00

Why this matters

Almost every break-in starts with a password. It gets reused, guessed, leaked in a breach, or typed into a convincing fake. A passkey removes the thing that gets stolen.

A password is a shared secret. You know it, and the website keeps a scrambled copy to check against. That sharing is the flaw. Anything that learns the secret, a fake login page, a leak from the company, a glance over your shoulder, can sign in as you from anywhere in the world.

A passkey works the other way around. When you create one, your device makes a pair of matching keys. The private half stays sealed on your phone, your computer or a hardware key, and never leaves it. The public half goes to the website, where it is useless to a thief. To sign in, the site sends a challenge, your device answers it with the private key, and you approve with the same face, fingerprint or PIN that unlocks the device. Nothing secret is ever typed or sent, so there is nothing to phish and nothing for a breach to spill. This is the design the FIDO Alliance built across the industry, and it is why Google, Apple and Microsoft now offer it on ordinary accounts.

The catch is a new one. When the key to an account lives on your devices instead of in your head, losing those devices can mean losing the account. That is the real subject of this guide. Switching on a passkey takes a minute. Doing it without ever locking yourself out takes a little planning, and that planning is the part most write-ups skip.

The trade

You give up a secret you can remember and type anywhere, and in return you get a sign-in that cannot be phished, guessed or leaked. The price is that you become responsible for keeping more than one way back in. Set those up first and the trade is all gain.

Who this is for

Anyone with a Google, Apple or Microsoft account, on a phone or a computer. No terminal, no command line. If you have read Second Factor or Lock and Key, this is the natural next step, and the hardware key from those guides does double duty here.

01

What a passkey is, in plain terms

A passkey is a key your device holds and proves, instead of a secret you remember and type. That one change fixes most of what is wrong with passwords.

You already use this idea without naming it. Your phone unlocks with your face, and your bank app trusts that unlock. A passkey extends the same move to websites. The site no longer asks for a secret. It asks your device to prove it holds the right key, and your device does so only after you unlock it. The proof is different every time and works only on the genuine site, so there is nothing a fake page can copy and replay.

Because the private key never leaves your device, the usual attacks have nothing to grab. A breach of the company exposes only public keys, which cannot sign in. A fake login page gets no secret, because none is typed. A reused-password leak cannot spread, because there is no password to reuse.

                           | A password                                            | A passkey
what it is                 | a secret you type                                     | a key your device holds and proves
where it lives             | in your head or manager, and on the company’s server  | the private half stays on your device or key, only a public half on the server
can it be phished          | yes, you can be tricked into typing it on a fake site | no, it works only on the real site and nothing is typed
if the company is breached | the stored secret can be attacked                     | there is nothing on the server to sign in with
how you sign in            | type it, then often a second code                     | unlock your device with your face, fingerprint or PIN
what it counts as          | one factor, a code adds a second                      | already two factors in one step

Synced or device-bound

Passkeys come in two kinds. A synced passkey copies itself, encrypted, into your iCloud Keychain or Google account, so it follows you to a new phone. A device-bound passkey never leaves the one device that made it, which is what a hardware key holds. You want both: the synced kind for everyday ease, the device-bound kind as the anchor that depends on no cloud.

02

Keep a way back in

This is the section to read twice. A passkey moves the key to your account out of your memory and onto your devices, so the question that decides everything is what happens when a device is lost. Answer it before you switch, not after.

The trick is to give every important account more than one way to prove it is you, so no single loss can shut you out. Three ways cover almost everyone, and you saw them in the panel at the top.

One: the sync that follows you

When you make a passkey on a phone, it is stored, encrypted, in your iCloud Keychain on Apple or your Google account on Android. Apple’s copy is end-to-end encrypted with keys Apple itself cannot read, and rate limited so it cannot be brute-forced even from inside Apple. Lose the phone, sign in to the same account on a new one, turn its sync back on, and the passkeys return. The strength of this depends entirely on the account that holds the sync, so that account needs a strong, unique password in your manager and a second factor of its own.

