The future of authentication is here — but passwords aren't going away yet
Apple, Google, Microsoft, Amazon, and hundreds of other companies are rolling out passkeys — a new way to sign in that doesn't involve typing a password. If you've recently seen "Sign in with a passkey" as an option on a website or app, you've witnessed the start of the biggest shift in online authentication since passwords were invented.
But what exactly are passkeys? Are they really better than passwords? And should you switch? This guide breaks it all down in plain language.
Traditional passwords work like a shared secret: you know the password, the website knows the password (stored as a hash), and when they match, you're in. The problem? That shared secret can be stolen, guessed, or phished.
Passkeys use a completely different approach called public-key cryptography. Here's how it works in simple terms:
When you create a passkey, your device generates two mathematically linked keys:
| Feature | Passwords | Passkeys |
|---|---|---|
| What you type | A secret string | Nothing — biometric or PIN |
| Phishing risk | High — can be tricked into typing on fake sites | None — bound to the real website domain |
| Data breach exposure | Hash can be cracked or reused | Public key is useless alone |
| Credential stuffing | Very common attack vector | Not possible |
| Memory required | Must remember each password | Nothing to remember |
| Cross-device access | Type it anywhere | Syncs via cloud or QR + Bluetooth |
| Recovery if device lost | Password + recovery codes | Cloud sync or backup device |
| Adoption as of 2026 | Universal | Growing — major services support it |
Passkeys win on almost every security metric. But adoption is the catch — most websites still don't support them, which means you'll be managing both systems for years to come.
The list is growing fast. Here are the major services where you can use passkeys today:
Phishing works by tricking you into typing your password on a fake website. With passkeys, there's nothing to type. The passkey is cryptographically bound to the real website's domain. A fake site can't use your passkey even if you try — your device simply won't authenticate.
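The domain binding described above can be seen in the checks a website runs on a passkey sign-in response before it verifies the signature. This is an added example, not code from the original page: it follows the WebAuthn data layout, and `example.com`, `example-login.test`, the function names and the sample response are constructed for illustration. Signature verification against the stored public key is left to a cryptography library.

```python
import base64, hashlib, json, struct

RP_ID = "example.com"                      # assumed relying-party ID (the real site's domain)
ALLOWED_ORIGINS = {"https://example.com"}  # assumed origin the real site serves sign-in from

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            issued_challenge: bytes) -> bytes:
    """Relying-party binding checks on a WebAuthn sign-in response.

    Returns the bytes the passkey signed; the caller must still verify the
    signature over them with the stored public key. Raises ValueError otherwise.
    """
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        raise ValueError("not a sign-in assertion")
    if client.get("challenge") != b64url(issued_challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") not in ALLOWED_ORIGINS:   # origin is written by the browser
        raise ValueError("origin mismatch")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("RP ID hash mismatch")
    if not flags & 0x01:                              # UP: user was present
        raise ValueError("user presence flag not set")
    if not flags & 0x04:                              # UV: biometric or PIN check passed
        raise ValueError("user verification flag not set")
    return authenticator_data + hashlib.sha256(client_data_json).digest()

def sample_response(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what the browser and authenticator send back."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 7)
    return client_data, auth_data

def try_sign_in(origin: str, rp_id: str, challenge: bytes) -> str:
    try:
        check_assertion_binding(*sample_response(origin, rp_id, challenge), challenge)
        return "binding ok, verify signature next"
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses a fresh random value
    print(try_sign_in("https://example.com", "example.com", challenge))
    print(try_sign_in("https://example-login.test", "example-login.test", challenge))
```

Because the origin and the RP ID hash are inside the signed bytes, a response produced on any other domain fails these checks even when the signature itself is valid.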
When a website gets hacked, password databases are the prize. Attackers crack the hashes and use your credentials on other sites (credential stuffing). With passkeys, the website only stores your public key. Even with full access to the database, attackers can't impersonate you.
No typing, no remembering, no resetting. You look at your phone or touch your laptop's fingerprint sensor. That's it. For people who find passwords annoying — which is everyone — passkeys are a genuine improvement in daily life, not just security theory.
This is the most common worry. The answer depends on your setup:
You can also set up cross-device authentication. If your phone is lost, you can use another device (a family member's phone, for example) to authenticate via QR code and Bluetooth.
Passkeys are tied to your biometric identity on the device. If you share a computer, other users can't use your passkeys — they'd need their own fingerprint, face, or PIN to authenticate. This is actually more secure than shared-device passwords.
Unlike passwords, passkeys can't be shared between services or tracked across sites. Each passkey is unique to one website. There's no way for Google to see which Amazon passkeys you have, or vice versa. This is better for privacy than password reuse.
Here's a practical plan for 2026:
Go to the security settings of your Google, Apple, Microsoft, and Amazon accounts. Enable passkeys. This takes about two minutes per account and immediately improves your security for those services.
For the hundreds of sites that don't support passkeys yet, you still need strong, unique passwords. Use our Password Generator to create random passwords and our Strength Checker to verify they're strong enough.
Password managers handle both worlds — they store your traditional passwords and increasingly support passkey management too. They sync across devices and auto-fill on websites.
Even with passkeys rolling out, 2FA remains your best protection for password-protected accounts. Use an authenticator app (not SMS) wherever possible.
A hardware security key adds a physical layer of protection to your accounts — useful as a backup authentication method alongside passkeys.
A hardware security key that supports FIDO2 and works as a physical second factor for your most important accounts. USB-A with NFC for phones.
USB-C version of the popular hardware key. Works with laptops, tablets, and phones via NFC. Supports FIDO2, U2F, and more.
Google's hardware security key for two-factor authentication. USB-C with NFC, designed to work seamlessly with Google accounts and other FIDO services.
Keep a physical backup of recovery codes and backup authentication methods. Numbered pages and a table of contents make it easy to organize.
Your passkeys are protected by the same security that protects your phone — biometrics and encryption. If you're comfortable using your phone for banking apps, you can trust it with passkeys. The bigger risk is losing your phone without having a backup device set up.
Yes. The biometric authentication happens locally on your device. Your phone signs the challenge and then sends the result to the website. Even if you're offline during the authentication step, it works — though you obviously need internet to reach the website.
Not directly — passkeys live on your personal devices. However, you can use cross-device authentication: scan a QR code on the shared computer with your phone, and your phone authenticates via Bluetooth. No passkey is stored on the shared computer.
Every service that offers passkeys also maintains a password fallback. If passkey support is removed, you'll fall back to password-based login. You won't be locked out.
Passkeys represent a genuine leap forward in online security. They're more resistant to every major attack vector — phishing, breaches, credential stuffing — and they're easier to use. But the transition will take years, not months.
For now, the smartest strategy is hybrid: use passkeys where available, maintain strong unique passwords everywhere else, and enable two-factor authentication on every important account. Our free tools help you with the password side of that equation — generate strong passwords, check their strength, and create memorable passphrases.
Start by checking your most important accounts today. Google, Apple, and Amazon all have passkey options in their security settings. Enable them, and you've already made a meaningful step toward better security.