The login box is changing. As of 2026, the FIDO Alliance counts 5 billion passkeys in active use, and the average passkey sign-in finishes in 8.5 seconds versus 31.2 seconds for the password-plus-code routine most of us still tolerate. Passwords, meanwhile, remain the single most reliable way for attackers to get in. So the question is no longer academic. Passkeys vs passwords is now a practical decision for every individual, family, and security team.

This comparison breaks down the cryptography, the benchmarks, the pricing, and the real deployments behind both systems. We pulled adoption data from the FIDO Alliance, breach economics from IBM and Verizon, and sign-in numbers from the FIDO Passkey Index. We weigh the security model honestly, including where passkeys still frustrate users. By the end you will know exactly which option fits your accounts, your company, and your threat model in 2026.

Passkeys vs Passwords: The 2026 Verdict at a Glance

Here is the short version before we dig in. Passkeys win decisively on security and speed. They are phishing resistant by design, they cannot be reused across sites, and they cannot be stolen in a server breach the way a password hash can. Passwords win on universality and recovery simplicity. Every device, browser, and legacy system on earth still accepts a typed string, and resetting one is a familiar, if insecure, ritual.

For most consumers and businesses in 2026, the right answer is to adopt passkeys wherever a service offers them and keep a strong, unique password as a fallback for the long tail of sites that have not caught up. The table below sets the scene with the headline numbers we expand on throughout this guide.

Headline metricPasskeysPasswordsSource
Active credentials worldwide (2026)5 billion passkeysBillions, reused and uncountedFIDO Alliance State of Passkeys 2026
Average sign-in time8.5 seconds31.2 secondsFIDO Passkey Index
Sign-in success rate93%63%FIDO Passkey Index
Phishing resistantYes, bound to originNo, can be typed anywhereFIDO Alliance
Reusable across sitesNo, unique key pair per serviceYes, and widely reusedW3C WebAuthn
Stealable in a server breachNo, only public key storedYes, hashes and plaintext leakIBM Cost of a Data Breach 2025
Human element in breaches (2025)Removes the typed secret60% of breachesVerizon DBIR 2025

What Is a Passkey? How FIDO2 and WebAuthn Work

A passkey is a cryptographic credential built on the FIDO2 standards, specifically the W3C WebAuthn API and the Client to Authenticator Protocol. Instead of a shared secret that you and the server both know, a passkey is a public and private key pair. The private key never leaves your device. The server only ever holds the matching public key, which is useless to an attacker on its own.

The flow has two ceremonies. During registration, you sign in and ask the service to add a passkey. The server, known in the spec as the relying party, sends a random challenge. Your authenticator (the secure chip in your phone, laptop, or a hardware key) generates a fresh key pair scoped to that exact domain. It keeps the private key and returns the public key plus an optional attestation object that describes the authenticator model. The service stores the public key against your account.

During authentication, the server sends a new random challenge. Your authenticator unlocks the private key after a local gesture (Face ID, a fingerprint, or a PIN) and signs the challenge, producing an assertion. The server verifies the signature with the stored public key. Because the key pair is bound to the real domain, a fake lookalike site cannot trigger a valid signature. That single property is why passkeys are phishing resistant in a way no password can be.

The Cryptography Behind a Passkey

Most passkeys use elliptic curve cryptography, typically ECDSA over the NIST P-256 curve, with EdDSA and RSA also permitted by the spec. The local biometric or PIN never travels to the server. It only unlocks the private key on the device, so your fingerprint is not a credential the relying party ever sees. If you want to understand the underlying signing mechanism in depth, our explainer on digital signatures walks through how a private key proves identity without revealing itself.

// Browser-side WebAuthn authentication (simplified)
const assertion = await navigator.credentials.get({
  publicKey: {
    challenge: serverChallenge,        // random bytes from the server
    rpId: "example.com",               // bound to this origin only
    userVerification: "required",      // biometric or PIN gesture
    allowCredentials: [{ id: credId, type: "public-key" }]
  }
});
// The signed assertion goes back to the server, which verifies it
// against the stored public key. The private key never leaves the device.

