How Does Apple’s Passkeys System Work and Why Is It Better Than Using Passwords?

Weak and reused passwords are among the “tools” hackers use most. Apple’s new “Passkeys” feature may be the way to protect against this.

At a Glance

Let’s face it, despite warnings to use secure and unique passwords from security experts, most of us reuse the same, easily crackable passwords across multiple websites and apps. When we do use unique passwords, they may be too complicated to remember and they’re still vulnerable to phishing scams. While we should all be using password managers to prevent password reuse and to help us recall our passwords, managers are just a way to patch the cracks in an outdated security system.

Fortunately, Apple, Google, Microsoft, Meta, PayPal, Visa, Mastercard, American Express, and several other companies have joined together to form the FIDO Alliance, which developed a remedy to our password-related security woes.

What is a Passkey?

A passkey offers a new way to log in to websites, apps, and services. Passkeys are designed to provide a faster, easier-to-use, and more secure way to log in than passwords.

Passkeys use public-key cryptography to create a single-use login credential to verify your identity and log in, rather than relying on a username and password entered by the user. This means that there is no password to remember, reuse, or have stolen by a hacker or a phisher.

While all this might seem complicated, don’t worry. All of this happens in the background and it actually makes it easier to log in to a website or app. And, you’ll never have to worry about having your password stolen.

How Do Passkeys Work?

Passkeys are part of a new web standard called Web Authentication or WebAuthn. WebAuthn uses public-key cryptography to verify your identity, which replaces the username and password combination used in the traditional login process. It is basically the same way secure messaging apps encrypt your conversations, and how online payments are processed to ensure your credit card information doesn’t get hijacked.

When you create an account on a website, service, or app, WebAuthn creates a unique pair of mathematically related keys. One key is called the public key, while the other is the private key.

The public key, which is not a secret, is stored on the service’s servers. If this key is somehow stolen or leaked, it won’t do hackers any good. Heck, you could post it on a public forum like Facebook and it still wouldn’t affect your security.

As for the private key, it is stored on your device and it remains a secret.

The next time you visit that website or use that app, it will make use of your account’s public key to create a challenge for your device. Since the public key and your private key are mathematically related, your device will be able to use its stored private key to solve the challenge. You are authenticated and logged in to the site or app without any sensitive information (like a password) ever changing hands. This means there is nothing to be phished or hacked, forcing the bad actors of the world to look elsewhere for something to steal.

All of this happens with very little effort on your part, as you have no password to remember and enter, and you never have to load your password manager app to log in. All that’s required of you is to unlock your account by entering a PIN or by using a biometric option like Touch ID or Face ID. When you do that, the public and private key information completes the authentication in the background.

Sounds great, right? And that’s how things will happen once passkey support becomes widespread on the web.

You see, passkeys only work with accounts that support them. Unfortunately, that support is currently limited to major websites, like Google, PayPal, Adobe, TikTok, Microsoft, and a few others. However, additional support is rolling out on a regular basis.

What Devices Offer Support for Passkeys?

Passkey support is still in its early days. Since passkeys are created on a specific device, they cannot be shared with other devices as easily as passwords are. While solutions are being worked on, passkeys are not currently a cross-platform-friendly solution like passwords and password managers.

Currently, Apple has added passkey support to its iPhone, iPad, and Mac devices, Google supports it on Android devices (and is working on bringing it to ChromeOS), and Microsoft supports a limited version of passkeys in its Edge browser.

Apple Passkeys Support

Apple currently supports passkeys on iPhones running iOS 16 or later, iPads running iPadOS 16 or later, and Macs running macOS Ventura or later, providing the most complete passkey implementation around today. Apple syncs passkeys via iCloud Keychain, meaning that if you were to create a passkey on your iPhone, it will also be available on your Mac and iPad. There is a catch to all of this convenience, as you are required to use Safari to benefit from this cross-Apple device compatibility.

Windows Passkeys Support

Windows supports passkeys on computers running Windows 10 and Windows 11 in the Edge, Chrome, Firefox, and Brave browsers through Windows Hello. Unfortunately, Microsoft hasn’t come up with any kind of syncing or backup for it. So, at this time you can only log in with the passkey on the computer you set it up on. The next major Windows update is expected to include Passkeys sync support.

