What Are Passkeys?

Passkeys are a consumer-friendly implementation of the FIDO2/WebAuthn standard that enable passwordless login using cryptographic key pairs stored on user devices.

Alway Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Passkeys are a consumer-friendly implementation of the FIDO2/WebAuthn standard that enable passwordless login using cryptographic key pairs stored on user devices. Instead of remembering passwords, users authenticate using something they have (their device with a biometric sensor, PIN, or security key) and optionally something they are (biometric verification). Passkeys use public-key cryptography where a private key stored on the user's device signs authentication challenges, and the public key is registered with services. The private key never leaves the device, making passkeys phishing-resistant because authentication is cryptographically bound to the legitimate service domain. Passkeys can be stored exclusively on one device (device-bound passkeys) or synced across multiple devices via secure cloud services like iCloud Keychain, Google Password Manager, or third-party password managers (synced passkeys). According to Auth Signal's 2025 research, 69% of users now have at least one passkey, and the passwordless market is valued at $24.1 billion in 2025, projected to reach $55.7 billion by 2030.

How do Passkeys work?

Passkeys operate through cryptographic authentication that replaces passwords with device-based credentials.

Passkey Registration (Setup): When a user creates an account or adds a passkey to an existing account, the website prompts for passkey creation. The user's device (phone, computer, tablet) displays a passkey creation dialog. The user verifies their identity using a biometric (Face ID, fingerprint, iris scan) or device PIN. The device generates a public-private key pair specifically for this website. The private key is stored securely on the device using hardware-backed storage (Trusted Platform Module, secure enclave, or operating system keychain). For device-bound passkeys, the key stays only on that device. For synced passkeys, the encrypted private key is backed up to a cloud service (iCloud Keychain, Google Password Manager, or third-party password manager). The public key is sent to the website securely. The website stores the public key and can now authenticate this user.

Passkey Login (Authentication): When a user visits a website and selects "Sign in with passkey," the website prompts for passkey authentication. The user's device shows an "unlock with biometric/PIN" prompt. The user provides their biometric or enters their device PIN. The device retrieves the private key for this specific website. The device cryptographically signs the login challenge sent by the website. The signature is sent to the website. The website verifies the signature using the stored public key. If the signature is valid, the user is authenticated and logged in.

Key Security Properties: No password is entered, remembered, or transmitted over the network. Biometric data and the device PIN never leave the device—they unlock access to the private key locally and are not sent to websites. The private key never leaves the device (or, for synced passkeys, the end-to-end encrypted cloud backup). Authentication is bound to the service's domain through cryptographic origin binding, so a fake website cannot obtain a usable signature even if a user is lured to it.

Device-Bound Passkeys: Device-bound passkeys are stored exclusively on one device and do not sync to other devices or cloud services. They provide the highest security because the private key never leaves the physical device. If the device is lost, recovery requires backup codes or account recovery procedures. Device-bound passkeys suit hardware security keys (such as YubiKey), work devices under strong mobile device management, and high-security accounts where maximum protection is required. According to NIST SP 800-63-4, device-bound passkeys meet AAL3 (highest assurance) requirements.

Synced Passkeys: Synced passkeys are backed up to cloud services and accessible from multiple devices registered to the user. Private keys are encrypted end-to-end before syncing—cloud providers cannot access decrypted keys. If a device is lost, users can still sign in from other devices. Synced passkeys are ideal for consumer scenarios and employee multi-device use cases. According to NIST SP 800-63-4, synced passkeys meet AAL2 (multi-factor, phishing-resistant) requirements. Storage options include Apple iCloud Keychain (synced across Mac, iPhone, iPad), Google Password Manager (synced across Android devices and web), Microsoft Authenticator (for Microsoft Entra ID, syncs across devices), and third-party password managers (1Password, LastPass, Dashlane).

