Passwordless Security

What Are Passkeys and How to Use Them

A plain-language guide to passkeys — the password replacement backed by Apple, Google, and Microsoft. Learn what they are, why they are more secure, and how to set them up on every major platform.

Secure Your Accounts

99.9%fewer account compromises with passkeys

15B+accounts support passkeys globally

0passwords to remember or steal

3 secaverage sign-in time with passkeys

What Is a Passkey?

A passkey is a replacement for your password. Instead of typing a password that can be guessed, stolen, or phished, you sign in using your fingerprint, face, or device PIN — the same unlock method you already use on your phone or laptop.

Behind the scenes, your device creates a unique cryptographic key pair:

Private Key

Stays on your device and is never shared with anyone. Your device proves it holds this key without ever sending it. A fake login page gets nothing.

Public Key

Stored by the website or app. This is useless without the private key on your device — even if an attacker hacks the server, they get nothing useful.

How Passkeys Work (Simple Explanation)

Create a Passkey

The website asks your device to generate a key pair. You confirm with your fingerprint, face, or PIN.

Website Stores Public Key

This is like giving the website a lock. Only your device has the key to open it.

Sign In Securely

The website sends a challenge. Your device signs it with the private key after biometric confirmation. You are in.

Why Passkeys Are More Secure Than Passwords

Attack	Passwords	Passkeys
Phishing (fake login page)	User enters password, attacker steals it	Passkey only works on the real website — fake pages are ignored
Credential stuffing	Attacker tries leaked passwords from other sites	Each passkey is unique per site — cannot be reused
Brute force (guessing)	Attacker guesses weak passwords	No password exists to guess
Keylogger	Records your password as you type	Nothing useful to record — biometrics are not transmitted
SIM swap (bypass SMS MFA)	Attacker steals phone number to intercept codes	Passkey does not use SMS — tied to your physical device
Database breach	Attacker steals hashed passwords from the server	Server only stores the public key — useless without your device

Where Can You Use Passkeys?

As of March 2026, over 15 billion accounts across major platforms support passkeys. Here are the most common services:

Consumer Platforms

Google — myaccount.google.com > Security > Passkeys
Microsoft — mysignins.microsoft.com > Security info
Apple — Built into iCloud Keychain (iOS 16+, macOS Ventura+)
Amazon — Account > Login & security > Passkeys
GitHub — Settings > Password and authentication > Passkeys
PayPal — Settings > Security > Passkeys
LinkedIn, X, WhatsApp, Adobe, Shopify — Full support

Business and Enterprise

Microsoft Entra ID — Device-bound and synced passkeys
Okta — Full support
AWS — Full support (IAM Identity Center)
Salesforce — Full support
Cloudflare — Full support

Password managers: Bitwarden, 1Password, Google Password Manager, and iCloud Keychain all store and sync passkeys across devices.

For a complete, up-to-date list of services supporting passkeys, visit passkeys.directory — a community-maintained directory of every service with passkey support.

How to Set Up Passkeys

On Windows 11

Windows 11 supports passkeys natively through Windows Hello.

For Websites (Browser-Based)

Go to a website that supports passkeys (e.g., Google, Microsoft, GitHub)
Find the passkey/security option in your account settings
Click Create a passkey or Add a passkey
Windows will prompt you with Windows Hello — use your fingerprint, face, or PIN
Done — the passkey is stored in Windows Hello on your device

For Your Microsoft Account

Go to mysignins.microsoft.com
Click Security info > Add sign-in method
Select Passkey (Windows Hello)
Confirm with your fingerprint, face, or PIN
Next time, choose Sign in with Windows Hello or a security key

Manage passkeys on Windows:Go to Settings > Accounts > Passkeys to view and manage all passkeys stored on your device.

On iPhone (iOS 16+)

Apple stores passkeys in iCloud Keychain and syncs them across all your Apple devices.