What Is a Password? Why a 60-Year-Old Model Keeps Failing

A password is a shared secret. You memorize a string, the server stores a representation of it, and at login you both compare notes. The model dates to the 1960s and it has one fatal flaw that no amount of policy can fix: the same secret has to exist in two places, your head and the server, and it travels across the network every time you use it. Anything that can intercept, guess, phish, or leak that string owns your account.

Modern systems do not store passwords in plaintext if they are built correctly. They store a slow, salted hash produced by an algorithm such as Argon2, bcrypt, or scrypt. Our guide to Argon2 password hashing shows how that defense works and why it raises the cost of cracking. Hashing helps enormously after a breach, but it does nothing to stop phishing, credential stuffing, or a user who picks the same password for 30 sites.

The numbers tell the story. In the Verizon 2025 Data Breach Investigations Report, 60% of breaches involved the human element, and 22% involved stolen credentials. IBM’s 2025 Cost of a Data Breach report put the global average breach at $4.44 million and the United States average at $10.22 million, with phishing the single most common cause at 16% of breaches. Breaches that begin with stolen credentials take roughly 246 days to identify and contain. Passwords are not failing because users are careless. They are failing because the design asks a human to be a perfect secret keeper, forever, against industrialized attackers. For the practical defense playbook while passwords still matter, see our guide to password security.

Passkeys vs Passwords: Full Specs Comparison

This is the detailed head-to-head. The table covers the dimensions that actually decide which credential you should trust with your bank, your email, and your company’s admin console. Read it as a scorecard: passkeys lead on every security row, passwords lead only on compatibility and the familiarity of recovery.

SpecificationPasskeysPasswords
Underlying technologyFIDO2, WebAuthn, public key cryptographyShared secret string
What the server storesPublic key onlySalted hash (best case) or plaintext (worst case)
Secret transmitted over networkNeverEvery login
Phishing resistanceStrong, cryptographically bound to originNone
Credential stuffing riskEliminated, no reusable secretHigh, reuse is rampant
Brute force or guessing riskInfeasible, 256-bit keyReal for weak or common passwords
Breach exposurePublic key leak is harmlessHashes crackable, plaintext catastrophic
User memory burdenNone, biometric or PIN gestureHigh, dozens of unique strings
Average sign-in time8.5 seconds31.2 seconds
Cross-platform supportBroad and improving, some friction remainsUniversal
Legacy system supportLimited, requires WebAuthnWorks everywhere
Account recoveryProvider dependent, can be hard if all devices lostFamiliar reset flow, but insecure
Works offline on one deviceYes, device-bound optionYes
Two-factor by defaultYes, possession plus biometric or PINNo, needs a separate 2FA layer

Notice the last row. A passkey is inherently multi-factor: it combines something you have (the device holding the private key) with something you are or know (the biometric or PIN that unlocks it). A password is single-factor unless you bolt on a second step. If you are still on passwords, layering on two-factor authentication is the highest-value upgrade you can make today.

Security Head to Head: Phishing, Stuffing, and Breaches

Security is where the comparison stops being close. Consider the three attacks that drive most account takeovers and how each credential holds up.

Phishing. A password is just a string, so if an attacker tricks you into typing it on a convincing fake page, they now have it. IBM ranked phishing as the most common breach cause in 2025 at 16% of incidents. A passkey cannot be phished this way because the private key only signs challenges for the genuine domain it was created on. Type your way into a lookalike site and the authenticator simply has no matching key to offer. Our primer on phishing attacks shows how convincing these pages have become, which is exactly why a credential that ignores the visual trick matters.

Credential stuffing. Because people reuse passwords, attackers buy leaked username and password pairs from one breach and replay them across hundreds of sites. Verizon’s 2025 report kept stolen credentials at 22% of breaches for a reason. Passkeys generate a unique key pair for every single service, so there is nothing to replay. A leak from one site reveals nothing usable anywhere else.