How do Passkeys differ from other authentication methods?

| Authentication Method | Passwordless | Phishing-Resistant | Password Reuse Risk | Recovery Complexity | Ideal For |
|---|---|---|---|---|---|
| Passwords | No | No | High (60% reuse rate) | Low (reset via email) | None—legacy only |
| TOTP/SMS MFA | No (password + code) | No (code phishable) | High (password reused) | Medium (backup codes) | Transitional MFA |
| Push Notification MFA | No (password + approval) | No (AitM susceptible) | High (password reused) | Low (familiar UX) | User-friendly MFA |
| Device-Bound Passkeys | Yes | Yes (origin-bound) | None (unique per site) | High (device loss critical) | High-security accounts (admin, privileged) |
| Synced Passkeys | Yes | Yes (origin-bound) | None (unique per site) | Low (multi-device access) | Mainstream users (consumer and enterprise) |


Key Tradeoffs: Passwords are familiar but vulnerable to phishing and credential reuse. TOTP and push notification MFA add security but still rely on underlying passwords that can be phished. Device-bound passkeys provide maximum security by keeping keys on a single device but create recovery complexity if that device is lost. Synced passkeys balance security and convenience by backing up to cloud services, enabling multi-device access at the cost of trusting the cloud provider's encryption. Passkeys eliminate password reuse entirely because each website gets a unique cryptographic key pair.

Why do Passkeys matter?

Passkeys represent a fundamental shift in authentication that reached mainstream adoption in 2024-2025.

Mainstream Platform Adoption: Microsoft made passkeys the default for new Microsoft accounts in May 2025, resulting in a 120% increase in passkey authentications. Amazon accounts for 39.9% of passkey authentications according to 2025 data, leading retail adoption. E-commerce drives approximately half of all passkey traffic, with eBay, Lowe's, Home Depot, and Target deploying passkey support. Apple, Microsoft, and Google now natively support passkeys across all major operating systems and browsers, making passkeys accessible to billions of users.

Government and Institutional Deployment: Australian and New Zealand governments made passkeys available to approximately 30 million citizens for government services access. The European Union launched the EU Digital Identity Wallet framework with 46 million euros in pilot funding, incorporating passkey technology. U.S. Federal agencies are deploying FIDO2-based authentication, with 40,000 USDA users already using passwordless authentication. NIST SP 800-63-4 (July 2024) recognizes synced passkeys for AAL2 and requires phishing-resistant authenticators for AAL3.

Enterprise Adoption Accelerating: According to FIDO Alliance 2024 research, 87% of U.S. and UK enterprises are piloting or rolling out passkeys internally. Organizations report a 93% login success rate with passkeys versus 63% with traditional authentication. Passkeys reduce password reset help desk tickets by 32%, significantly lowering IT support costs. Organizations deploying passkeys also eliminate SMS OTP costs by removing the need for SMS infrastructure.

User Experience Improvements: Passkeys provide faster authentication than password entry—users confirm with a biometric or device PIN instead of remembering and typing complex passwords. Cross-device flows allow users to authenticate desktop logins with their phones by scanning a QR code. Unlike SMS-based MFA, passkeys do not depend on a code being delivered over the cellular network, eliminating delays waiting for codes.

Security Advantages Over Legacy Methods: Passkeys prevent phishing through cryptographic domain binding—fake sites cannot use passkeys because signatures are valid only for legitimate domains. Passkeys eliminate credential stuffing attacks because each site gets a unique cryptographic key pair. Passkeys block adversary-in-the-middle attacks that intercept traditional MFA codes in real time. According to Microsoft's 2024 research, adversary-in-the-middle attacks increased 146% throughout 2024, targeting traditional MFA; passkeys are immune to these attacks because the browser will not exercise a passkey for any origin other than the one it was registered to.

Market Growth Reflects Demand: The passwordless authentication market is valued at $24.1 billion in 2025 and projected to reach $55.7 billion by 2030, representing 18.24% CAGR. This growth is driven by security breaches, regulatory mandates, and enterprise migration from passwords. In late 2024, Bitwarden reported a 550% jump in daily passkey creation, indicating rapid acceleration in adoption.

