Should You Use Passkeys Instead of Passwords?
Google and Apple have rolled out passkeys, but the technology isn't yet seamless across all browsers, operating systems, and devices
For years, security experts have emphasized the importance of creating strong and unique passwords. According to a recent Consumer Reports nationally representative survey of 2,022 respondents conducted in May 2024, 85 percent of adults in the U.S. do so. But only 34 percent of respondents use a password manager to create those passwords, a tool that typically generates more complex strings than many people would come up with manually.
But even the most complex passwords are vulnerable to phishing, where unsuspecting users are tricked into disclosing their passwords or entering them at a fraudulent look-alike website controlled by the attackers. Even using an authentication app like Authenticator or Authy isn’t foolproof—you could still be tricked into entering your one-time password on a fake log-in page.
Because of the risks of passwords, the tech industry has been eager to create a password-free future. Passkeys—jointly developed by Apple, Google, Microsoft, and others—are an alternative to passwords, providing robust protection against phishing attacks and website breaches.
How Passkeys Work
Passkeys use public-key cryptography for security, which means authentication requires two separate keys: a private key that is stored on your device, and a public key held by the service where your account is held. Passkeys can also be synced to the cloud (as is the case if you’re using them on Apple devices with iCloud), and your key can be copied from one device, such as your phone or laptop, to another.
Passkeys require some form of authentication before they can be used. That might be the passcode you use to unlock your screen, or a form of biometric authentication such as a face scan or a fingerprint. That biometric data stays local on your own device or encrypted cloud storage—it’s not shared with the services you use.
Using a passkey means you can’t accidentally enter your personal log-in on a malicious site or give it to a phishing account, making passkeys more secure than a traditional password.
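The sign-in described above, as an added example that is not Consumer Reports' or any vendor's code: a simplified Node.js model (not the real WebAuthn byte formats) showing why a look-alike site gets nothing usable. The hostnames `bank.example` and `bank-login.example` and all function names are constructed for illustration.

```javascript
// Simplified model of a passkey sign-in (added example; not real WebAuthn encoding).
// Exact-host matching stands in for WebAuthn's relying-party ID rules.
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const newChallenge = () => randomBytes(32).toString('base64url');

// Registration: the device keeps the private key; the service stores only the public key.
function createPasskey(rpId) {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, privateKey, publicKey };
}

// Device side: the browser reports the origin it is really on; the page cannot choose it.
function signIn(devicePasskeys, origin, challenge) {
  const host = new URL(origin).hostname;
  const passkey = devicePasskeys.find((p) => p.rpId === host);
  if (!passkey) return null; // no passkey for this site, so nothing is handed over
  const clientData = JSON.stringify({ challenge, origin });
  const signedBytes = Buffer.concat([sha256(passkey.rpId), sha256(clientData)]);
  return { clientData, signature: sign('sha256', signedBytes, passkey.privateKey) };
}

// Service side: check challenge and origin, then the signature against the stored public key.
function verifySignIn(account, expected, assertion) {
  if (!assertion) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expected.challenge || origin !== expected.origin) return false;
  const signedBytes = Buffer.concat([sha256(expected.rpId), sha256(assertion.clientData)]);
  return verify('sha256', signedBytes, account.publicKey, assertion.signature);
}

// Constructed scenario: one genuine sign-in, one look-alike site, one replayed response.
function demo() {
  const expected = { rpId: 'bank.example', origin: 'https://bank.example', challenge: newChallenge() };
  const passkey = createPasskey('bank.example');
  const account = { publicKey: passkey.publicKey }; // all the service ever stores
  const genuine = signIn([passkey], 'https://bank.example', expected.challenge);
  const phished = signIn([passkey], 'https://bank-login.example', expected.challenge);
  const nextLogin = { ...expected, challenge: newChallenge() };
  return {
    genuine: verifySignIn(account, expected, genuine),   // true
    phished: verifySignIn(account, expected, phished),   // false: device returned nothing
    replayed: verifySignIn(account, nextLogin, genuine), // false: challenge is stale
  };
}
console.log(demo());
```

Unlike a password or a one-time code, the signed response is tied to one site and one challenge, so there is no reusable secret for a fake page to collect.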
What happens if you lose your phone—do you also lose access to your online accounts? This should not be a problem, as long as you’ve connected your passkey across multiple devices. And you can revoke a passkey for your Google account in your password settings, or from your Mac and iCloud keychain. For now, services that support passkeys offer traditional account recovery methods using the email address tied to your account. Others, like Google, also issue backup recovery keys as a last-ditch measure. You’ll want to print or physically write these down and store them somewhere safe in your home.
How to Get Started With Passkeys
A handful of services and companies—including operating system vendors, password managers, retailers, and financial institutions—adopted passkeys when the standard first launched in 2023, and many more have joined the fray since. Typically, these websites and services will prompt you to create and use a passkey at the same step that you’d normally log in with a traditional password.
Android devices may automatically create passkeys when you log in to your Google account. You can start using passkeys for personal Google accounts by going to this page and selecting “start using passkeys.” You need Windows 10 or up to use passkeys on a PC, and Windows 11, version 22H2 or newer to access features such as synchronization. Some browsers might not support passkeys, so you may need to switch to a supported browser to set up a passkey for your Google account.
Apple requires you to use a traditional password to log in to your Apple ID, but creating a passkey on an Apple device will let you sign in with that passkey on any Apple device, as long as your device runs iOS 16 or macOS Ventura or newer, and you are using iCloud Keychain.
You can already use passkeys with dozens of companies, such as Best Buy, Hyatt, and PayPal. See this full directory of passkeys. For more information on setup, check out the Freedom of the Press Foundation’s guide to passkeys, or the following instructions for major platforms:
• Passkeys on a Google account
• Passkeys for Chrome and Android
• Passkeys on a Mac
• Passkeys on an iPhone
• Passkeys on an iPad
Passkey Limitations
Currently, passkeys are available only on select websites, apps, and services. Keeping track of where you can use them can be challenging, too. For example, if you use a passkey to log in to an app on your phone, you’ll still need a password on your laptop if you want to use a browser that doesn’t yet work with passkeys.
Getting passkeys set up on your various devices can be tricky because things don’t always sync seamlessly. For example, you can share passkeys across Apple devices using iCloud Keychain, and thanks to recent developments, you can now create and share them across Android, Chrome OS, macOS, Linux, and Windows devices using Google Password Manager. But there is not yet a seamless and easy way to share passkeys across iPhone and Android devices or natively across Windows devices.
For these reasons, until we see further maturation, we suggest only going all-in on passkeys if most of your primary devices are part of the same ecosystem — if you’re firmly in the Apple camp with an iPhone, MacBook, and an iPad, for example. You may run into more hiccups and incompatibilities if you’re an Android smartphone user with a Windows PC and an iPad.
The technology has other quirks, too. You can use passkeys with Apple’s Safari browser, but if you are on a MacBook, you may have to use the Chrome browser to set up a Google passkey. (Check this table to see if you can use passkeys on your preferred operating systems, browsers, and devices.)
“The rollout of passkeys, and even U2F [Universal 2nd Factor] before it, has been clunky and slow,” said Bret Jordan, vice chair of the board of directors at OASIS. “In fact, the technology is actually moving faster than organizations can adopt, causing fragmentation and uncertainty. The single biggest problem with passkeys is the lack of a good user experience when trying to migrate or add passkeys to other devices.”
The user experience around passkeys “can definitely be improved based on availability of the services and lack of consistency around how exactly you get the keys on your devices,” says Martin Shelton, principal researcher at Freedom of the Press Foundation. “That said, I also believe it’s really exciting technology because it could—pending availability—make it a lot easier for people to stop typing their password on malicious websites.”
Next Steps for Passkeys
Passkeys are still in their early stages. Given that they’re not yet available for all services, operating systems, and devices, it’s too soon to switch away from using passwords for all your online security. But you can start experimenting with passkeys on accounts where it makes sense for you.
Either way, you’ll still want to use a password manager to keep your passwords safe. Since passkeys aren’t intended to completely replace passwords, this will ensure you can always fall back to traditional methods if you decide using them isn’t for you.
Some password managers even allow you to store passkeys, and more are working on this feature. As passkeys continue to propagate, more service providers, password managers, and operating system vendors are creating better ways to easily port them from one platform to another. Be sure to verify the policies and tools for each of them to discern how easy it’d be to bring your passkeys with you if you need to switch.
You can also store passkeys on a security key. That passkey can’t be copied from the security key. That can make it more secure, but it’s important to register these passkeys on multiple keys kept in different locations if you do decide to use them. That’s because the passkey only exists on that security key and isn’t backed up to the cloud, meaning you may permanently lose access to your account if you don’t have it stored elsewhere.
Adoption of passkeys has been slow and steady, but may accelerate quickly. The governing FIDO Alliance—the group of companies responsible for developing passkeys—recently announced the Credential Exchange Protocol (CXP), which creates a standardized method for users to easily and securely transfer passkeys between supported platforms.
The FIDO Alliance developed CXP in response to concerns that the current implementation of passkeys would make it prohibitive for users to switch platforms and services. Researchers from major operating system vendors like Apple, Google, Microsoft, and Samsung—as well as third-party password management services like 1Password, Dashlane, and Bitwarden—worked on it. The protocol isn’t yet available for implementation, as the group is still fine-tuning its specifications.