Server breaches. When a password database leaks, attackers run offline cracking against the hashes. Weak or fast-hashed passwords fall in hours. When a passkey-enabled service is breached, attackers get a pile of public keys, which are designed to be public and cannot be used to sign anything. The asymmetry is the whole point. The Verizon 2026 DBIR even reported that 31% of breaches now begin with software vulnerabilities, overtaking stolen passwords as the top entry method, partly because passwordless adoption is closing the credential door. Passkeys do not make you invincible, but they remove the cheapest, most scalable attacks from the menu entirely.

Benchmarks: Sign-In Speed and Success From 3 Sources

Speed and reliability are not soft metrics. Every failed login is a support ticket or an abandoned cart. We gathered measured results from three sources: the FIDO Passkey Index (an aggregate from member companies), Amazon’s published customer data, and the FIDO Alliance enterprise report.

BenchmarkResultSource
Average passkey sign-in time8.5 secondsFIDO Passkey Index
Average legacy sign-in time31.2 secondsFIDO Passkey Index
Sign-in time reduction with passkeys73%FIDO Passkey Index
Passkey sign-in success rate93%FIDO Passkey Index
Other-method sign-in success rate63%FIDO Passkey Index
Amazon passkey sign-in speed6x quicker than passwordsAmazon (via FIDO Alliance)
Reduction in login help desk incidents81%FIDO Passkey Index
Reduction in password-reset support costs~85%Vision Training Systems

The pattern is consistent across all three sources. Passkeys are roughly three times faster to use and convert about 30 percentage points more sign-in attempts into success. The legacy 31.2-second figure is not just typing a password. It bundles in the modern reality of email verification, SMS one-time codes, and social logins that fail or time out. The FIDO Alliance enterprise report attributes a 77% positive impact on help center call volume and a 73% positive impact on productivity to passkey rollouts, alongside 90% positive impact on security and 82% on user experience. For a business, the help desk savings alone often pay for the migration.

Adoption in 2026: 5 Billion Passkeys and Counting

Two years ago, passkeys were a promising standard with thin real-world traction. That has changed. The FIDO Alliance’s State of Passkeys 2026 report, released around World Passkey Day in May 2026, marked the moment passkeys reached genuine mainstream scale.

  • 5 billion passkeys are now in active use worldwide.
  • 90% of people are aware of passkeys, up sharply year over year.
  • 75% of people have enabled a passkey on at least one account.
  • 49% of people use passkeys regularly whenever they are available.
  • 68% of organizations have deployed, are piloting, or are rolling out passkeys for employees.
  • On the FIDO Passkey Index, 93% of accounts are eligible for passkeys, 36% have one enrolled, and 26% of all sign-ins now use a passkey.

The enterprise side moved even faster than consumers. A separate FIDO Alliance enterprise survey found 87% of decision makers report deploying passkeys at their companies, with 47% using a mix of device-bound and synced passkeys to balance portability against control. The motivation is not abstract. The same research found one in three people (33%) experienced an account compromise or received a breach notification in the past year, and 47% are likely to abandon a purchase or sign-in when they cannot remember a password. Passkeys fix both the security problem and the abandonment problem at once, which is why adoption curves are bending upward rather than plateauing.

Real-World Deployments: Amazon, Google, GitHub, and More

Numbers in a report only matter if real services ship them. Here are five concrete deployments that show passkeys working at scale in 2026.

  • Amazon. The clearest data point of all. Amazon reported 465 million customers now using passkeys, and said passkey sign-in is roughly six times quicker than a traditional password. At Amazon’s scale, that is one of the largest passwordless rollouts in consumer history.
  • Google. Google made passkeys the default sign-in option for personal Google accounts and supports them across Android and Chrome through Google Password Manager, syncing across a user’s devices at no cost.
  • Microsoft. Microsoft pushed aggressively toward a passwordless default, supporting passkeys through Windows Hello and the Microsoft Authenticator app for both consumer and Entra ID work accounts.
  • GitHub. The developer platform supports passkeys for account sign-in, letting engineers replace password-plus-2FA with a single biometric gesture, which matters for accounts that gate source code and CI pipelines.
  • PayPal and major retailers. PayPal was an early passkey adopter for consumer logins, and retailers including Best Buy and others have added passkey support to cut cart abandonment tied to forgotten passwords.