What are the limitations and weaknesses of Passkeys?

Passkeys face practical deployment challenges despite their security and usability benefits.

Cross-Device Complexity: Setup processes differ across devices (Windows vs Mac vs iPhone vs Android), creating user confusion. Users must manage multiple passkey storage locations (iCloud, Google, third-party password managers), leading to fragmentation. Cross-device flows (using a phone to sign in to a desktop) remain confusing to many users. Recovery complexity varies by platform and provider, requiring user education on backup procedures.

Platform Support Gaps: iOS and macOS support passkeys through iOS 16+ and macOS 13+, but some enterprise features remain limited. Android support is fragmented across older devices and manufacturers, with some devices lacking FIDO2 support entirely. Legacy devices running older operating system versions cannot use passkeys at all. Enterprise mobile device management (MDM) systems are still developing passkey management capabilities.

Backup and Account Recovery Issues: Device loss creates recovery challenges for users with device-bound passkeys who didn't save backup codes. Users often misplace or lose backup codes, creating account lockout scenarios. Synced passkeys require trusting cloud providers (Apple, Google, third-party password managers) with encrypted private keys. Passwordless users with no backup codes and lost devices have no recovery option without contacting support.

Organizational Implementation Challenges: IT help desk staff must support both passkey-native flows and legacy authentication during transition. Shared accounts and service accounts are difficult to manage with user-centric passkey architecture. Legacy on-premises systems may lack WebAuthn support entirely. Phased migration requires supporting passwords and passkeys simultaneously, adding operational complexity.

User Adoption and Training: While 69% of users are aware of passkeys, actual usage remains lower. Users must shift from decades of password-based behavior to biometric or device-based authentication. Help desk teams need significant training on WebAuthn concepts and recovery flows. Dedicated user education and communication campaigns are required for successful adoption.

Synced Passkey Security Considerations: Cloud provider compromise could theoretically expose synced passkeys, though private keys are encrypted. Device compromise during an active authenticated session allows an attacker with control of the device to exercise its passkeys while it is unlocked. Recovery credential leaks (stolen backup codes) grant account access that bypasses passkeys. Organizations must weigh the convenience of synced passkeys against the security of device-bound passkeys for different use cases.

How can organizations deploy Passkeys effectively?

Successful passkey deployment requires strategic planning and user enablement.

Phased Rollout Strategy: Start with a pilot phase using small, tech-savvy user groups to gather feedback. Incorporate user feedback and iterate on implementation before broader deployment. Gradually expand to the broader user base over 3-6 months. Run passwords and passkeys in parallel during the transition period. Track success metrics including adoption rates, login success rates, and help desk request volumes.

Device Strategy: For bring-your-own-device (BYOD) scenarios, support synced passkeys (iCloud, Google) on personal devices. For corporate-issued devices, use a mix of synced (for convenience) and device-bound (for security) based on risk assessment. Require device-bound passkeys only for privileged accounts including administrators and executives. Provide hardware security keys (YubiKey or similar) for highest-risk users.

User Enablement: Create clear documentation with step-by-step guides for passkey creation on different devices and platforms. Produce video tutorials showing biometric setup and authentication workflows. Enforce secure backup code storage in password managers, not sticky notes or plain text files. Train help desk staff on passkey recovery flows and troubleshooting. Maintain password options or recovery codes as fallback during transition.

Technical Implementation: Choose IAM platforms with strong passkey support including Microsoft Entra ID (market leader, synced passkeys via multiple providers), Okta (cloud-native, passkey-first approach), Auth0 (developer-friendly, flexible methods), Ping Identity (enterprise scale, granular access control), and JumpCloud (directory-as-service with passkey support). Use certified FIDO2/WebAuthn implementations following standards. Consider attestation validation for high-assurance scenarios requiring specific authenticator types. Monitor all registration and authentication events. Detect unusual registration or authentication patterns for security.

