Passkeys Are Here. Time to Ditch Your Passwords?
Passwords have been broken for decades. Passkeys might actually fix the problem — if enough sites get on board.
I've spent years telling people to use password managers and enable two-factor authentication. That advice still holds. But there's now a third option that makes both of those feel like duct tape on a broken pipe.
Passkeys. They've been rolling out quietly over the past couple of years, and in 2026 they've hit the point where you can actually use them day-to-day. I've switched most of my important accounts over, and honestly? I don't think I'm going back.
Here's what passkeys are, how they work, and whether you should start using them today.
The Password Problem (In 30 Seconds)
You already know this, but let's be precise about why passwords are terrible:
- Phishing works. Even smart people type passwords into fake login pages. The entire phishing industry exists because passwords are something you know and can be tricked into sharing.
- Reuse is inevitable. Password managers help, but most people reuse passwords across sites. One breach and attackers have the keys to your other accounts.
- Databases get breached. The server stores some form of your password (ideally hashed, sometimes not). When the database leaks, attackers crack the hashes offline.
- 2FA helps but isn't bulletproof. SMS codes get SIM-swapped. TOTP codes can be phished in real-time with proxy attacks. Push notifications get fatigue-bombed. 2FA raises the bar, but it doesn't change the fundamental game.
Passkeys change the fundamental game.
What a Passkey Actually Is
A passkey is a cryptographic key pair. When you register a passkey with a website, your device generates two keys:
- A private key — stays on your device, never leaves, never gets sent to anyone
- A public key — gets sent to the website and stored on their server
When you log in, the website sends a random challenge. Your device signs it with the private key. The website verifies the signature with the public key. If it matches, you're in.
That's it. No password transmitted. No shared secret. Nothing to phish.
If someone sets up a fake login page for your bank, your device won't sign the challenge because the domain doesn't match. Passkeys are bound to the specific website domain they were registered for. A fake site at my-bank-login.com can't trigger the passkey you created for mybank.com. Phishing literally doesn't work.
If the website's database gets breached, attackers get your public key. This is useless. You can't derive the private key from the public key — that's the whole point of asymmetric cryptography.
How It Feels to Use One
The first time I set up a passkey, I kept waiting for the complicated part. It never came.
On most sites, you go to security settings, click "Add passkey," and your device prompts you to verify with a fingerprint, face scan, or PIN. Done. That's the setup.
Logging in is even simpler. You go to the login page, select your account, authenticate with your biometric, and you're in. No typing. No pasting from a password manager. No waiting for a 2FA code.
The biometric never leaves your device, by the way. Your fingerprint doesn't get sent to the website. It's just used to unlock the private key stored locally.
Where Passkeys Live
This is where it gets slightly confusing, because there are two flavours:
Synced Passkeys (Most Common)
These are stored in your platform's credential manager — iCloud Keychain on Apple devices, Google Password Manager on Android/Chrome, or Windows Hello on Microsoft devices. They sync across your devices through the cloud.
This means:
- Create a passkey on your iPhone, use it on your Mac
- Create one in Chrome on your laptop, use it on your Android phone
- If you lose your phone, your passkeys survive because they're backed up
The trade-off: you're trusting Apple, Google, or Microsoft to store your private keys securely. They're encrypted end-to-end, but you are placing trust in these companies. For most people, this is a reasonable trade-off — these companies have strong incentive to get this right.
Third-party password managers like 1Password, Bitwarden, and Dashlane also support synced passkeys now. If you already use one, you can store passkeys there instead.
Device-Bound Passkeys
These are tied to a specific hardware device — typically a security key like a YubiKey. The private key exists only on that physical device and cannot be extracted or copied.
More secure, but:
- Lose the key, lose access (always register a backup)
- Need the physical key present to log in
- Less convenient for everyday use
I use hardware-bound passkeys for my email and financial accounts. Synced passkeys for everything else.
The Cross-Platform Situation
The biggest headache with passkeys right now is cross-ecosystem login. You created a passkey on your iPhone, but now you're at a Windows computer at work. What do you do?
The answer is QR codes and Bluetooth. The website shows a QR code, you scan it with your phone, your phone verifies you with biometrics, and the authentication goes through over Bluetooth. It works, but it's clunkier than native authentication.
This has gotten noticeably smoother over the past year. Most browsers handle it well now. But it's still the weakest part of the experience.
If you use a cross-platform password manager like 1Password or Bitwarden for your passkeys, this problem mostly disappears — the passkeys are available wherever the manager runs.
Which Sites Support Passkeys?