The common thread is that these are not pilots. They are production sign-in flows serving hundreds of millions of people, and the operators kept passwords available as a fallback rather than forcing a hard cutover. That hybrid approach is the realistic path for 2026, and it is the one we recommend for your own accounts.

Synced vs Device-Bound Passkeys: Which to Choose

Not all passkeys behave the same. The biggest practical decision is whether your passkey is synced or device-bound, and the right choice depends on whether you optimize for convenience or maximum control.

Synced passkeys live in an encrypted cloud vault, such as iCloud Keychain, Google Password Manager, or a third-party manager. They replicate across all your trusted devices automatically. Lose your phone and your passkeys reappear on your new one after you sign in to the vault. This is the model most consumers want because recovery is painless. The trade-off is that your passkeys are only as secure as your vault account, and they can tie you to one ecosystem.

Device-bound passkeys never leave the hardware that created them. A FIDO security key, a smart card, or a TPM-backed credential is the classic example. Nothing syncs to the cloud, so there is no vault to breach and no provider to trust with your private keys. The trade-off is recovery: lose the device and the passkey is gone, which is why enterprises that issue device-bound keys also enroll backup keys. The FIDO Alliance found 47% of enterprises run a mix of both, using synced passkeys for everyday convenience and device-bound keys for high-assurance roles like administrators.

PropertySynced passkeysDevice-bound passkeys
StorageEncrypted cloud vaultSingle device or hardware key
Cross-device useAutomaticManual, key must be present
Recovery if device lostEasy, restore from vaultHard, need a backup key
Cloud breach exposureDepends on vault securityNone
Best forConsumers, familiesAdmins, regulated, high-security

Pricing: What Passkey Storage Actually Costs in 2026

Passkeys themselves are free. The standard is open and every major platform supports it at no charge. What you pay for, optionally, is a cross-platform vault that syncs passkeys across iOS, Android, Windows, and Linux without locking you to one ecosystem. Here is what the current options cost.

ProviderPlanPricePasskey support
Apple iCloud KeychainBuilt inFreeSynced across Apple devices
Google Password ManagerBuilt inFreeSynced across Android and Chrome
Microsoft (Windows Hello / Authenticator)Built inFreeWindows and Microsoft accounts
BitwardenFree$0/yearStore and use passkeys
BitwardenPremium$10/yearFull features plus passkeys
1PasswordIndividual$2.99/month billed annuallyCross-platform passkeys
1PasswordFamilies$4.99/month billed annuallyUp to 5 people
DashlanePremium~$59.88/yearCross-platform passkeys

The honest takeaway is that you do not need to spend a cent to use passkeys well. If you live entirely in one ecosystem, the built-in manager from Apple, Google, or Microsoft covers you for free. The case for a paid cross-platform manager is portability: if you mix an iPhone with a Windows laptop and an Android tablet, a vendor-neutral vault keeps a single set of passkeys available everywhere. We compared two of the leading options in detail in Bitwarden vs 1Password, and the short version holds here too. Bitwarden wins on price, 1Password wins on polish.

Expert Opinions: Fireship, MKBHD, and ThePrimeagen

The creator community has shaped how developers and consumers understand passkeys. Three voices stand out for the breadth of their audiences and the clarity of their takes.

Fireship, the developer channel known for fast technical explainers, has framed passkeys as the long-overdue death of the shared secret. The core argument: passkeys swap a string you both have to keep secret for a public key pair where the secret half never leaves your hardware, which kills phishing and database leaks in one move. He has also been candid that the developer experience and the account-recovery story are the parts that still need work before passkeys feel truly universal.

Marques Brownlee (MKBHD) approaches it from the consumer experience. His emphasis is the sheer speed and seamlessness of unlocking an account with Face ID or a fingerprint instead of typing and waiting for a texted code. The flip side he highlights is the cross-ecosystem friction: moving a passkey-protected login from an Apple device to an Android phone, or vice versa, is still clunkier than it should be for a mainstream feature.