Passkey Storage Platform Selection: Apple iCloud Keychain provides device-synced passkeys with ecosystem integration across Mac, iPhone, and iPad. Google Password Manager offers Android and cross-platform passkey sync. Microsoft Authenticator integrates with Microsoft Entra ID for enterprise. Third-party password managers including 1Password (strong encryption, cross-platform), LastPass (legacy support with passkey add-on), and Dashlane (consumer and business support) provide vendor-neutral options.

Hardware Authenticator Options: YubiKey is the industry standard, FIDO2 certified, with USB/NFC/Bluetooth support. Titan Security Key from Google provides FIDO2 authentication. Kensington VeriMark and other vendors offer enterprise FIDO2 authenticators. Smart cards and PIV/CAC cards meet government and defense sector requirements for device-bound credentials.

Compliance and Standards Alignment: Align implementation with NIST SP 800-63-4 Digital Identity Guidelines recognizing passkeys. Follow OMB M-22-09 Federal Zero Trust mandate requiring phishing-resistant MFA. Use CISA Guidance on phishing-resistant authenticator deployment playbooks. Leverage FIDO Alliance Certification to validate compliant products and platforms.

Recovery and Backup Planning: Generate and distribute backup codes during passkey setup. Require users to store backup codes in password managers, encrypted files, or other secure locations. Establish IT support procedures for account recovery when users lose devices and backup codes. Test recovery procedures regularly to ensure they work. Consider offering multiple recovery options (email verification, video call with IT, in-person validation for privileged accounts).

FAQs

How are passkeys different from passwords? Passkeys eliminate passwords entirely. Instead of remembering and entering a password, you authenticate using biometric (face, fingerprint) or device PIN on your device. Your device uses cryptographic keys (not passwords) to prove your identity to the service. Passwords are vulnerable to phishing, data breaches, and reuse across multiple sites. Passkeys are phishing-resistant because authentication is cryptographically bound to legitimate domains, and each service gets a unique cryptographic key pair preventing credential reuse.

What happens if I lose my phone with my passkeys? If you have passkeys synced to a cloud account (iCloud, Google, third-party password manager), you can still sign in from another device because the encrypted passkeys are available from cloud backup. If your passkeys were device-bound only (not synced), you need backup codes (one-time recovery codes) that you saved during setup. Always save backup codes in a secure location like a password manager during initial passkey setup. Some services offer account recovery through email verification or support contact, but this varies by provider.

Can I use the same passkey across multiple websites? No. Each website gets its own unique passkey when you register. This is a security feature: even if one website is compromised, the attacker only gets that specific passkey, not your passkeys for other sites. You'll have many passkeys (one per service), but they're managed transparently by your device or password manager through operating system keychains or password vaults, so you don't have to manually manage them like passwords.

Is it secure to sync passkeys to the cloud? Yes. Synced passkeys are secure because your private key is encrypted before being synced. The cloud provider (Apple, Google, password manager company) cannot decrypt it because they don't have the encryption key. Even if cloud storage is breached, attackers cannot use the encrypted key without your device PIN or biometric. You're trading single-device security for multi-device convenience. For highest security on critical accounts, use device-bound passkeys on hardware security keys. For mainstream use, synced passkeys provide excellent security with better usability.

What's the difference between a passkey and a FIDO2 key? Passkeys are a consumer-friendly implementation of FIDO2/WebAuthn. All passkeys are FIDO2-compliant, but not all FIDO2 authentication uses the term "passkeys." For example, a hardware security key is a FIDO2 authenticator but usually called a "security key" rather than a passkey. Passkeys specifically refer to the FIDO2 implementation that's easy to use (biometric or PIN, synced across devices) and designed for mainstream adoption. "Passkey" is the consumer-friendly term for FIDO2 credentials that are discoverable (don't require username) and user-friendly.


© 2026 Kinds Security Inc. All rights reserved.
