Person signing in with a passkey using a phone, fingerprint icon and security shield

A passkey is a safer way to sign in to an app or website without typing a traditional password. Instead of remembering a password, you unlock your phone, computer, password manager, or security key with something you already use every day: a device PIN, fingerprint, face scan, screen lock, or hardware security key.

The important part is this: a passkey is not simply your fingerprint, Face ID, or phone PIN. Those are local unlock methods. The passkey itself is a digital sign-in credential based on public key cryptography. One part is kept private on your device or credential manager. The other part is registered with the website or app so it can verify your sign-in.

Passkeys are designed to reduce major password risks: phishing, reused passwords, weak passwords, leaked passwords, and fake login pages. They are easier to use than long random passwords, but you still need to know where they are saved and how account recovery works.

Quick answer

A passkey is a digital sign-in key that can replace a password. It lets you log in by unlocking your device with a PIN, fingerprint, face scan, screen lock, or security key.

Passkeys are usually safer than passwords because they are unique for each website, harder to phish, and never need to be typed into a login form. A website does not receive your fingerprint, your face data, or your private passkey. It only verifies a secure response from your device.

When to use this guide

Use this guide if you have seen a message such as:

  • “Create a passkey”
  • “Sign in with a passkey”
  • “Use your fingerprint or screen lock”
  • “Skip password when possible”
  • “Save a passkey”
  • “Use Windows Hello”
  • “Use passkey from nearby device”

This article is for normal users, not developers. It explains what a passkey means, how it works, whether you should use one, what can go wrong, and how to manage passkeys safely.

Before you start

Before you create a passkey for an important account, make sure you have:

  • a personal device, not a shared or public computer;
  • a secure screen lock, PIN, fingerprint, Face ID, Touch ID, or Windows Hello setup;
  • access to your recovery email and recovery phone number;
  • a trusted password manager or cloud account if you want passkeys synced across devices;
  • a backup method for important accounts, such as another passkey, recovery codes, or a hardware security key.

Do not create passkeys on devices you do not control. If someone else can unlock that device, they may be able to use the passkey.

What is a passkey?

A passkey is a modern login credential that helps you sign in without typing a password.

A traditional password works like a shared secret. You know it, and the website stores a version of it. When you sign in, you type the password and the website checks whether it matches. That model creates many risks: people reuse passwords, attackers steal them, fake websites trick people into typing them, and data breaches expose password databases.

A passkey works differently. It uses a pair of cryptographic keys:

Part Where it is kept What it does
Private key On your device, password manager, or security key Proves it is really you during sign-in
Public key On the website or app Lets the service verify the sign-in without knowing your private key

The website does not need to store a password for that login. It stores the public key. Your device keeps the private key protected.

When you sign in, the website sends a challenge to your device. Your device asks you to unlock it with your fingerprint, face, PIN, screen lock, or security key. Then it uses the private key to sign the challenge. The website checks the signature with the public key and lets you in.

That is why a passkey is often described as passwordless authentication.

What a passkey is not

A passkey is easy to misunderstand, so these distinctions matter.

A passkey is not your fingerprint or face scan. Biometrics may unlock access to the passkey on your device, but they are not sent to the website.

A passkey is not a one-time code. It is different from SMS codes, email codes, and authenticator app codes.

A passkey is not just a password manager entry. A password manager can store passkeys, but the passkey itself is a cryptographic credential, not a text password.

A passkey is not automatically an account recovery plan. You still need recovery options in case you lose access to your device or passkey provider.

Passkey example

Laptop sign-in approved by a phone using a passkey instead of a password Imagine you are signing in to your Google Account on a laptop.

Instead of typing your password, Google asks you to use a passkey. You choose your phone. Your phone asks you to unlock it with your fingerprint or screen lock. After you unlock it, the phone confirms the sign-in and your laptop logs in.

In that example:

  • you did not type a password;
  • your fingerprint stayed on your phone;
  • Google did not receive your private passkey;
  • the login worked because your phone proved it had the private key for that account.

That is the experience passkeys are trying to create: strong authentication that feels like unlocking your device.

How does a passkey work?

Diagram showing public key and private key flow during passkey creation and sign-in You do not need to understand the mathematics to use passkeys safely, but you should understand the basic flow.