ThePrimeagen, the developer and streamer with a large engineering audience, brings the skeptic’s lens. He has acknowledged the cryptographic case is sound while pushing back on the lock-in risk: when your passkeys live in a vendor’s synced vault, you are trusting that vendor’s recovery and export design, and the industry’s interoperability promises have to actually hold up in practice. His position is broadly representative of careful engineers who want passkeys to win but refuse to ignore the recovery and portability gaps.

Across all three, the consensus matches ours. The cryptography is not in doubt. The remaining friction is human: recovery, portability, and the long tail of services that have not shipped support yet.

The Limitations: Recovery, Lock-In, and Friction

A fair comparison names the weaknesses. Passkeys are better than passwords on security by a wide margin, but they are not frictionless, and pretending otherwise sets users up for frustration.

Account recovery is the hardest problem. With a password, you click “forgot password” and reset via email. With synced passkeys, recovery depends entirely on regaining access to your vault, whether that is your Apple ID, Google account, or password manager. If you lose every device and your vault recovery path at once, you can be locked out. This is why every passkey setup should include a backup: a second device, a hardware security key, or a recovery code stored offline.

Vendor lock-in remains real. Synced passkeys tie you to whichever ecosystem holds your vault. Cross-platform export standards exist on paper, but in practice moving a full passkey collection between Apple, Google, and third-party managers is still maturing. A neutral manager like Bitwarden or 1Password reduces this risk, which is the main reason to pay for one.

Cross-platform friction persists. Using a passkey created on your phone to sign in on a friend’s Windows PC works through a QR-code and Bluetooth hand-off, but it is slower and less obvious than the native flow. Legacy support is incomplete. Plenty of older services, intranet apps, and niche sites still only accept passwords. For those, a strong unique password in a manager remains the right tool, which is exactly why the hybrid model wins in 2026.

Passkeys vs SMS Codes and Authenticator Apps

Many people already protect their passwords with a second factor, so a fair comparison has to ask how passkeys stack up against the two-factor methods we lean on today. The short answer: a passkey is stronger than a password plus SMS or a password plus an authenticator app, because it removes the phishable first factor entirely rather than patching it.

SMS one-time codes are the weakest common second factor. They are vulnerable to SIM-swap attacks, where a criminal ports your number to their own device, and they can be relayed in real time by a phishing page that asks you to type the code you just received. They are still better than nothing, but security teams have spent years trying to move users off them. A passkey is immune to both attacks because there is no code to intercept and nothing to relay.

Authenticator app codes, the rotating six-digit TOTP numbers from apps like Google Authenticator or Authy, are a real upgrade over SMS. They are not tied to your phone number and they work offline. But they share the same fatal weakness as passwords: a convincing phishing page can ask you to type the current code, capture it, and replay it within the 30-second window. Real-time phishing kits automate exactly this. A passkey cannot be relayed because the cryptographic signature is bound to the genuine domain, so even a perfect copy of the login page gets nothing usable.

That is the key distinction. SMS and TOTP are phishable second factors layered on top of a phishable first factor. A passkey is a single, phishing-resistant factor that already combines possession and a local biometric or PIN. If you currently run password plus authenticator app on your important accounts, that is a strong setup and you should keep it where passkeys are not yet available. Where they are available, a passkey is the cleaner and safer replacement for the whole stack. Our deep dive on two-factor authentication covers how to implement TOTP correctly for the accounts still relying on it.

Passkeys and the Post-Quantum Question

A natural worry in 2026 is whether the cryptography under passkeys survives the arrival of quantum computers. Passkeys today sign with elliptic curve algorithms like ECDSA over P-256, and elliptic curve cryptography is one of the families a large fault-tolerant quantum computer could eventually break using Shor’s algorithm. So is this a reason to hold off? No, and the reasoning matters.

