Passwords have a structural problem. They are a shared secret: you know it, the service knows it, and anyone who intercepts, guesses, or steals it gains full access. Every layer built on top of passwords (two-factor authentication, breach alerts, password managers) exists to compensate for that weakness. Passkeys do not compensate for it. They eliminate it.
Passkeys are now supported across most major platforms and services, and the case for adopting them is strong. But how you adopt them matters. Handing your passkeys to the same companies whose data collection practices drove the demand for privacy tools in the first place is not the only option.
This article explains what passkeys are, why they represent a genuine step forward in secure authentication, and how to use them in a way that keeps control in your hands.
If you cannot access any links in this article due to regional restrictions, try using a VPN to reach them.
What Are Passkeys?
A passkey is a cryptographic login credential built on public key cryptography. When you create one for a service, your device generates two mathematically linked keys: a private key that stays on your device and never leaves it, and a public key that is stored by the service. When you log in, the service issues a challenge to your device. Your device first verifies your identity locally, through biometrics (Face ID, Touch ID, or another fingerprint or facial recognition sensor) or a device PIN, then signs that challenge with the private key and returns the signed response. The service checks the signature against the public key and grants access.
The private key never moves. The service never sees your biometric data. There is no password database to breach, no credential to phish, and no shared secret to reuse across accounts.
The underlying standard is FIDO2, developed by the FIDO Alliance. FIDO2 is built into all major browsers and operating systems. Web Authentication (WebAuthn) is the W3C web standard that forms the browser-facing part of FIDO2, and together they form the technical backbone of passkey authentication across the internet.
Passkeys come in two forms. Synced passkeys, also called multi-device passkeys, are stored in a credential manager and synchronized across your devices via a cloud account. Device-bound passkeys are tied to a single physical device and cannot be copied, making them the higher-security option favored in enterprise and high-sensitivity environments.
Why Passkeys Are More Secure
Phishing resistance by design
Passkeys are cryptographically bound to the specific domain they were created for. This is one of the most important security properties they carry. A convincing fake login page cannot capture a passkey because the passkey is scoped to the original domain. WebAuthn ensures the private key will only authenticate on the correct registered domain. If a phishing attack directs you to a lookalike site, the authentication simply will not complete. No amount of user vigilance can replicate this protection with traditional passwords. Phishing attacks remain one of the most common and effective vectors for account takeover, and passkeys eliminate them at the credential level.
No breach exposure
When a service is breached and its credential database is stolen, every password in that database is at risk. With passkeys, the service holds only your public key. Stolen public keys are mathematically useless without the corresponding private key, which never left your device.
No reuse across services
Password reuse is one of the most common causes of account takeover. A single breach can cascade across every service where the same password was used. Passkeys are unique per service by design. There is nothing to reuse, because there is no password.
Replaces SMS authentication
SMS-based one-time passwords are vulnerable to SIM swapping, network interception, and social engineering of mobile carriers. These are not theoretical risks. They have been used to drain bank accounts and cryptocurrency wallets. Passkeys replace both the password and the SMS code in a single step that is resistant to all of these attacks. US federal agencies including the FBI and CISA have explicitly warned against SMS-based authentication. The UAE Central Bank mandated its removal from financial services by early 2026. The direction of travel is clear.
Platform Compatibility
Passkey support is now widespread across operating systems and browsers. Apple devices running iOS 16 or macOS Ventura and later support passkeys natively. Android devices running Android 9 or higher support passkeys, with Google Password Manager handling cross-device synchronization. Windows 10 and Windows 11 users can use passkeys through Windows Hello. Browser support includes Google Chrome (version 109 or later), Safari (version 16 or later), and Microsoft Edge (version 109 or later). Firefox support is available with some limitations.
The Problem With Letting Big Tech Hold Your Passkeys
Passkeys need to be stored somewhere, and the defaults are platform-native. When you create a passkey on an iPhone, an Apple account stores it in iCloud Keychain. On an Android device, a Google account stores it in Google Password Manager. On Windows, Microsoft stores it in Windows Hello. These are the default passkey providers built into each platform.
The security of the passkey itself is sound regardless of where it is stored. The problem is a different one: platform lock-in and data visibility. Storing your passkeys in iCloud Keychain ties you to the Apple ecosystem. Storing them in Google Password Manager means Google has a detailed record of every service you authenticate to and when. These companies built their business models on behavioral data. Your login patterns are behavioral data.
Beyond the privacy concern, platform-native credential managers create a single point of failure. If your Google account is suspended, compromised, or inaccessible in a region where Google Workspace or Google services are restricted, your passkeys go with it. That is a meaningful risk for readers in countries where platform access is unreliable or subject to government interference.
If you cannot reach a platform’s credential manager due to regional restrictions, a VPN will often resolve this. However, relying on a platform-native manager in a restricted region is itself a structural risk worth addressing at the tool level.
Independent Passkey Managers: The Better Option
The alternative is to store your passkeys in a dedicated password manager that is independent of the major platforms. These managers sync passkeys across devices without tying you to a single ecosystem, give you more control over your data, and in several cases are open-source and independently audited. A browser extension is typically available for each, allowing the manager to intercept passkey creation automatically and store it outside the platform default.
For context on each of these managers beyond passkey support, see our full guide: Best Password Managers to Use.
Bitwarden
Bitwarden is open-source, zero-knowledge, independently audited, and SOC 2 Type 2 certified. Passkey storage and sync are included on both the free and paid tiers. Because the code is publicly available, the passkey implementation can be independently verified. The browser extension intercepts passkey creation and stores credentials in Bitwarden rather than in your operating system’s default manager. For users who want maximum transparency without paying for it, Bitwarden is the strongest option on this list.