When you create a passkey

Step What happens
1 You sign in to the website or app with an existing method.
2 The website offers to create a passkey.
3 You unlock your device with a PIN, fingerprint, face scan, screen lock, or security key.
4 Your device creates a public key and a private key.
5 The public key is registered with the website.
6 The private key stays protected on your device, password manager, or security key.

When you sign in with a passkey

Step What happens
1 You enter your email, username, or select an account.
2 The website asks for your passkey.
3 Your device asks you to unlock it.
4 Your device signs a challenge with the private key.
5 The website verifies the signature with the public key.
6 You are signed in without typing a password.

This design is powerful because the private key is not typed, copied, or sent to the website. The credential is tied to the service it was created for.

Where are passkeys stored?

Passkeys stored across phone, laptop, password manager and hardware security key Passkeys can be stored in different places depending on your device, browser, operating system, and password manager.

Common places include:

  • Apple Passwords and iCloud Keychain;
  • Google Password Manager;
  • Windows Hello;
  • Microsoft account / Microsoft Password Manager;
  • Android credential manager;
  • third-party password managers that support passkeys;
  • hardware security keys, such as FIDO2-compatible USB, NFC, or biometric keys.

There are two broad types of passkey storage.

Synced passkeys

A synced passkey is stored in a credential manager and can be available on more than one device. For example, a passkey saved in Apple Passwords may be available on Apple devices signed in to the same Apple Account with iCloud Keychain enabled.

The advantage is convenience and recovery. If you get a new phone or computer, your passkeys may come back when you sign in to the same trusted account or password manager. The trade-off is that your passkey security also depends on the security of that provider account.

Device-bound passkeys

A device-bound passkey stays tied to one device or one hardware security key. It may not sync automatically to other devices.

The advantage is stronger separation. The downside is that losing the device or key can lock you out unless you have another sign-in method.

For high-value accounts, the safest approach is usually to have more than one trusted method: for example, a synced passkey plus a hardware security key, or two hardware security keys stored separately.

Passkey vs password vs 2FA vs security key

Comparison of password, two-factor authentication, passkey and hardware security key Passkeys are often compared with passwords and two-factor authentication, but they are not exactly the same thing.

Method What you use Main strength Main weakness
Password Text you remember or store Works almost everywhere Can be weak, reused, leaked or phished
SMS code Code sent to your phone Better than password alone Can be intercepted, phished or affected by SIM-swap risk
Authenticator app Time-based code Stronger than SMS Can still be tricked by phishing if typed into a fake site
Passkey Device or credential manager plus local unlock Phishing-resistant and easier to use Requires good device and recovery management
Hardware security key Physical USB/NFC/security device Very strong, often device-bound Can be lost if you do not have a backup key

For a deeper side-by-side comparison, read Passkey vs Password: Which Is Safer?.

A passkey can replace a password for sign-in on supported services. In some accounts, passkeys can also act as a second factor. The exact role depends on the website, app, and account type.

Are passkeys safe?

Passkey security shield showing protection against phishing, leaked passwords and reused passwords Yes, passkeys are generally safer than passwords for most people.

They are safer because:

  • you do not type them;
  • they are unique for each website or app;
  • they are harder to steal through phishing;
  • they are not reused across accounts;
  • the website does not store your private key;
  • your biometric data stays local to your device.

Passkeys are especially strong against common password attacks. If a phishing website tricks you into visiting a fake login page, it cannot simply collect your passkey like it could collect a password. If a company suffers a password database leak, there should be no reusable passkey password for attackers to try elsewhere.

But passkeys are not magic. You can still be at risk if your device is stolen and can be unlocked, your password manager account is compromised, malware controls your device, or the website has weak account recovery. The practical rule is simple: passkeys are a major security improvement, but they work best when your device lock, recovery methods, and password manager are also secure.

What are the downsides of passkeys?

The biggest downside of passkeys is not the cryptography. It is the user experience around storage, syncing, recovery, and support.

Here are the main limitations.

Not every website supports passkeys

Passkey support is growing, but it is not universal. You may still need passwords for many accounts.

People may not know where a passkey was saved

A passkey might be in Apple Passwords, Google Password Manager, Windows Hello, a browser profile, a third-party password manager, or a hardware security key. If you do not know where it is stored, managing it later can be confusing.