Two: a hardware key that needs no cloud

A security key, the kind from Lock and Key and Second Factor, holds a passkey that lives nowhere but the key. It works with no phone, no internet and no company account in the middle. Register one on each of your main accounts and it becomes the steady anchor: the way in that still works when a phone is lost, a cloud account is locked, or you are on a borrowed computer. Keep it somewhere safe at home, not on the same keyring as your car keys.

Three: recovery codes on paper

Each of the big accounts can produce a short list of one-time recovery codes. Generate them, print them, and put them where you keep important documents. They need no device and no signal, and any one of them signs you in once if everything else fails. Treat the printout like cash, because anyone holding it can use it.

Do this before you switch

Set up at least two of these three on an account before you turn its password off or lean on the passkey. The most common way people lock themselves out is enabling a single passkey on a single phone, then losing the phone with nothing else in place. Having two ways in turns that disaster into a five-minute fix.

03

Switch your accounts, in order

Do them one at a time, email first. Each one is the same shape: make sure the password is safe, add the passkey, add the hardware key, save the recovery codes. The menus differ a little by company.

1
Start with email

Secure the account that resets the others

Your email address is the reset link for everything else, so it goes first. Open your password manager and confirm the account has a long, unique password saved. Check that its recovery phone and recovery email are ones you still control. Only then move on to adding a passkey, so you are building on solid ground rather than over a weak password.

2
Add your hardware key first

Set the anchor before the convenience

On each account, register your security key before anything else, so the cloud-independent way in is in place from the start. You add it the same way you add a passkey, choosing the security key when asked where to save. If you have two keys, as Lock and Key recommends, register both and keep the spare elsewhere.

3
Google

Turn on a passkey for your Google account

Go to your Google Account, open Security, and find Passkeys and security keys. Choose to create a passkey and approve with your device. On an Android phone, the screen-lock passkey is saved to Google Password Manager and syncs to your other Android devices. Google’s own page warns that once a passkey exists, anyone who can unlock that device can sign in, so keep a strong screen lock. While you are here, open 2-Step Verification and download a set of backup codes.

4
Apple

Turn on iCloud Keychain so passkeys sync and back up

On your iPhone, open Settings, tap your name, then iCloud, and make sure Passwords and Keychain is on. This is what stores and syncs the passkeys you create, and backs them up so you can recover them if you lose every device. Add a recovery contact under your Apple Account settings as a further way back in. Then, on a website that offers it, choose to create a passkey and it will be saved to your keychain.

5
Microsoft

Add a passkey to your Microsoft account

Sign in at your Microsoft account security settings and choose Add a new way to sign in or verify, then Face, Fingerprint, PIN, or Security Key. You can save the passkey to Windows Hello on your computer, to your phone, to a security key, or to your password manager. New Microsoft accounts now start without a password, and an older one can be set the same way once your passkeys are working.

6
Finish each one

Confirm a second way in, then move on

Before you call an account done, check that it has at least two ways back in: the passkey plus the hardware key, or the passkey plus saved recovery codes. Sign out and sign back in once with the passkey to be sure it works. Keep the password in your manager for now. Removing it is a later step, taken only when passkeys work everywhere you sign in.

A sensible order

Email first, because it resets the rest. Then anything with money, your bank and your main shopping account. Then social media, which is both valuable to an impersonator and well supported. You do not have to do them all in one sitting. Each account you switch is one fewer password worth stealing.

04

What changes day to day

Less than you might expect, and all of it in your favour. Signing in becomes a glance or a touch, and the pause to fish out a code disappears.

On your own phone or laptop, signing in is the unlock you already do. The site asks for the passkey, your device prompts for your face, fingerprint or PIN, and you are in. There is no password to remember for that site, no code to wait for, and no field for a fake page to harvest.

On a computer that is not yours, a friend’s laptop or a library machine, you do not type anything secret either. You choose to use a passkey from another device, the screen shows a QR code, and you scan it with your phone and approve with your face or fingerprint. The sign-in happens through your phone, and nothing is left behind on the borrowed machine.

When a site has no passkey option yet, you fall back to the password from your manager, exactly as before. Passkeys arrive site by site, and the two live side by side during the change-over. Nothing forces you to switch an account before you are ready.

