What Is a Passkey and How to Use One Instead of a Password

What a passkey is and how to use one

You may have noticed apps offering to let you sign in with a “passkey” and a quick face or fingerprint scan — no password typed at all. Passkeys are widely described as the replacement for passwords, and the big tech companies are pushing them hard. Our GetMyPassword team explains what a passkey actually is, how it keeps you safe from phishing, and how to start using one while passwords are still around.

How a passkey works
How a passkey replaces a password with a device key.

What a passkey is

A passkey is a pair of cryptographic keys created for one website. The private key stays locked on your device; the public key lives on the site’s server. To sign in, your device proves it holds the private key — unlocked by your fingerprint, face or device PIN. You never type or even see a secret, so there is nothing to forget, reuse or leak.

Why it is more secure than a password

  • Phishing-proof: a passkey only works on the real site it was made for, so a fake page cannot capture it.
  • Nothing to steal in a breach: servers only hold the public key, which is useless on its own.
  • No reuse: every passkey is unique to one site automatically.

How to set one up

Look under Security settings on accounts from Google, Apple, Microsoft, PayPal and a growing list of others, and choose “Create a passkey.” It saves to your phone or computer and syncs through your Apple, Google or Microsoft account, so it is available across your devices. Setup takes one tap and a biometric scan.

Passkeys are the future, but the change is gradual. Most of your accounts will still rely on passwords for years — so strong, unique passwords remain essential alongside the passkeys you adopt.

Passwords still matter in the meantime

Adopt passkeys wherever they are offered, but the vast majority of sites still need a password. For all of those, keep using strong, unique ones from our password generator and store them in a manager. The safest setup today is passkeys where you can, generated passwords plus 2FA everywhere else.

Frequently asked questions

Is a passkey the same as a password?

No. A password is a secret you type; a passkey is a cryptographic key stored on your device and unlocked with biometrics. You never type or memorise a passkey, and it cannot be phished or reused.

What happens to my passkey if I lose my phone?

Passkeys sync through your Apple, Google or Microsoft account, so they restore to a new device when you sign back in. Most sites also keep a backup sign-in method, such as a password or email code.

Do I still need passwords if I use passkeys?

Yes, for now. Many sites do not support passkeys yet, so you still need strong, unique passwords for those accounts. Use passkeys where available and generated passwords everywhere else.

Help your friends stay safe. Share this article!