holds. You proved you have the key without ever transmitting it.

That’s the whole trick. Everything good about passkeys falls out of it.

What it actually fixes

Phishing stops working. This isn’t a matter of degree — it’s structural. A passkey is cryptographically bound to the real domain. Land on paypa1.com and your device simply won’t offer the key. There’s nothing to type, so there’s nothing to trick you into typing. Compare that with one-time codes, which people cheerfully read aloud to attackers over the phone.

Breaches stop cascading. When a company leaks its password database, attackers get hashes they can grind offline and then try everywhere else you reused that password. Leak a passkey database and they get a pile of public keys — which are, by design, public. There is nothing there to crack.

Reuse becomes impossible. Every passkey is generated per site. You couldn’t reuse one if you tried.

The experience improves. This is the underrated part. Security upgrades normally tax the user; passkeys refund them. A fingerprint replaces typing a 16-character string on a TV remote.

Where passkeys still bite

The rough edges matter more than the sales pitch:

  • Recovery is the real weak point. You’ve moved the risk from “my password leaked” to “I lost access to my keychain.” Recovery flows are now the softest target — and plenty of sites still fall back to emailing a magic link, which quietly re-establishes your inbox as the master key to your entire life.
  • Syncing is a trust decision. Passkeys sync end-to-end encrypted through Apple, Google, Microsoft or a password manager. That’s genuinely secure, but your keys do live inside an ecosystem. Moving between them is improving and still not frictionless.
  • The naming is a mess. “Passkey”, “security key”, “device-bound credential” and “WebAuthn” get used interchangeably by people who should know better. The underlying open standard is WebAuthn/FIDO2; a passkey is the friendly name for a discoverable, usually-syncing credential built on it.
  • Coverage is uneven. The big platforms are done. Your bank, your government portal, and that ancient enterprise login are not.

How to switch without regretting it

Passkeys are added alongside your password, not instead of it. That makes this genuinely low-risk: adopt gradually, nothing breaks.

  1. Start with the keys to the kingdom. Your email first, then your password manager, then anything financial. Email is the account that can reset every other account, so it’s the one worth hardening before anything else.
  2. Enrol on more than one device, or confirm your passkeys are actually syncing. A passkey stranded on a lost phone is a bad afternoon.
  3. Keep the recovery codes. Print them; put them somewhere physical. Everyone skips this step and it’s the one that actually saves you.
  4. Don’t delete the password yet on accounts where recovery looks shaky. Simply adding a passkey already removes the phishing risk from your daily logins. Deleting the password is a later, optional step.

The honest verdict

Passkeys aren’t marketing. They’re a real structural fix to a problem we spent decades papering over with complexity rules and SMS codes that never worked. The cryptography is sound, the standard is open, and the major platforms have shipped it.

The remaining risk isn’t the technology — it’s recovery. Set that up properly, and every account you convert is one fewer password anyone can steal, phish, or leak. That is the slow end of the most successful attack in the history of the web.