Glossary
What is a passkey? Passwordless login with nothing to steal
A passkey is a login with no shared secret. Your device signs with a private key; the server stores only a public key, so a leaked database can't be used to log in, and the signature won't verify for a fake site (phishing-resistant). How it differs from passwords and SMS codes, and how to migrate. Defensive, no attack steps.
"Stop using passwords that can be stolen" — that's what a passkey delivers. Here's how it works and how it differs from passwords and SMS codes (no attack steps).
How it works: the secret never leaves the device
A passkey runs on public-key cryptography (the FIDO2 / WebAuthn standard). At registration your device creates a key pair and hands the server only the public key. At login, the server sends a fresh random "challenge"; your device unlocks the private key locally (the biometric or PIN that unlocks it also never leaves the device), signs the challenge together with the site's domain, and sends the signature back. Because the challenge is new every time, a captured signature cannot be replayed, and the private key never leaves your device's secure storage.
Password
You and the server share one secret. It is stolen if the server's database leaks or if you type it into a fake site.
Passkey
The private key stays on the device only. The server holds just the public key, which is useless on its own if leaked.
"The server has only the public key" is what matters. A public key is, by definition, safe to publish: even if the database leaks, it can verify signatures but cannot produce them, so it cannot be used to log in on its own. Password storage starts from the opposite premise, that the stored value is itself a secret, which is why it has to be hashed (see: what hashing is).
How it differs from password + SMS
Password + SMS code
- The shared secret (password) can leak, and password reuse chains one leak into many accounts
- Type it into a fake site and the SMS code is relayed to the real site too
- Tends to rely on "I can spot the fake"
Passkey
- No shared secret, so there is no string to steal
- The signature covers the site's domain (origin), so a signature produced on a fake site won't verify on the real one
- Blocks the fake site by design, even if the user doesn't notice
Adversary-in-the-middle (AiTM) phishing relays the correct code to the real site along with everything else, even if you enter it carefully (see: what phishing is). With a passkey, the browser stamps the actual origin into what is signed, so a signature produced on the attacker's domain fails verification at the real site, and that route is closed off by design.
This site's view: you don't have to replace everything at once
Passkeys are powerful, but you don't need to go fully passwordless across every account today. Our stance: migrate important accounts first. Add passkeys to the "keys to the kingdom" accounts — email, cloud, your password manager's vault — and set up recovery (register on multiple devices, keep a backup). For services where a password remains, protect them with a password manager and phishing-resistant MFA, then move to passkeys as each service adds support.
Read next
- Learn: how to choose a password manager (it also handles storing/syncing passkeys)
- Two-step: choosing MFA the right way (what phishing resistance means)
- How it works: how to store passwords safely
- Glossary: what phishing is
FAQ
Q: How is a passkey different from a password?
A password is a secret string you and the server share, so anyone who gets it can use it. A passkey has no shared secret. Your device signs with a private key it holds, and the server stores only the matching public key. There's no string to steal, and even if the server is breached, the public key alone can't be used to log in — that's the fundamental difference.
Q: Why is a passkey resistant to phishing?
A passkey's signature is bound to the site (domain) it was registered for, and the browser fills that domain in from the page you are actually on. If a fake site tries to make you log in, the browser won't offer the passkey for that domain, and even a signature produced there carries the wrong origin, so the real site rejects it. The fake site fails by design, even if the user never notices it, unlike a password + SMS code, which an adversary-in-the-middle can relay wholesale.
Q: If I lose my device, am I locked out?
In most cases passkeys are backed up via your OS or password manager's cloud sync and work on other devices (synced passkeys). It's also safest to register passkeys on multiple devices or security keys and set up a recovery method before you need it. Avoid relying on a single device with no recovery path.