Passkeys explained: how they work and when to use them
A clear explanation of passkeys (FIDO2/WebAuthn): what they are, why they're phishing-resistant, where they're supported, and how they interact with password managers.
Passkeys are the replacement for passwords that the industry has been building toward for years. In 2026, they’re supported by most major platforms and many high-traffic sites. Here’s what they actually are and when to use them.
What a passkey is
A passkey is a cryptographic key pair: a private key stored on your device and a public key registered with the website. When you log in, the site sends a challenge, your device signs it with the private key, and the site verifies the signature with your public key.
No password is ever sent over the network. There’s nothing for a phishing site to capture.
The underlying standard is FIDO2/WebAuthn. “Passkey” is the consumer-friendly name for a resident credential stored in a FIDO2 authenticator.
Why passkeys are phishing-resistant
A passkey credential is bound to the origin — the exact domain where it was registered. When you register a Google passkey at accounts.google.com, that origin is cryptographically bound into the credential.
When an attacker sets up accounts-g00gle.com and tricks you into visiting it, the browser’s WebAuthn implementation checks the origin. It won’t sign a challenge for a domain that doesn’t match the registered origin. The passkey cannot be used on a phishing site — not even by the attacker.
This is the core property that passwords and TOTP codes don’t have. A phishing site can relay your password and TOTP code in real time. It cannot relay a passkey authentication.
Where passkeys are stored
Passkeys can be stored in:
- Platform authenticators: your device’s secure element (iPhone Secure Enclave, Android Titan M chip, Windows Hello TPM). Sync via iCloud Keychain (Apple) or Google Password Manager (Android/Chrome).
- Password managers: 1Password, Bitwarden, and Dashlane support storing passkeys in their vaults, enabling cross-platform use without being locked into Apple or Google’s ecosystem.
- Hardware security keys: YubiKey 5 series supports FIDO2 resident credentials (passkeys). Device-bound; does not sync.
Support in 2026
Sites and services with passkey support:
- Google, Apple ID, Microsoft accounts
- GitHub
- PayPal
- Adobe
- Shopify
- 1Password, Bitwarden (vault logins)
- Most major banks (varies by country/institution)
OS and browser support:
- iOS 16+ / macOS Ventura+: full passkey support via iCloud Keychain
- Android 9+ (with Play Services): full passkey support via Google Password Manager
- Windows 11 22H2+: Windows Hello passkey support
- Chrome 108+, Safari 16+, Firefox 122+: WebAuthn support
Passkeys vs TOTP 2FA
| | Passkeys | TOTP |
|---|---|---|
| Phishing resistant | Yes | No |
| Brute-force resistant | Yes | Partially (30s window) |
| Works offline | Yes (device-bound) | Yes |
| Lost device recovery | Via sync/backup | Backup codes |
| Setup complexity | Low-medium | Low |
| Site support | Growing, not universal | Wide |
If a site offers passkeys, use them. If not, use TOTP rather than SMS codes.
Passkeys and password managers
If you store passkeys in your platform authenticator (iCloud Keychain / Google), they’re only usable on that ecosystem’s devices.
Storing passkeys in your password manager (1Password, Bitwarden) decouples them from a single ecosystem. You can use a passkey registered in 1Password on any device where 1Password is installed. This is the right approach if you use mixed platforms.
How to start using passkeys
- Check if your password manager supports passkeys — 1Password and Bitwarden do as of 2026.
- Register a passkey on Google/Apple ID first — high-value targets, well-implemented.
- For each site that offers passkeys: register one and delete the password entry.
- Keep your old password as a fallback until you’re confident the passkey flow works on all your devices.
The transition is gradual. Don’t delete passwords for sites until you’ve verified passkey login works end-to-end on your primary devices.
What passkeys don’t protect against
- Compromised device — if your device is compromised by malware, an attacker may be able to use stored credentials directly.
- Account recovery flows — many sites let you recover via email/phone even with passkeys. If your email is compromised, passkeys on downstream accounts don’t help.
- Sites that haven’t implemented it — for sites without passkey support, you still need a strong unique password.
Passkeys are a significant improvement. They’re not a silver bullet.