More than you'd think. As of March 2026:
- Google — Full support, including Advanced Protection Program
- Apple — Apple ID and iCloud
- Microsoft — Microsoft accounts and Entra ID (corporate)
- GitHub — Passkeys as primary authentication
- Amazon — Account login
- PayPal — Available in most regions
- WhatsApp — Account verification
- X (Twitter) — As a sign-in method
- LinkedIn — For login
- Coinbase — Account protection
- Nintendo — Nintendo Account
- Adobe — Creative Cloud
- Shopify — Both merchant and customer accounts
- 1Password, Bitwarden, Dashlane — Both as storage and for their own login
- Most major banks — Adoption has accelerated, though coverage varies by region
The list keeps growing. Check a site's security settings — if they support passkeys, you'll usually find it under "Security" or "Sign-in methods."
Setting Up Your First Passkey
Let's do Google as an example since nearly everyone has a Google account:
- Go to myaccount.google.com
- Navigate to Security → Passkeys and security keys
- Click Create a passkey
- Your browser or device will prompt you — authenticate with fingerprint, face, or PIN
- Done. Next time you sign in to Google, it'll offer the passkey option
Takes about 20 seconds.
My recommendation for your first few passkeys:
- Your primary email (Google, Microsoft, Apple)
- Your password manager
- GitHub or whatever you use for work
- Financial accounts that support it
Start there. Expand as you get comfortable.
Passkeys Don't Kill Password Managers
I still use a password manager daily. Here's why:
- Hundreds of sites don't support passkeys yet
- Password managers now store passkeys too, becoming a unified credential vault
- You still need to store recovery codes, secure notes, and other sensitive data
- Shared accounts (family Netflix, team credentials) still use passwords
Think of passkeys as the preferred method where available, with your password manager handling everything else. They're complementary, not competing.
What About Recovery?
"What if I lose all my devices?" — the first question everyone asks.
For synced passkeys: they're backed up to your cloud account. Recover your Apple/Google/Microsoft account, and your passkeys come with it. This means your cloud account becomes the critical recovery point. Secure it well.
For hardware keys: this is why you register two keys. Keep the backup somewhere safe — a lockbox, a trusted person's house, a safe deposit box.
Most sites still let you keep a password as a fallback alongside your passkey. I'd recommend doing this during the transition period. Use a strong, unique password from your password manager as the backup, and keep 2FA enabled.
Over time, some sites may let you go fully passwordless — passkey only, no password at all. Google already offers this. When you're confident in your passkey setup and backup strategy, it's worth considering.
The Honest Downsides
I'm sold on passkeys, but here's what still needs work:
Inconsistent UX. Every site implements the passkey flow slightly differently. Some are smooth, some are confusing. There's no universal "log in with passkey" button design yet.
Corporate/shared device scenarios. If you use shared workstations or kiosk devices, passkeys are awkward. You end up doing the phone-QR-code dance constantly.
Not all sites treat passkeys as true passwordless. Some still require a password plus passkey, essentially using it as a fancy 2FA. This defeats some of the benefit.
Ecosystem lock-in concerns. If all your passkeys are in iCloud Keychain and you switch to Android, migration is possible but not seamless. Using a third-party password manager avoids this.
Some sites delete inactive passkeys. I've seen a few sites remove passkeys after extended non-use. Annoying when you discover it at login time.
How Passkeys Compare
| | Passwords | Passwords + 2FA | Passkeys |
|---|---|---|---|
| Phishable | Yes | Partially | No |
| Reusable across sites | Often | Often | Never (unique per site) |
| Stolen in breaches | Yes | Password yes, 2FA maybe | No (public key is useless) |
| User effort | Medium | High | Low |
| Recovery options | Reset flows | Reset + 2FA recovery | Cloud backup or hardware backup |
| Support | Universal | Wide | Growing fast |
My Setup
Here's what I actually use right now:
- High-value accounts (email, banking, password manager): Hardware security key (YubiKey) as primary passkey, second YubiKey as backup, password + TOTP as fallback
- Important accounts (GitHub, cloud services, social): Synced passkeys via password manager, password as fallback
- Everything else: Password manager with strong unique passwords + TOTP where available
I'll simplify this as passkey support gets more universal. But for now, this layered approach covers all the bases.
What to Do Today
If you do one thing after reading this:
- Pick your most important account — probably your primary email
- Go to its security settings and add a passkey
- Keep your existing password and 2FA as fallback for now
- Over the next month, add passkeys to other accounts that support them
You don't need to change everything at once. Every account you add a passkey to is one more account that can't be phished.
Passwords were a 1960s solution to a 1960s problem. We've been patching them with complexity requirements, rotation policies, managers, and second factors for decades. Passkeys aren't a patch. They're a replacement for the broken model underneath.
The transition will take years. But it's started, the technology works, and you can start today.