Passkeys: Understanding and Adopting the Password Alternative

Passkeys replace passwords with a cryptographic key tied to your device. No more memorizing, typing, or resetting anything. Here's how they work, what they change in practice, and what you need to know before adopting them.

What is a passkey and how does it work?

A passkey is a pair of cryptographic keys — a private key stored on your device, and a public key registered with the online service. To sign in, your device proves it holds the private key without ever transmitting it.

In practice, each time you log in, the server sends a unique challenge (a random string). Your device signs it with the private key, and the server verifies the signature using the public key. Even if someone intercepts that signed response, it's useless: it's only valid for that specific challenge, which has already been consumed. This is fundamentally different from a password, which is always the same and always replayable.

Authentication is triggered by a simple gesture: Touch ID, Face ID, a fingerprint, or the device PIN.

Are passkeys really more secure than a password?

Yes, by a wide margin. Passkeys rely on elliptic-curve cryptography (P-256 / ECDSA), delivering roughly 128 bits of effective security. To reach an equivalent level with a password, you'd need around 20 fully random characters drawn from the 95 printable ASCII characters — something no human naturally generates or remembers.

Beyond raw strength, passkeys eliminate an entire category of risks:

  • No weak or reused passwords across sites
  • No password database to steal (the server only stores the public key, which is useless without the private key)
  • No credential stuffing (testing millions of username/password pairs leaked from breaches)
  • No forced password rotation every 90 days
  • No forms with arbitrary rules (uppercase required, special character, no more than 16 characters…)

Why are passkeys resistant to phishing?

A passkey is cryptographically bound to the exact domain for which it was created. On a fake site — even one that looks identical — the passkey simply doesn't activate. There's nothing to intercept and nothing to replay.

This is a structural difference from passwords. A fake site can display a login form that looks identical to the real one and capture your credentials. With a passkey, even if the user doesn't notice the deception, authentication fails silently at the technical level. No exploitable information is transmitted to the fraudulent site.

This protection also works against real-time Adversary-in-the-Middle (AiTM) attacks, which even traditional 2FA cannot stop.
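As an added illustration (not code from the article), here is a small Go model of the challenge-response flow described under "how does it work?" together with the domain binding from this phishing section: the key pair is generated on the device and only the public key reaches the server, the device signs only for the domain its key was created for, and the server consumes each challenge so a captured response cannot be replayed. It is a teaching model, not the WebAuthn wire format, and the domain names used in the comments and tests are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device side: one private key per domain (rpID) a passkey was created for.
type Authenticator map[string]*ecdsa.PrivateKey
// Server side: only the public key, plus challenges issued but not yet consumed.
type Server struct {
	rpID       string
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}
// Register generates the key pair on the device; only the public key reaches the server.
func Register(rpID string) (Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return Authenticator{rpID: priv}, &Server{rpID: rpID, pub: &priv.PublicKey, challenges: map[string]bool{}}, nil
}
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32) // fresh random challenge, remembered as outstanding
	rand.Read(c)          // crypto/rand.Read (Go 1.24+) never returns an error: it aborts the process instead
	s.challenges[string(c)] = true
	return c
}
// Sign refuses unless the page origin is the domain the key was bound to (phishing resistance).
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no passkey for " + origin)
	}
	h := sha256.Sum256(append([]byte(origin), challenge...)) // signed message ties domain to challenge
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// Verify accepts each challenge once: it is deleted before the check, so a replay fails.
func (s *Server) Verify(challenge, sig []byte) bool {
	if !s.challenges[string(challenge)] {
		return false
	}
	delete(s.challenges, string(challenge))
	h := sha256.Sum256(append([]byte(s.rpID), challenge...))
	return ecdsa.VerifyASN1(s.pub, h[:], sig)
}
```

A lookalike domain gets no signature at all from the device, and a signed response captured from a genuine login verifies exactly once.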

Can my fingerprint be stolen like a password?

No. Your fingerprint (or Face ID) never leaves your device. It doesn't travel over the network and isn't stored on the website's server. It is used solely to unlock the cryptographic key locally — and that key is what performs the authentication.

The site never sees your fingerprint, never receives it, and therefore cannot have it stolen. This is fundamentally different from a password, which is sent to the server at every login and can be compromised if the database is breached.

And if Touch ID or Face ID isn't available (injured finger, faulty sensor), the device PIN takes over. Biometrics are a convenience, not a dependency.

What happens if I lose my phone or computer?

The answer depends on where your passkeys are stored. If they are synced via iCloud Keychain (Apple) or Google Password Manager, they are automatically available on your other devices within the same ecosystem. Switching to a new iPhone or a new PC using the same Google account is seamless.

However, if a passkey was created locally on a single device only, losing that device means losing access. That's why most services keep the password as an alternative login method during the transition period. A password manager that syncs passkeys across devices and browsers significantly reduces this risk.

Where are my passkeys stored, and who has access to them?

Passkeys are stored by the provider you choose — or that gets selected by default — at the time of creation. The main providers are iCloud Keychain (Apple), Google Password Manager (Chrome), and third-party password managers.

Each provider has its own sync scope:

  • iCloud Keychain syncs across all Apple devices, but not beyond
  • Google Password Manager syncs across all Chrome browsers regardless of OS, but not in Safari
  • A third-party password manager can work across all devices and browsers

The common pitfall: when creating a passkey, multiple providers may appear at the same time — the password manager extension, the browser, and the operating system. Touch ID, for example, gives the impression that "the Mac is handling this," when in reality it's either Chrome or macOS storing the passkey behind that gesture. If you don't pay attention to your initial choice, you may not find your passkey on another device.

How do you manage passkeys day to day?

The trickiest part today is management. There is no single place to view all your passkeys. They are spread across different interfaces depending on the provider chosen at creation.

To find or delete a passkey depending on where it's stored:

  • In Chrome: go to the browser's password settings
  • On macOS: System Settings, Passwords section
  • In a third-party manager: inside the vault, in the dedicated passkeys section

It's possible to accidentally create multiple passkeys for the same account across different providers. To avoid confusion, the simplest approach is to pick one provider and stick with it. On the service side, reputable sites display a list of registered passkeys for your account along with a revocation option.

Will passkeys replace passwords?

Not right away, but the direction is clear. Not all sites support passkeys yet, and users need to navigate both systems during the transition. Passwords remain a necessary fallback for services that don't yet offer passkeys, or as a recovery method.

Adoption is accelerating: major players (Google, Apple, Microsoft) are integrating passkeys natively into their platforms. Eventually, passwords should become the exception rather than the rule. In the meantime, a password manager capable of handling both traditional passwords and passkeys offers the best transition experience.

Key takeaways

  • A passkey is a cryptographic key tied to your device — more robust and simpler than a password
  • Passkeys are structurally resistant to phishing: they only work on the exact domain for which they were created
  • Your fingerprint never leaves your device and cannot be stolen through a website
  • Choose a single provider to store your passkeys and avoid confusion across devices
  • Passwords remain necessary alongside passkeys during the transition period
  • A password manager that supports passkeys simplifies multi-device management