Open Safari and go to a site that supports passkeys
When creating an account or adding a passkey, tap Continue when prompted
Authenticate with Face ID or Touch ID
The passkey is saved to iCloud Keychain automatically
It syncs to your iPad, Mac, and other Apple devices

On Android

Android stores passkeys in Google Password Manager and syncs across your Google account.

Open Chrome and go to a site that supports passkeys
When prompted to create a passkey, tap Create
Authenticate with your fingerprint or screen lock
The passkey is saved to Google Password Manager
It syncs to other Android devices and Chrome on desktop

On macOS

Open Safari (or Chrome) and go to a site that supports passkeys
When prompted, click Create a passkey
Authenticate with Touch ID or your Mac password
The passkey is stored in iCloud Keychain and syncs to your other Apple devices

Using a Hardware Security Key (FIDO2)

A hardware key (YubiKey, Google Titan, Feitian) is a physical device that stores your passkey. Best for high-security accounts.

Purchase a FIDO2-compatible security key
Go to your account security settings and select Add a security key
Insert the key into USB (or tap for NFC) and set a PIN when prompted
Touch the key sensor to confirm — done

Why hardware keys are the most secure option: The passkey cannot be extracted from the key — even if someone has your PIN, they need the physical key. Ideal for admin accounts, financial accounts, and high-value targets.

Migrating From Passwords to Passkeys

Passkeys do not replace all your passwords overnight. Here is a practical migration approach:

Secure Critical Accounts

Email (Google, Microsoft, Apple)
Password manager (Bitwarden, 1Password)
Banking and financial services
Social media and work accounts

Add Passkeys Gradually

Every time you log into a service and see a "Create a passkey" prompt, take 30 seconds to set it up. Over time, most of your accounts will have passkeys.

Remove Passwords

Some services now allow you to delete your password entirely after setting up a passkey. Google and Microsoft both support this.

Before removing your password, ensure you have at least two passkeys as backup (e.g., phone + security key).

Passkeys for Businesses

Why IT Admins Should Care

Eliminates password-related helpdesk tickets — no more forgotten password resets
Stops phishing attacks — passkeys cannot be entered on fake websites
Reduces credential theft risk — no passwords to steal in a breach
Meets compliance requirements — NIST, CMMC, and CISA recommend phishing-resistant auth

Recommended Rollout

Week 1

IT admins and security team

Week 2-3

Executives and finance team

Month 2

All employees (voluntary)

Month 3-4

All employees (required for sensitive apps)

Deploying Passkeys in Microsoft 365

Go to entra.microsoft.com > Protection > Authentication methods > Policies
Enable FIDO2 security key and/or Microsoft Authenticator (passkey)
Assign to a pilot group first, then expand to all users
Create a Conditional Access policy with authentication strength set to Phishing-resistant MFA

Common Questions

What if I lose my phone?

If your passkeys are stored in iCloud Keychain, Google Password Manager, or a password manager like Bitwarden, they sync across devices. Sign in on another device and your passkeys are still there. Best practice: Always have at least two ways to sign in — a passkey on your phone and a passkey in a password manager or on a security key.

Are passkeys the same as FIDO2?

Yes — passkeys are built on the FIDO2 standard (WebAuthn + CTAP). "Passkey" is the user-friendly name that Apple, Google, and Microsoft agreed on. Technically, every passkey is a FIDO credential.

Can passkeys be hacked?

No known practical attack can steal a passkey remotely. The private key never leaves your device and cannot be extracted. The only attack vector is physical theft of your device combined with breaking your biometric or PIN — which is orders of magnitude harder than stealing a password.

Can I use passkeys and passwords at the same time?

Yes. Most services let you keep your password while also adding a passkey. When you sign in, you can choose either method. Over time, you can transition to passkey-only.

Ready to Go Passwordless?

CyberITEX can help you deploy passkeys across your organisation, configure phishing-resistant MFA in Microsoft 365, and eliminate password-based attacks. Set up takes less than a day for most small businesses.

Email Security Services Contact Us

Get Security Insights Delivered

One email per month with our best articles. No spam.