What Are Passkeys and Why They Matter in 2026
Passkeys replace passwords with phishing-resistant public-key cryptography. Learn how passkeys work, why they matter, and how Passwall lets you create passkeys and sign in with passkeys—all synced in your vault.
Key takeaways
- Passkeys replace passwords with public-key cryptography—no shared secrets ever leave your device.
- They eliminate phishing, credential stuffing, and password reuse in one step.
- Major platforms (Apple, Google, Microsoft) ship passkey support natively—adoption is accelerating fast.
- With Passwall you can create new passkeys on supported sites and sign in with passkeys—all stored and synced in your vault alongside passwords and other credentials.
Passwords have been the default authentication mechanism on the web for over 30 years. During that time, we've added complexity rules, rotation policies, and multi-factor authentication to patch their weaknesses. But the core problem remains: passwords are shared secrets that can be stolen, phished, or guessed. Passkeys are the industry's answer to this fundamental flaw.
What are passkeys?
A passkey is a FIDO2/WebAuthn credential that uses public-key cryptography instead of a shared password. When you create a passkey for a website, your device generates a unique key pair: a private key that stays on your device (or in your password manager) and a public key that the website stores. During login, your device proves it holds the private key by signing a challenge—without ever transmitting the key itself.
This means there is no password to remember, no password to type, and no password for an attacker to steal. Authentication happens through biometrics (Face ID, fingerprint), a device PIN, or a security key, making the experience both more secure and more convenient than traditional passwords.
How do passkeys work under the hood?
Passkeys follow the W3C WebAuthn Level 2 standard and the FIDO2 protocol. The flow breaks down into two ceremonies:
- Registration: The website (called a "relying party") requests a new credential. Your authenticator—a hardware key, your phone, or your password manager—generates an asymmetric key pair using algorithms like ES256 or RS256. The public key is sent to the server; the private key never leaves secure storage.
- Authentication: The server sends a random challenge. Your authenticator signs it with the private key. The server verifies the signature using the stored public key. If valid, you're in—no password transmitted, no secret shared.
Each passkey is bound to a specific domain (the "relying party ID"), which means a phishing site on a lookalike domain cannot trigger the credential. This is a structural defense against phishing that passwords simply cannot provide.
Why passkeys matter for security
The security advantages of passkeys are not incremental—they are structural:
- Phishing-resistant: Passkeys are cryptographically bound to the relying party's domain. A fake login page on a different domain cannot trigger the credential.
- No credential stuffing: There is no password to reuse across sites. Each passkey is unique to a single service.
- No server-side secrets: Servers only store public keys. A database breach exposes nothing useful to an attacker.
- Replay attack protection: Every authentication includes a server-issued challenge and a signature counter, making replay attacks detectable and ineffective.
- Built-in MFA: Passkeys combine "something you have" (the device/key) with "something you are" (biometric) or "something you know" (PIN)—eliminating the need for separate 2FA in many cases.
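The authentication ceremony, domain binding and replay protection described above reduce to a handful of server-side checks, sketched here in Node.js as an added example (not code from the original article or from Passwall). The authenticator is simulated in software, and the function names, the `example.com` and `examp1e.com` domains and all sample values are constructed for illustration; the signature covers the authenticator data plus the SHA-256 hash of the client data, which carries the challenge and origin.

```javascript
// Added example: software-simulated authenticator, constructed values, hypothetical names.
const nodeCrypto = require('node:crypto');
const sha256 = (b) => nodeCrypto.createHash('sha256').update(b).digest();
// Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, { rpId, origin, challenge, signCount }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  // authenticatorData = rpIdHash (32 bytes) || flags (0x05 = UP|UV) || signCount (4 bytes)
  const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x05]), counter]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first failed check.
function verifyAssertion(a, stored, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'bad-rp-id';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, stored.publicKey, a.signature)) return 'bad-signature';
  const count = a.authData.readUInt32BE(33);
  if ((count || stored.signCount) && count <= stored.signCount) return 'counter-regressed';
  stored.signCount = count; // persist the new counter only after every check passes
  return 'ok';
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const stored = { publicKey, signCount: 0 };
  const rp = { rpId: 'example.com', origin: 'https://example.com' };
  const [c1, c2] = [nodeCrypto.randomBytes(32), nodeCrypto.randomBytes(32)];
  const good = makeAssertion(privateKey, { ...rp, challenge: c1, signCount: 1 });
  const results = { login: verifyAssertion(good, stored, { ...rp, challenge: c1 }) };
  // The same assertion presented again after the server has issued a fresh challenge.
  results.replay = verifyAssertion(good, stored, { ...rp, challenge: c2 });
  // An assertion made for a lookalike domain does not verify at the real relying party.
  const fake = { rpId: 'examp1e.com', origin: 'https://examp1e.com' };
  const other = makeAssertion(privateKey, { ...fake, challenge: c2, signCount: 2 });
  results.lookalike = verifyAssertion(other, stored, { ...rp, challenge: c2 });
  // Valid signature but a counter that did not increase (possible cloned credential).
  const stale = makeAssertion(privateKey, { ...rp, challenge: c2, signCount: 1 });
  results.stale = verifyAssertion(stale, stored, { ...rp, challenge: c2 });
  return results;
}
```

Calling `demo()` returns `{ login: 'ok', replay: 'bad-challenge', lookalike: 'bad-origin', stale: 'counter-regressed' }`: the signature is valid in all four cases, so it is the challenge, origin and counter checks that separate them.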
Passkeys vs. passwords: a practical comparison
| Dimension | Passwords | Passkeys |
|---|---|---|
| Phishing risk | High — users type secrets into fake pages | None — domain-bound cryptographic verification |
| Credential reuse | Common — same password on many sites | Impossible — unique key pair per service |
| Server breach impact | Hashed passwords can be cracked offline | Only public keys exposed — useless to attackers |
| User experience | Remember, type, reset when forgotten | One tap with biometric — no memorization |
| Multi-factor | Requires separate 2FA setup | Built in — possession + biometric/PIN |
Passkey adoption in 2026
Passkey adoption has reached a tipping point. Apple, Google, and Microsoft have built passkey support into their operating systems and browsers. Major services like GitHub, Google Workspace, Amazon, PayPal, and Shopify now accept passkeys for login. The FIDO Alliance reports that passkey-capable devices now cover over 90% of consumer platforms globally.
For businesses, the shift is equally significant. Regulatory frameworks like NIST SP 800-63B now explicitly recommend phishing-resistant authentication. Organizations adopting passkeys see measurable reductions in account takeover incidents and help-desk password reset costs.
The role of password managers in a passkey world
Passkeys do not make password managers obsolete—they make them more important. Here's why:
- Cross-device sync: Platform passkeys (stored by Apple or Google) only sync within their ecosystem. A password manager like Passwall syncs passkeys across all devices and platforms—iOS, Android, Windows, macOS, and Linux.
- Unified management: You still have passwords, TOTP codes, secure notes, payment cards, and now passkeys. A single vault keeps everything organized and searchable.
- Team sharing: Sharing a passkey for a shared team account? Password managers handle encrypted sharing with proper access controls—something platform keystores don't support.
- Backup and recovery: If you lose your device, platform passkeys may be recoverable through iCloud or Google—but only if you're in that ecosystem. A password manager provides an independent backup layer.
- Transition period: Most people will use passwords and passkeys side by side for years. A password manager bridges both worlds seamlessly.
Passkey support in Passwall
Passwall supports passkeys end to end: you can create new passkeys on websites and sign in with passkeys—all stored and synced in your vault with the same zero-knowledge encryption that protects your passwords.
Create passkey
When a site offers to create a passkey (e.g. “Create a passkey” or “Sign up with passkey”), the Passwall browser extension can handle registration. The new credential is saved into your vault—encrypted and synced across all your devices. You get a single place for all passkeys, whether you created them on desktop or mobile.
Passkey login
When a site asks you to sign in with a passkey, Passwall can provide the matching credential from your vault. Choose the passkey you want to use, confirm with your master password or biometrics, and you’re in—no typing, no phishing risk. Works on any device where Passwall (extension or app) is installed.
Under the hood, passkeys in Passwall are first-class vault items with full WebAuthn Level 2 metadata: credential ID, public key, encrypted private key, AAGUID, transports, backup status, sign counter, and discoverable flag. You can organize them in collections, share them with your team (with the same permission model as other items), and import or export them for migration. Private key material is always encrypted at rest—even Passwall cannot read your passkey secrets.
For a step-by-step guide on creating passkeys and signing in with passkeys in Passwall, see our Passkeys documentation.
Getting started with passkeys
Ready to move beyond passwords? Here's a practical starting point:
- Enable passkeys on your most important accounts first: Google, Microsoft, GitHub, and Apple accounts all support passkeys today. Start with these high-value targets.
- Create and sign in with passkeys in Passwall: Install the Passwall extension, then create a passkey on a supported site; it’s saved to your vault. Next time you sign in with a passkey on that site, Passwall will offer the credential so you can log in with one tap.
- Store passkeys in your password manager: Using Passwall ensures your passkeys sync across all your devices, regardless of platform.
- Keep your passwords as fallback: Don't delete passwords for services that support passkeys—keep them in your vault as a recovery option during the transition.
- Review your vault regularly: As more services adopt passkeys, migrate your credentials progressively. Passwall makes it easy to see which accounts still rely on passwords alone.
Passkeys represent the most significant improvement in authentication security since the invention of two-factor authentication. The transition from passwords to passkeys won't happen overnight, but every passkey you create today is one less password that can be stolen tomorrow. Start with Passwall's passkey guide or create your free vault.