The password has survived six decades of predictions of its death because every replacement asked websites and users to change at the same time. Passkeys are the first challenger backed simultaneously by Apple, Google and Microsoft, who committed jointly in 2022 to build the FIDO Alliance's standard into their operating systems, and the design is a genuine break with the past: instead of a secret you know and type, a passkey is a cryptographic key pair your device holds and uses on your behalf.

The mechanics matter, because they explain the security claim. When you create a passkey for a site, your phone or laptop generates two mathematically linked keys under the WebAuthn standard published by the W3C. The public key goes to the website; the private key stays in the device's secure hardware, the same enclave that protects Face ID or Windows Hello. Signing in is a challenge-response exchange: the site sends a random challenge, your device signs it with the private key after you unlock it with a fingerprint, face scan or PIN, and the site checks the signature against the public key it stored. Nothing secret ever travels over the wire, and nothing secret sits in the website's database waiting to be breached.

That last point is where phishing dies. A password works anywhere you type it, which is exactly why criminals build pixel-perfect copies of bank login pages. A passkey is bound to the domain that registered it, and the binding is enforced by the browser, not by your judgement at nine o'clock on a tired Tuesday. If you land on a lookalike address, your device simply has no passkey to offer, and there is no string of characters you can be tricked into handing over. The National Cyber Security Centre has endorsed passkeys on precisely these grounds, and GOV.UK One Login, the government's shared sign-in service, began offering them as an alternative to passwords with text-message codes, which drift-net phishing kits had learned to intercept in real time.

Adoption has moved fastest where fraud is most expensive. Google reports that a majority of its account holders have now used a passkey at least once; Amazon, PayPal and most large UK banks accept them; and password managers such as 1Password, Bitwarden and Dashlane store them alongside old-style credentials. The pattern echoes contactless payments: invisible plumbing, rolled out by platforms, that users adopt because it is quicker, not because it is safer. Unlocking with a thumbprint takes around two seconds against the half-minute of retrieving and retyping a strong password.

The recovery problem

Losing a password means clicking a reset link. Losing the only device that holds your private keys is a different order of event, and the industry's answer creates the scheme's most interesting tension. Consumer passkeys sync: Apple copies them end-to-end encrypted through iCloud Keychain, Google through its Password Manager, Microsoft through your Microsoft account. Drop your phone in the Thames and your keys reappear on the replacement. But the arrangement quietly concentrates risk, because your Apple or Google account becomes the master key to everything else, and that account is often still guarded by a password and a text message. Security engineers call this the recovery paradox: the system is only as unphishable as its weakest fallback. Hardware keys such as YubiKeys avoid syncing entirely, holding device-bound passkeys that cannot be copied, which is why the sensible practice is to register two and keep one in a drawer.

Whose keys are they, anyway?

Sync also raises the lock-in question. For the first years of the rollout there was no way to move passkeys out of iCloud Keychain and into Google's manager, or vice versa, short of re-enrolling on every site, which handed the platforms a subtle switching cost measured in dozens of accounts. The FIDO Alliance has responded with a credential exchange specification, developed with the major password managers, that defines a secure format for migrating passkeys between providers, and the first implementations are arriving now. Until portability is routine, the honest summary is this: passkeys really do end the era of stolen and phished credentials, and the fights left are about custody. Passwords will linger for years as fallbacks on old accounts, and any account that still accepts one remains only as strong as that legacy door. The plan to kill the password is working; retiring the corpse will take rather longer.

Passkeys explained: the plan to kill the password
Photo: belgium24.eu / Wikimedia Commons (CC BY 2.0)