Passkeys are the consumer name for the passwordless authentication standard built on FIDO2/WebAuthn cryptography. Each passkey is a public-private keypair generated on the device, with the public key registered to the service and the private key held in the device’s secure storage (Apple Keychain with iCloud sync, Google Password Manager, Microsoft Hello, password managers like 1Password and Bitwarden). The user authenticates with biometric or device PIN; the cryptographic protocol handles the rest.
What it means in practice
Passkeys are the structural replacement for passwords plus 2FA in services that support them. The cryptographic model is identical to FIDO2 hardware keys: domain-bound credentials, phishing-resistant by design, no shared secret to leak in a breach. The differentiator from hardware keys: the credential lives in a software-managed keystore (Apple, Google, Microsoft, password manager) rather than a physical device, with sync enabled by default for cross-device access. The trade-offs: the keystore becomes the new master key (compromise of the Apple ID, Google Account, or password manager compromises every passkey it holds), the sync mechanism crosses platforms unevenly (Apple-to-Apple is seamless, cross-platform is improving but uneven), and the recovery flow when the keystore is lost varies in operational quality. The 2024-26 adoption curve: most major services (Google, Microsoft, Apple, Amazon, GitHub, dozens more) support passkeys; many users have not yet enrolled them.
Where it shows up
Available on: Apple devices via iCloud Keychain (iOS 16+, macOS 13+), Android via Google Password Manager, Windows via Hello, password managers including 1Password, Bitwarden, Proton Pass. Supported by services: Google, Microsoft, Apple, Amazon, GitHub, Cloudflare, Shopify, eBay, PayPal, dozens more by 2026 with rapid adoption growth. Defends against: credential phishing (the cryptographic binding to domain), credential stuffing (no shared secret to leak), database breaches (only public keys are stored server-side; a breach reveals nothing useful). Less effective against: malware on the unlocked device that uses the authenticated session, supply-chain compromise of the keystore vendor, and the structural threat that the keystore becomes the new master key whose compromise cascades.
What you can change today
Enable passkeys on your top 5 services. Google Account: account.google.com, Security, Skip password when possible, set up passkey on each device. Apple ID: Settings, Apple ID, Sign-In and Security, Account Recovery, set up passkey. Microsoft: account.microsoft.com, Security, Set up passwordless. GitHub: Account, Security, set up passkeys. Bitwarden or 1Password: passwordless login via passkey on supported services through the manager. Carry hardware keys (YubiKey) as the backup for accounts that support hardware-key-as-passkey, so a compromised software keystore does not lock you out. The migration takes 30-60 minutes; the result is a authentication posture that defeats most credential-related attacks structurally.