First, the threat is not here yet. No quantum machine capable of breaking P-256 exists, and credible estimates put practical cryptographically relevant quantum computers years away. Second, and more important, the passkey threat model is different from encryption. The classic post-quantum panic is “harvest now, decrypt later,” where an attacker records encrypted traffic today and decrypts it once quantum hardware arrives. Passkey signatures do not work that way. A signature proves possession of a private key at the moment of login. Recording an old assertion is worthless because every login uses a fresh server challenge, so there is no archive of signatures an attacker can retroactively forge their way past.

The real long-term task is upgrading the signing algorithms themselves to quantum-resistant ones such as the NIST-selected lattice schemes, and the FIDO standards are designed to be algorithm-agile, meaning new key types can be added without rebuilding the whole system. In practice, your passkeys will gain post-quantum algorithms through ordinary platform updates, the same way TLS is already adopting them. For the wider shift now underway across the web, see our analysis of post-quantum cryptography. The takeaway for passkeys vs passwords is simple: the quantum question is a reason to keep upgrading, not a reason to stay on passwords, which fail to far cheaper attacks today.

Migration Guide: Moving From Passwords to Passkeys

You do not migrate everything at once, and you never delete your password fallback until you have confirmed recovery works. Here is the sequence we recommend for individuals.

  1. Pick your vault. Decide where passkeys will sync. Single ecosystem? Use the built-in Apple, Google, or Microsoft manager free. Mixed devices? Choose Bitwarden or 1Password.
  2. Start with high-value accounts. Add passkeys to email, banking, and your primary cloud account first. These are the accounts that gate everything else.
  3. Enroll, do not replace yet. Most services let a passkey coexist with your password. Add the passkey, sign out, and sign back in with it to confirm it works before removing anything.
  4. Set up a backup credential. Register a second device or a hardware security key so a lost phone never locks you out. Save any recovery codes offline.
  5. Keep a strong password for the long tail. Sites without passkey support still need a unique, manager-generated password. Do not reuse.
  6. Review every few months. Adoption is moving fast. Services that lacked passkey support last quarter may have shipped it. Upgrade them as they arrive.

For organizations, the playbook scales the same logic. Start with a pilot group, default new high-privilege accounts to device-bound hardware keys, offer synced passkeys to the general workforce for convenience, and keep a documented recovery process run by IT. The FIDO Alliance enterprise data showing 47% of companies running a hybrid of device-bound and synced passkeys reflects exactly this staged approach. Pair the rollout with phishing-resistant policies and you remove the credential as an attack surface without a disruptive big-bang cutover.

Use-Case Recommendations: Which Should You Use?

The right choice depends on who you are and what you are protecting. Five concrete recommendations.

  • Everyday consumer in one ecosystem: Use synced passkeys through the free built-in manager (iCloud Keychain, Google Password Manager, or Windows Hello). Zero cost, painless recovery, strong security.
  • Cross-platform power user: Pay for Bitwarden ($10/year) or 1Password ($2.99/month) so one set of passkeys follows you across iOS, Android, Windows, and Linux without lock-in.
  • Family: A family plan such as 1Password Families at $4.99/month per group gives shared vaults and synced passkeys for everyone, including less technical members who benefit most from no-password logins.
  • Developer or admin: Use device-bound hardware security keys for accounts that gate code, infrastructure, or production. Add a second key as backup. This is the highest-assurance configuration available.
  • Regulated or high-security organization: Run the hybrid model. Device-bound keys for privileged roles, synced passkeys for the general workforce, documented recovery, and passwords retired from the login flow wherever possible.

For the one group still stuck on passwords by necessity, legacy-system users, the recommendation is unchanged: long unique passwords in a manager, plus two-factor authentication on every account that offers it. That combination is not as good as a passkey, but it is far better than a reused string alone.

Passkeys vs Passwords: Pros and Cons

A clean summary of where each credential earns its place.

Passkeys

  • Pro: Phishing resistant by design, bound to the real domain.
  • Pro: Nothing reusable to steal in a server breach.
  • Pro: About 3x faster sign-in, 93% success rate, no memorization.
  • Pro: Inherently multi-factor (device plus biometric or PIN).
  • Con: Account recovery is harder and provider dependent.
  • Con: Cross-ecosystem portability and legacy support still maturing.