Changing devices can be confusing

If your passkey is synced, moving to a new device may be easy. If it is device-bound, you may need to create another passkey before replacing the old device.

Recovery still matters

If you lose your phone, laptop, or security key, you need a backup method. That could be another device, another passkey, recovery codes, a verified recovery email, or a hardware security key.

Some accounts still keep passwords enabled

Many services let you use both a passkey and a password. That can be convenient, but it also means your overall account security may still depend on the old password and recovery settings.

Shared devices are dangerous

Creating a passkey on a family computer, school computer, internet cafe device, or someone else’s phone can create unnecessary risk. If another person can unlock that device, they may be able to sign in.

Should you turn on passkeys?

For most personal accounts, yes. You should consider turning on passkeys when the account supports them and you understand where the passkey will be saved.

Passkeys are especially useful for email accounts, cloud storage, password managers, payment accounts, social media accounts, and work accounts when your organization supports them.

Turn on passkeys if

  • the device is yours;
  • you use a strong screen lock or device PIN;
  • your recovery email and phone number are current;
  • you know where the passkey will be stored;
  • you have another way to recover the account;
  • you want less risk from phishing and password leaks.

Be careful if

  • the device is shared;
  • you are on a public computer;
  • you do not control the password manager;
  • your recovery methods are outdated;
  • you are about to sell, wipe, or replace the device;
  • you do not know whether the passkey syncs to your other devices.

The best time to turn on a passkey is after you update recovery information, remove old devices, and protect your main email account.

How to create a passkey

The exact buttons differ by service, but the process is similar.

  1. Open the account settings for the website or app.
  2. Go to Security, Sign-in, Login methods, Password and security, or Passkeys.
  3. Choose Create passkey, Add passkey, or Set up passkey.
  4. Confirm your identity.
  5. Choose where to save the passkey if you are given options.
  6. Unlock your device with fingerprint, face scan, PIN, screen lock, Windows Hello, or a security key.
  7. Save the passkey.
  8. Check that your recovery methods are still correct.

If the account is important, create a second trusted sign-in method. For example, add another passkey on a second device or register a hardware security key.

Google, Apple and Microsoft passkeys

The passkey idea is the same across major platforms, but the settings look different.

For Google Accounts, passkeys can enable passkey-first sign-in on supported devices. Google advises creating passkeys only on personal devices you own and use.

For Apple devices, passkeys can be saved in Apple Passwords and iCloud Keychain and used across devices signed in to the same Apple Account when the required security features are enabled.

For Microsoft and Windows, passkeys can work with Windows Hello, so you may sign in using a device PIN, fingerprint, face recognition, or a companion device.

In every case, the same safety rule applies: know where the passkey is stored, keep your device secure, and keep recovery methods updated.

Can you still use your password if you have a passkey?

Often, yes, but it depends on the account.

Some services let you keep both a password and a passkey. In that case, the passkey is a safer and easier sign-in method, but the password may still exist as a backup option.

Other services may move toward passwordless sign-in, especially for personal accounts where passkeys are fully supported. Work or school accounts may have different rules controlled by an administrator.

Do not assume that adding a passkey automatically removes all password risk. If the account still allows password sign-in, keep the password strong, unique, and stored in a password manager.

What happens if you lose your phone or computer?

Recovery checklist for a lost device with passkeys, backup methods and account protection If you lose a device with a passkey, the next step depends on where the passkey was stored.

If the passkey was saved in a synced credential manager, you may be able to recover it by signing in to the same provider on a new trusted device. This is why the provider account must be protected well.

If the passkey was tied only to that device or a hardware security key, losing it can remove that sign-in method. You should then use another recovery method, such as another passkey, a backup hardware security key, recovery codes, recovery email, recovery phone, or the account recovery flow from the service.

If a device with passkeys is lost or stolen:

  1. Use another trusted device to sign in to important accounts.
  2. Remove the lost device from account access.
  3. Remove passkeys associated with the lost device, if possible.
  4. Review recent account activity.
  5. Add a new passkey on your replacement device.
  6. Keep at least one backup method for important accounts.

How to find, manage, or delete passkeys

Passkeys are usually managed in the account security settings of the service and in the credential manager that stores them.