Google Passkeys Support

Google offers support for passkeys on devices running Android 9 or later. The passkeys are synced via the Google Password Manager, making them also available on other Android 9 or higher devices. Support is on the way for ChromeOS devices.

How to Create and Use Passkeys

Passkeys are designed to be easy to create and easy to use. The process of setting one up should be similar across devices. If you’d like to familiarize yourself with the process, you can create a demo passkey on the Passkeys.io website. The website demo shows how easy it is to create a passkey and you don’t have to think of a secure and unique password (or reuse one from another website).

How to Create a Passkey for a New Account

If you don’t feel like creating a demo passkey, I will explain how it all works.

When you visit a website that offers passkey support to create a new account, you’ll see a button that will say “Sign in with a passkey,” “Sign up with a passkey,” or something similar.

You’ll likely need to enter your email address. While it isn’t required for passkey validation, websites will still want it so they can send you emails. You can enter a disposable email address if you’d like. After you enter the email address and click the button, you’ll need to confirm your identity by either entering a PIN or using biometrics, like Touch ID or Face ID.

That’s all it takes.

How to Create a Passkey for Existing Accounts

If you already have an account with a website or service that can use passkeys, you’ll need to log in and add a passkey to your account, somewhere in your account settings. The website will usually walk you through the process or you’ll find how in the website’s support section.

How to Sign In Using Cross-Device Authentication

When you’re using passkeys, you’ll be able to sign in to your accounts on other devices (like your work computer or another smartphone) by using cross-device authentication.

To log in, click “Sign in with passkey,” then click “Other sign in options.” (The wording may be slightly different.) You’ll then see a QR code on the screen. Scan that QR code with your passkeys-enabled device, such as your Android or iPhone smartphone, which will verify your identity on your smartphone, allowing you to log in on the other device.

Will Passkeys Completely Replace Passwords?

While passkeys definitely appear to be an excellent solution to password reuse, hacking, and phishing, the technology has a way to go before it’s truly ready for prime time.

Passkeys are a much more secure alternative to old-fashioned passwords, while also providing an improved user experience. I myself have begun switching my accounts over to use passkeys, wherever they are available. (In the interest of full disclosure, I am fully invested in the Apple ecosystem, using an iPhone, iPad, Mac, Apple Watch, and several other Apple devices.)

While passkeys are a more secure way to log in to your online accounts, passkey support isn’t quite there yet.

Currently, only Apple offers genuine passkey support across its smartphones, tablets, and computers. Microsoft and Google are also working on sync support, but there will still likely be some issues in syncing between operating systems, at least for the short term. Look for password managers like 1Password to at least partially solve this issue. Until then, it will likely be a bit of a pain if you move from the iPhone to an Android phone or switch from macOS to Windows.

While device makers and operating system companies are working on passkey support, we still need quite a few more websites and services to adopt passkeys in place of passwords. We will see the situation improve over the next few years, as passkey support will expand, allowing you to better protect your most sensitive accounts.

Passkeys FAQs

Are Passkeys a Complete Replacement for Passwords?

Passkeys are a replacement for passwords. They don’t simply hide your password like some password authentication solutions do. The public and private keys used in the process, combined with the authentication you provide via a PIN or biometrics (your fingerprint, face, or eye), allow passkeys to take passwords completely out of the login process.

Will Passkeys Completely Replace Passwords?

While there will always be websites, apps, and services that continue to require passwords, passkeys will likely replace passwords on the majority of sites and services. However, it will take at least a few years for that to happen.

Short term, most users will be using a combination of passkeys and passwords, as sites transition to passkeys. But, as tools are developed to make it easier to implement passkeys, developers will begin to add the technology to their apps and websites.

Is the Same Passkey Used Across All of My Accounts?

No. A unique passkey is required for each account. It’s much like the ring of keys you may carry in your pocket or purse. You don’t use the same key to unlock your front door as you do your vehicle’s door. Luckily, it only takes a few seconds to create a passkey for an account, as the heavy lifting is performed in the background, with little to no effort on the user’s part.