Your screen lock is now the lock

Because a passkey is released by your device unlock, the strength of that unlock matters more than it used to. Use a real screen lock, not a four-digit PIN that is a birthday or four of the same number. This one habit carries most of the weight.

05

If you get stuck

Situation                               | What to do
new phone, passkeys missing             | Sign in to the same Google or Apple account and turn its sync back on, Google Password Manager or iCloud Keychain. The synced passkeys return on their own.
signing in on someone else’s computer   | Choose to use a passkey from another device, scan the QR code with your phone, and approve with your face or fingerprint. Nothing is stored on their machine.
a site only shows a password box        | Use the password from your manager. Passkeys are added site by site, and not every site offers one yet.
lost the phone and forgot the password  | Use your hardware key, or one of your printed recovery codes. This is exactly the case the two backups are for.
locked out of the whole account         | Use the account’s recovery: a recovery contact, your recovery codes, or for Apple the iCloud Keychain recovery with your Apple Account, a trusted-number code and your device passcode. Apple allows ten attempts before it stops, so go carefully.
a key blinks and waits                  | A hardware key wants a touch to confirm a real person is present. Tap its contact within a few seconds.

06

Common questions

The questions people ask before they trust a passkey with the account that runs their life.

If I create a passkey, is my password gone?

Not at first. On most big accounts, adding a passkey leaves the password in place as a fallback, and you sign in with whichever you prefer. Once passkeys work on every device you use, you can remove the password, or set the account to skip it. New Microsoft accounts now start without a password at all. Keep the password in your manager until you are sure you no longer need it.

What happens if I lose my phone?

Your passkeys are not stranded on the lost phone. Synced passkeys live in your iCloud Keychain or your Google account, so when you sign in to that account on a new phone and turn its sync back on, the passkeys return. This is why the account that holds the sync matters so much, and why it deserves a strong password and a hardware key of its own.

What if I lose all my devices at once?

This is what the second and third ways back in are for. A hardware key in a drawer signs you in with no phone and no cloud. Recovery codes do the same on paper. Apple can also rebuild your passkeys from iCloud Keychain recovery, which asks for your Apple Account, a code sent to a trusted phone number, and your device passcode, and allows ten attempts before it stops. Set up at least one of these before you switch an account, not after.

If someone steals my phone, can they get into my accounts?

Only if they can unlock the phone. A passkey is used by the same face, fingerprint or PIN that opens the device, so the lock on your phone is now the lock on your accounts. Google says this plainly: once you create a passkey, anyone who can unlock your device can sign in. Use a strong screen lock, and a PIN that is not a birthday or a repeated digit.

Do passkeys replace my password manager?

No, and you still want one. A manager stores passkeys as well as passwords, and most of your accounts will keep a password for a while yet. It also holds the strong, unique password for the account that syncs your passkeys, the one account you cannot afford to lose. The Lock and Key guide sets up a vault that a hardware key protects.

Is a passkey the same as two-factor authentication?

A passkey does the job of both in one step. A password plus a texted code is two separate checks, and the texted code can be phished or intercepted. A passkey is a single action that is already multi-factor by design: something you have, the device or key, unlocked by something you are or know, your face, fingerprint or PIN. It can replace the password and the code together.

Should I still keep a hardware security key?

Yes. A security key holds a passkey that depends on no company's cloud, so it is the steadiest way back in if you lose a phone or get locked out of an ecosystem. Hardware keys have held this kind of credential since 2019. If you followed Lock and Key or Second Factor you already own one, and adding it to these accounts takes a minute each.

Can a passkey still be phished?

Passkeys are phishing-resistant, which is a strong claim made carefully. A passkey is tied to the real website's address and proves itself without revealing anything, so a fake site cannot capture a code or a secret to reuse. There is nothing to type and nothing to hand over. The weak point is any password you leave switched on as a fallback, which is why hardening recovery matters as much as adding the passkey.

Which account should I switch first?

Your email. It is the address that resets every other account, so it is the one an attacker wants and the one you most need to keep. For most people that is the Google or Apple account on their phone. Secure it, add a passkey and a hardware key, then work outward to banking, then to social and shopping accounts.