Look in places such as:

  • Google Account security or sign-in options;
  • Apple Passwords app and iCloud Keychain;
  • Windows Settings, Accounts and sign-in options;
  • Microsoft account security settings;
  • Chrome or browser password manager;
  • third-party password manager passkey vault;
  • hardware security key management tool.

You may need to remove a passkey in two places: from the website or app account, and from the password manager, device, browser, or security key where it is stored.

Common passkey problems

If you do not see a passkey option, the website may not support passkeys yet, or your device, browser, or operating system may need an update.

If your passkey appears on the wrong device, check both the account’s passkey settings and the credential manager where it was saved. Remove passkeys from shared or unwanted devices.

If the website still asks for your password, the service may still require passwords for some actions or may not be set to passkey-first sign-in.

If a passkey does not appear after changing phones or computers, use another trusted device, recovery email, recovery phone, recovery codes, or a backup security key. After you recover the account, create a new passkey on the new device.

Common mistakes

Avoid these mistakes when using passkeys:

  • creating passkeys on shared devices;
  • forgetting to update recovery methods;
  • assuming a passkey removes every security risk;
  • wiping or selling an old phone before checking whether passkeys are available elsewhere;
  • keeping a weak password active on an account that still allows password sign-in.

Passkeys reduce several major risks, but they should be part of a complete account security setup.

Security, privacy and safety notes

Passkeys are designed to be private. Your fingerprint, face scan, and device PIN are used locally to unlock access to the passkey. They are not supposed to be sent to the website you are signing in to.

Use these safety rules:

  • use passkeys only on devices you own;
  • keep device software and browsers updated;
  • use a strong device screen lock;
  • protect your Apple, Google, Microsoft, or password manager account;
  • remove lost or old devices from important accounts;
  • do not approve passkey prompts you did not start;
  • keep at least one backup method for important accounts;
  • use a hardware security key for high-value accounts when possible.

For sensitive accounts, passkeys work best with updated recovery methods, strong device security, phishing awareness, and regular review of signed-in devices.

Faster alternative

If you only want a simple rule, use this:

Turn on passkeys for important accounts when you are using your own device, your recovery methods are up to date, and you know where the passkey will be saved.

Do not create a passkey on a shared device. Do not rely on only one device for an account you cannot afford to lose.

FAQ

What is an example of a passkey?

Signing in to an account by unlocking your phone with your fingerprint instead of typing a password is a common passkey example.

Is a passkey the same as a password?

No. A password is text you type. A passkey is a cryptographic credential unlocked locally by your device or security key.

Is my passkey my fingerprint?

No. Your fingerprint may approve use of the passkey on your device, but it is not sent to the website.

Can I still use my password if I have a passkey?

Often yes, but it depends on the service and your account settings.

Are passkeys safer than passwords?

Usually yes. Passkeys are unique per service, harder to phish, and not typed into login forms.

What are the downsides of passkeys?

The main downsides are limited support, storage confusion, device changes, and account recovery.

Can a hacker steal my passkey?

Not like a typed password. However, malware, stolen unlocked devices, weak recovery, and session theft can still put accounts at risk.

What happens if I forget my passkey?

You do not memorize a passkey. The real issue is losing access to the device, password manager, or security key that stores it.

How do I find my passkeys?

Check your account security settings and your credential manager, such as Apple Passwords, Google Password Manager, Windows sign-in options, Chrome, or your password manager.

Should I turn on passkeys?

Yes, if the account supports them, the device is yours, your device lock is secure, and recovery methods are updated.

Is it better to use a passkey or a password?

For the full comparison, see Passkey vs Password.

Are passkeys the same as two-factor authentication?

Not exactly. A passkey can replace a password as the primary sign-in method, and in some accounts it can also be used as a second factor.

Can I remove a passkey?

Yes. Remove it from the account security settings and, if needed, from the device, password manager, browser, or hardware key where it is stored.

Editorial sources

This article follows current passkey and account security guidance from:

Last tested

Tested and reviewed against:

  • Google Account passkey settings
  • Apple Passwords and iCloud Keychain documentation
  • Microsoft account passkeys
  • Windows Hello passkey documentation
  • Chrome passkey sign-in behavior

Last reviewed: 2026-06-30