With data breach numbers growing more dire each year, the need for strong authentication is more critical than ever. Enter passkeys — a modern solution for secure authentication that provides a more convenient way to access apps and websites without ever having to remember or type out a password. Today, we’re explaining what passkeys are, how they work, and why they're considered the future of authentication.
What are passkeys?
Passkeys are digital credentials that use a device like a phone, laptop, or tablet to authenticate users’ login attempts. They’re a more secure and convenient alternative to traditional credentials, consisting of a username and a password, and are generally considered phishing resistant.
Lauded by cybersecurity experts as the authentication technology set to replace passwords, passkeys have been in development for the better part of a decade by members of the FIDO Alliance, the association focusing on creating passwordless authentication models. Organizations working on passkeys include tech giants like Apple, Microsoft, and Google.
How do passkeys work, and how do they differ from passwords?
Passkeys use biometrics to make logging in as easy as unlocking your phone. From the user’s standpoint, it can feel like skipping the password step of the login process altogether and hopping straight into multi-factor authentication. To understand how passkeys improve the login process, we need to understand the security vulnerabilities of password technology.
Password technology explained
Password-based authentication is relatively straightforward — you create a password for a new account, which is then stored in an encrypted format on a server. When you use the password to access the account, the system compares it against the one in its database. If they match, you’re good to go. Simple, right?
There’s a catch. This type of user authentication presents quite a few serious security concerns. People tend to reuse simple and easy-to-crack passwords for multiple accounts. Breaching one password puts all accounts it’s tied to at risk, handing a hefty data package straight to hackers. Verizon’s 2025 Data Breach Report notes that around 60% of successful breaches are attributed to human involvement, primarily related to phishing and credential abuse.
Passkey technology explained
When you sign up for an online service that supports passkey authentication, two keys are generated — a public one and a private one. Both are used to authenticate the user when logging in. The public key is stored on the website’s server, while the private key is stored on the user’s device. Without each other, the two keys are useless.
Upon logging in, the server sends a request (a challenge) to the device, which answers it using the private key of the related passkey. The user’s identity is also verified on the device level via biometrics. If the response checks out against the public key stored on the server, meaning the pair of keys matches, the user gains access to their account.
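The exchange described above, sketched as an added example (not NordPass or FIDO Alliance code): a simplified model of passkey sign-up and login using Node's built-in crypto module, showing which checks make a response valid only for the right site, challenge and key. The JSON message layout, the function names and the example origins are assumptions made for illustration; real WebAuthn uses a different wire format.

```javascript
// Added example: simplified model of passkey sign-up and login.
// The message layout, names and origins are constructed; this is not the WebAuthn wire format.
const crypto = require('node:crypto');

// Device side: generate the key pair at sign-up; the private key stays on the device.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the server's challenge together with the origin the browser sees.
function signAssertion(privateKey, challenge, seenOrigin) {
  const clientData = JSON.stringify({
    challenge: challenge.toString('base64url'),
    origin: seenOrigin,
  });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: a fresh random challenge per login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Server side: holds only the public key; checks origin, challenge, then signature.
function verifyAssertion(publicKey, expectedOrigin, challenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false; // signed for another site
  if (data.challenge !== challenge.toString('base64url')) return false; // stale or replayed
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const origin = 'https://shop.example'; // constructed origin
  const device = createPasskey();
  const storedPublicKey = device.publicKey; // all the server keeps after sign-up
  const c1 = newChallenge();
  const c2 = newChallenge();
  const good = signAssertion(device.privateKey, c1, origin);
  const lookalike = signAssertion(device.privateKey, c2, 'https://shop-example.test');
  const stranger = signAssertion(createPasskey().privateKey, c2, origin);
  return {
    login: verifyAssertion(storedPublicKey, origin, c1, good),
    replayed: verifyAssertion(storedPublicKey, origin, c2, good),
    otherSite: verifyAssertion(storedPublicKey, origin, c2, lookalike),
    otherKey: verifyAssertion(storedPublicKey, origin, c2, stranger),
  };
}

console.log(demo());
```

Only the first check succeeds: a response captured earlier, one produced on a different origin, and one signed by a different private key are all rejected, even though the server never holds anything secret.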
Why are passkeys better than passwords?
Passkeys are widely considered a more secure and convenient form of authentication than passwords. The user doesn’t need to reset a passkey during login attempts, as they would if they forgot their account password. Setting up a passkey reduces the risk of forgetting or reusing passwords and protects you against phishing attacks because passkeys can’t be stolen from a device by a malicious actor. Once a passkey is created, it’s saved in its related device. Even if a cybercriminal acquires one key, they can’t gain access to the account without its matching pair.
Unlike passwords, which use strings of plaintext characters, typed by the user or generated via a password generator, passkeys use system-generated cryptographic keys. Such keys are harder to breach than regular passwords. Each public and private key is unique, whereas even a complex password may be duplicated by a user who types out the same combination.
Passkeys also have industry expertise and trust on their side. Thanks to the involvement of the FIDO Alliance, passkey technology is being perfected by cybersecurity professionals with decades of experience. As passkey adoption spreads, this technology will become the default security alternative to the passwords we’ve grown accustomed to.
Will passkeys replace passwords?
As a passwordless alternative, passkey technology shows a strong potential to become the new normal. Thanks to its convenience and security, the era of passwords may be creeping towards its end. However, before it happens, major platforms, services, and apps must introduce passkeys as the default authentication method.
Where can you use passkeys?
Passkey adoption is still in its early stages. It isn’t yet widespread, so you might not be able to find this authentication method in the security settings of some of your favorite apps. However, new platforms continue to join the list of passkey-compatible authentication providers.
At the time of writing, passkeys are already supported by over a hundred digital service providers, including Amazon, PayPal, Nintendo, Shopify, and GitHub. Both iOS and Android devices added third-party passkey support in their respective OS updates back in 2023, allowing users to store and manage passkeys on their phones and tablets using their preferred service provider.
Current limitations
Currently, passkey use faces two key restrictions — platform support and device compatibility. Passkeys are still available on a very limited number of apps and websites, preventing users from choosing them as their primary authentication method. Passkeys can be tricky for developers to implement in their services, which slows down mainstream adoption and usability.
Even when you can use a passkey, how you manage it can be restricted. For a while, Apple and Android devices would only support native passkeys, blocking access to third-party passkey management apps. This can limit users’ options and discourage them from choosing passkeys, especially if they plan to switch devices in the near future.
Device-related limitations don’t end here. Passkeys are only available on Android devices starting with version 9.0 and Apple devices starting with iOS 16. If your device is older, you can’t use it for passwordless authentication.
In addition to technical restrictions, passkeys face the challenge of obscurity. Many users haven’t heard of passwordless authentication yet, let alone figured out how it works. Explaining a line of random characters to a random person on the street is easier than going into the process of two cryptographic keys. Even if it offers a higher level of data protection, passkey technology may seem too intimidating and complex to a user who just wants to log in to their Facebook account or do their online shopping without overthinking security.
Store passkeys with NordPass
For NordPass, the passwordless future has already begun. We’re ready and determined to make your transition from passwords to passkeys as smooth and easy as possible. You can store and manage your passkeys in NordPass and use them to access your favorite apps and websites. NordPass is available on all major browsers, including Chrome, Firefox, and Safari, as well as iOS and Android devices, and syncs your passkeys across all your devices, allowing you to safely share passkeys whenever needed.
You can easily change your existing passwords to passkeys with NordPass:
1. Go to the “Passkeys” tab in the NordPass sidebar and select a password that can be swapped for a passkey.
2. Select “Create Passkey.” You will be redirected to the adjacent website.
3. From there, follow the required passkey verification steps to change your preferred login method from a password to a passkey. These may vary based on the website.
4. You will see a NordPass pop-up prompting you to create the passkey. Select “Create.”
5. You may be prompted to enter your NordPass Master Password or use biometrics to verify this change.
6. You can now find the passkey in your NordPass vault.
Next time you log in to your account with a passkey, you’ll verify the login attempt by entering your Master Password or using biometrics in NordPass. If you have more questions about how passkeys work in NordPass, please consult our dedicated Help Center article.
FAQ
Password managers like NordPass allow users to store and manage passkeys.
If you use a native or third-party credential manager, your passkeys will be synchronized, allowing you to access them when you log in to the management service. Services that support passkeys will also let you use your most recent password as an alternative login method.
Creating a passkey doesn’t override common account recovery methods, like email or phone number verification, multi-factor authentication, or one-time passwords. You can use the same methods to recover a passkey-protected account as you would with a password-protected account. However, recovery options may vary based on the selected service.
Passkeys do not expire. However, the associated service using the passkey might require periodic re-authentication or updates.
Passkeys use cryptographic keys that are deliberately separated into two, making them highly resilient against brute-force attacks and other hacking attempts.