The Pass Key - Secure Password Generator
Generate

Password Privacy - 8 min read

What Is a Passkey?

The best password manager in 2026 is Bitwarden for most people — free, open-source, and independently audited. For premium features and family sharing, 1Password leads on polish and security.

Learn how to judge whether an online password generator is safe, private, browser-only, and suitable for real accounts.

Updated 2026-05-12 8 min read Privacy-first advice

How passkeys work

A passkey is a cryptographic key pair — a private key stored securely on your device and a public key registered with the website. When you sign in, the website sends a challenge; your device signs it with the private key and returns the signature. The website verifies the signature using the stored public key. Your private key never leaves your device.

Passkeys are built on the FIDO2 / WebAuthn standard, jointly developed by the FIDO Alliance and the W3C. Every major browser and operating system now supports them: Chrome, Safari, Firefox, Edge, iOS, Android, Windows Hello, and macOS Touch ID / Face ID.

Because a different key pair is created for every site, passkeys are immune to credential stuffing (an attacker cannot reuse a passkey from one breach on another site) and immune to phishing (the private key only responds to the exact origin it was registered on).

Passkeys vs passwords — comparison

Feature Password Passkey
Phishing-resistant No Yfs — bound to exact origin
Credential stuffing risk High None — unique per site
Requires memorisation Yes No
Server breach exposure High (hashed or plain) Low — only public key stored
Requires 2FA Strongly recommended Built in (biometric/PIN)
Cross-device support Yes Yes (via sync or QR scan)

Which sites support passkeys in 2026?

Passkey support has grown rapidly. As of 2026, major platforms that support passkeys as a login option include: Google, Apple, Microsoft, Amazon, PayPal, GitHub, Shopify, Adobe, Uber, WhatsApp, X (Twitter), TikTok, LinkedIn, Dashlane, 1Password, and Bitwarden. The FIDO Alliance maintains a full directory at passkeys.directory.

Most implementations let you add a passkey as an additional login option rather than removing the password entirely. Full passwordless workflows — where no password is set — are less common but growing.

What if I lose my device?

Passkeys stored in a cloud keychain (Apple iCloud Keychain, Google Password Manager, a password manager like 1Password or Bitwarden) sync across your devices and survive device loss. If you lose your iPhone, your passkeys are available on your other Apple devices once you sign back in to iCloud.

For passkeys stored only on hardware (a FIDO2 security key like a YubiKey), you should register a second security key as a backup, or keep an account recovery code stored securely offline. Most services that support hardware passkeys also offer a fallback recovery flow.

During the transition period, most sites still allow password login as a fallback — so losing a passkey does not mean losing account access permanently.

Are passkeys replacing passwords?

Gradually, yes — but not immediately. The FIDO Alliance's goal is to eliminate passwords for mainstream consumer accounts. Apple, Google, and Microsoft have committed to expanding passkey support across their platforms. However, billions of accounts still use passwords, and full migration will take years.

For now, passkeys are best understood as a more secure alternative that coexists with passwords. The practical advice: enable passkeys wherever a site offers them, and use a strong unique password protected by 2FA for sites that don't yet support them.

How to create a passkey

The exact steps vary by site, but the general process is:

  1. Sign in to your account using your existing password.
  2. Go to Security settings (sometimes called "Passkeys", "Sign-in options", or "Two-step verification").
  3. Choose "Add a passkey" or "Create a passkey".
  4. Your browser or OS will prompt you to authenticate with biometrics (Face ID, Touch ID, Windows Hello) or a PIN.
  5. The passkey is created and synced to your keychain or saved on your security key.

Next time you sign in, choose "Sign in with a passkey" and authenticate with the same biometric or PIN. No password is typed.

The bottom line

Passkeys are the most significant improvement to consumer authentication in decades. They are phishing-resistant, require no memorisation, and build two-factor authentication into the login itself. If a site you use offers passkeys, enabling them is the single best security upgrade you can make to that account.

While passwords remain necessary for most sites today, the tools to generate and manage strong passwords remain important. Use the password generator for sites that haven't adopted passkeys yet, and a trusted password manager to keep them organised.