What Is a Passkey? Here’s How to Set Up and Use Them (2025)

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Passwords suck. They’re hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here’s everything you need to know about using them.

Updated September 2: We’ve added a few details on about restoring passkeys and mentioned non-biometric authentication options.

Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that’s resistant to common attacks on passwords like phishing and dictionary attacks.

“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity; one that’s not only easier to use than previous methods but also safer.

Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.

Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way. Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that’s needed to end up with a compromised account, and you didn’t even do anything wrong.

Passkeys use public-key cryptography. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.

In the event your device is lost or stolen, you can restore your passkeys using the account you created it with. For instance, Google allows you to store passkeys in the Google Password Manager and sync them across your devices. Windows and iCloud Keychain only work on their respective operating systems, but they’re tied to your Microsoft and Apple accounts, respectively.

Are Passkeys Safe?

Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a handful of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.

On the device where you created the passkey, you’ll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log into. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.

Although biometric authentication is how you’ll typically interact with passkeys on a mobile device, it’s not a requirement. On Windows, for example, you need to authenticate with Windows Hello, which can use your device’s PIN. On Android, you can use a pin or pattern.

With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are dozens and dozens of examples of this happening before.

Passkeys vs. 2FA and MFA

Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.

MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.

Here’s how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”

Devices and Browsers That Support Passkeys

Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.

Here are the operating systems that fully support passkeys:

• Android 9 or newer
• iOS 16 or newer
• macOS 13 (Ventura) or newer
• Windows 10/11 23H2 or newer

Each one of these operating systems supports passkeys for native apps, as well as in your browser. Chromium supports passkeys, which covers the vast majority of browsers available, including Brave, Opera, Vivaldi, and Google Chrome. The major non-Chromium browser, Mozilla Firefox, also supports passkeys on version 122 or newer.

How to Create and Store Passkeys

To use passkeys, you need to store them somewhere. The major operating systems that support passkeys already include a way to store them, but they aren’t created equally.

Windows 10 and Windows 11

You need to set up Windows Hello to use passkeys on Windows 10 or Windows 11. You might have set it up during installation, but if not, you can enable it in the Settings app by clicking Accounts > Sign-in options. Whenever you want to use a passkey, you’ll need to authenticate with Windows Hello, be it with your face, fingerprint, or PIN.

Windows 10 or 11, version 23H2 or later, will prompt you to use a passkey whenever you attempt to sign in to a supported service on a supported browser (or through a native Windows app). Unlike other operating systems, these passkeys aren’t synced across your devices. They only work on your Windows device.

Both macOS and iOS store passkeys on your iCloud Keychain, so you’ll need to turn your Keychain on if it’s not already enabled. You can turn it on in the Settings app by following Apple ID > iCloud > Passwords and Keychain. You’ll need to enable 2FA for your Apple ID to use iCloud Keychain.

Similar to Windows, you’ll be prompted to create a passkey whenever you create a new account with a service that supports passkeys. If you want to add a passkey to an already created account, you’ll have to do so through that application’s settings. Unlike Windows, these passkeys work across devices, assuming you have access to your iCloud Keychain.

In newer versions of macOS (version 15 and later), it’s much easier to create and manage passkeys through the dedicated Passwords app.

iOS follows the same principles as macOS when it comes to Passkeys. They’re stored in your iCloud Keychain and synced across your devices. In iOS 18 and newer, you can manage passkeys in the dedicated Passwords app, and in older versions, you can find them in your settings.

iOS via Jacob Roach

iOS via Jacob Roach

Android 9 and newer versions support passkeys, but in different forms. By default, passkeys in Android will use the Google Password Manager, which is tied to your Google Account and syncs across your devices. On Android 14 and newer, you can choose to store your passkeys elsewhere, such as in a third-party password manager.

Passkeys in a Password Manager

Chrome via Jacob Roach

If you want all your passkeys on all your devices, operating system be damned, you need a password manager. Most of the best password managers support passkeys, allowing you to store and sync them on nearly any device. I personally use 1Password, but services like NordPass, Bitwarden, and Dashlane also support passkeys. You can create and store passkeys with a password manager on Android and iOS.

Keep your logins locked down with our favorite password management apps for PC, Mac, Android, iPhone, and web browsers.

Apps That Support Passkeys

There are only a few places where you can store and sync passkeys, but plenty of services support passkeys for signing in. The usual suspects include Microsoft, Adobe, Amazon, Google, and Apple, but there are still many websites and apps that don’t support passkeys.

You can find a handful of directories that claim to hold a complete list of apps that support passkeys with a quick Google search. 1Password maintains one directory, as do a couple of B2B services, including a directory from Hanko and another from OwnID. These aren’t complete lists. Meta apps like Facebook and Instagram aren’t listed, for example, despite adding support for passkeys in June 2025.

The best directory I’ve come across is from a nonprofit called 2factorauth in Sweden. It’s hosted on GitHub, updated constantly, and critically, maintained by the community. It’s the most up-to-date I’ve found, and apps are even organized into categories so you can, for instance, pick a VPN service that supports passkeys.

Passkeys Will (Eventually) Replace Passwords

Passkeys were built to replace passwords, but we’re in the middle of a long, arduous transition to get there. It requires every app, device, and operating system to adopt a new standard of authentication and ditch a model we’ve been using for decades throughout our entire digital lives.

The inflection point is well underway, though. With major services adopting passkeys, it’s possible to use them across your most important accounts. If nothing else, it’s worth using passkeys on accounts that are connected to others, such as your Google or Facebook account if you use social sign-on features.

Despite offering clear security advantages, passkeys aren’t a (excuse the pun) turnkey solution for better security. As Shikiar puts it, “Passkeys secure the front door, but organizations still need to harden the entire identity journey, ranging from onboarding and recovery to session management.”

Power up with unlimited access to WIRED_._ Get best-in-class reporting and exclusive subscriber content that’s too important to ignore. Subscribe Today.