Passwords

  • Pro: Universal, works on every device and legacy system.
  • Pro: Familiar, well-understood recovery flow.
  • Con: Phishable, reusable, and the root cause behind most breaches.
  • Con: Involved in 60% of breaches via the human element (Verizon 2025).
  • Con: Slow, with a 63% sign-in success rate when stacked with codes.
  • Con: Single-factor unless you add a separate 2FA layer.

Final Verdict: Passkeys Win, Passwords Aren’t Dead Yet

The data points one direction. Passkeys are faster (8.5 vs 31.2 seconds), more reliable (93% vs 63% success), and fundamentally more secure because they remove the reusable, phishable, breach-leakable secret that sits at the center of nearly every account takeover. With 5 billion passkeys in active use and giants like Amazon serving 465 million passkey customers, this is no longer the future. It is the present.

But passwords are not dead. They remain the universal fallback for legacy systems, and they are the recovery anchor while passkey portability and recovery flows finish maturing. The winning strategy for 2026 is not passkeys instead of passwords. It is passkeys first, passwords as backup. Enroll passkeys on every important account, set up a recovery key, and keep strong unique passwords in a manager for everything that has not caught up. Do that and you get the security of the new model without the lockout risk of abandoning the old one too soon.

Our overall verdict: adopt passkeys now, retire passwords gradually. The credential that cannot be phished, reused, or stolen from a server is the one that deserves your most important accounts, and in 2026 it is finally ready for them. For the bigger picture on why the entire authentication and encryption stack is shifting, see our coverage of post-quantum cryptography and the broader online security guide.

Frequently Asked Questions

Are passkeys more secure than passwords?

Yes, substantially. Passkeys use public key cryptography, so the private key never leaves your device and is never transmitted. They are phishing resistant because they are bound to the real domain, they cannot be reused across sites, and a server breach only exposes harmless public keys. Passwords are involved in roughly 60% of breaches through the human element, according to Verizon’s 2025 report.

What happens to my passkeys if I lose my phone?

If you use synced passkeys, they are stored in an encrypted cloud vault (iCloud Keychain, Google Password Manager, or a third-party manager) and reappear on your new device once you sign back in to that vault. If you use device-bound passkeys, they do not sync, so you need a registered backup device or hardware key. Always set up a backup credential before relying solely on passkeys.

Do passkeys replace two-factor authentication?

In effect, yes. A passkey is already multi-factor: it combines something you have (the device with the private key) with something you are or know (the biometric or PIN that unlocks it). That makes a separate one-time code unnecessary for that login. If you are still using passwords, however, adding two-factor authentication is essential.

Can passkeys be phished?

Not in the way passwords can. A passkey’s private key only signs challenges for the genuine domain it was created on, so a lookalike phishing site cannot obtain a valid signature. There is no secret string for you to accidentally type into a fake page. This is the single biggest security advantage passkeys hold over passwords.

How much do passkeys cost?

Passkeys themselves are free and built into Apple, Google, and Microsoft platforms at no charge. You only pay if you want a cross-platform vault to sync them everywhere: Bitwarden is free or $10/year for premium, and 1Password starts at $2.99/month for individuals. A hardware security key for device-bound passkeys is a one-time purchase.

Which websites support passkeys in 2026?

Support is broad and growing. Major services including Amazon, Google, Microsoft, GitHub, PayPal, and many banks and retailers now offer passkey sign-in. The FIDO Passkey Index reports that 93% of accounts among contributing companies are eligible for passkeys. Coverage is not universal yet, which is why a password fallback still matters for the long tail of services.

Should businesses switch employees to passkeys?

For most, yes, using a staged hybrid rollout. The FIDO Alliance reports 87% of enterprise decision makers are deploying passkeys, citing a 90% positive impact on security, 81% fewer login help desk incidents, and major productivity gains. Best practice is device-bound hardware keys for privileged accounts and synced passkeys for the general workforce, with a documented recovery process.

External References