Proton Pass
Proton Pass is built by the team behind ProtonMail and Proton VPN, making it the most natural fit for users already in the Proton ecosystem. It is open-source, zero-knowledge, and independently audited. Passkey support is included on the free tier. Proton Pass integrates with Proton’s broader suite of privacy tools, meaning your passkeys, passwords, aliases, and email can all operate under the same privacy-first infrastructure. For readers who have adopted Proton Mail or Proton VPN, extending that trust to Proton Pass is a coherent step.
If you cannot access proton.me due to regional restrictions, try a VPN.
NordPass
NordPass uses XChaCha20 encryption with Argon2id key derivation, a modern combination that goes beyond the AES-256 standard used by most competitors. It supports passkey storage and sync across all major platforms, has never experienced a breach, and is independently audited and SOC 2 certified. NordPass is part of the Nord Security ecosystem, which also includes NordVPN, giving it a familiar home for users already in that stack. A free tier is available with limited device access.
1Password
1Password stores and syncs passkeys across all major platforms and browsers. It holds SOC 2 Type 2 certification, has been independently audited multiple times, and uses a unique 128-bit Secret Key in addition to your master password, making brute-force attacks against the vault practically impossible. It is a polished, well-supported option for individuals and families who want reliable cross-platform passkey management.
Keeper
Keeper supports passkey storage and sync with zero-knowledge AES-256 encryption and a strong security record. It has never experienced a major data breach, which in the current landscape is a meaningful distinction. Keeper is a solid choice for users who want enterprise-grade security infrastructure at a consumer price point.
YubiKey: Passkeys Without Any Cloud
For users who want to take passkey security further and remove cloud storage from the equation entirely, YubiKey is the hardware alternative. A YubiKey is a physical security key, roughly the size of a USB drive, that stores your passkeys and cryptographic credentials directly on the device. Authentication requires the physical key to be present. There is no cloud sync, no remote access, and no platform dependency. These are device-bound passkeys in hardware form.
YubiKeys support FIDO2 and WebAuthn, the same standards that underpin software-based passkeys, and are compatible with all major browsers, operating systems, and services that support passkeys. They also support traditional two-factor authentication for services that do not yet support passkeys, making them a useful transitional tool.
The trade-off is the same as any hardware credential: if you lose the key and have no backup, account recovery depends entirely on the service’s fallback options. The standard practice is to register two YubiKeys per account, keeping one as a backup stored separately. YubiKey 5 series models support NFC for mobile use on Android devices and Apple devices with NFC capability.
How to Set Up a Passkey
The passkey creation process is consistent across most services that support passkeys. Go to the security or account settings of a supported service and look for a passkey, passwordless login, or security key option. The service will prompt your device or manager to begin passkey creation. Your device will ask you to verify your identity through biometrics or a PIN. The key pair is generated, the public key is sent to the service, and the private key is stored in whichever credential manager you have chosen.
If you are using a password manager like Bitwarden, Proton Pass, NordPass, 1Password, or Keeper, the browser extension will intercept the passkey creation and store it there rather than in your platform’s default manager. Most managers prompt you automatically when a passkey is detected.
For login, select the passkey option at the service’s sign-in page. Your manager or device will present the relevant passkey and ask for biometric authentication or PIN confirmation. The process takes seconds and requires no typing. There is no password to reset, no complex password to recall, and no SMS code to wait for.
Managing Passkeys Across Your Accounts
When you use a dedicated manager, the ability to manage passkeys across all your accounts is centralized in one place. You can view which services have passkeys enrolled, delete them if you switch services or devices, and add new ones as more platforms roll out passkey support. This is meaningfully different from managing passkeys stored across multiple platform-native managers where visibility is fragmented.
Setting up a passkey on a trusted device from the start, rather than migrating later, avoids the cross-platform portability friction that has historically made passkey transfers cumbersome. The Credential Exchange standard, introduced in 2025, is designed to address interoperability between managers, but full support across all platforms is still maturing.
If you lose access to a device, account recovery falls back to each service’s own process. Setting up passkeys on multiple devices or using a manager that offers encrypted backup reduces this risk significantly. Do not set up a passkey as your only access method without understanding the recovery options first.
Passkey Limitations Worth Knowing
Not universally supported yet
Passkey support is now widespread across major platforms but uneven across the broader web. Smaller services, regional platforms, and older systems may not support them for some time. You will be managing passkeys and traditional passwords in parallel for the foreseeable future. A password manager that handles both is the practical solution.
Device and account recovery
If you lose access to your device and your credential manager, account recovery falls back to each service’s own process. This can include email verification, backup codes, or account recovery services depending on the platform. Setting up passkeys on multiple devices and using a manager that offers encrypted backup reduces this risk significantly.
Cross-platform portability
Moving passkeys between credential managers has historically required re-enrolling on each service. The Credential Exchange standard introduced in 2025 is designed to address this, but full interoperability is still maturing.
Final Word
Passkeys are a genuine improvement over passwords, not an incremental one. The phishing resistance alone addresses one of the most damaging attack vectors in use today. Passwordless authentication at this level is not a feature that benefits only technically sophisticated users. It removes a structural vulnerability that affects everyone.
The question is not whether to adopt passkeys but how. Storing passkeys with Google or Apple is convenient and cryptographically sound, but it hands behavioral data to the same platforms that monetised it, and it creates dependencies that are a real liability in regions where platform access is restricted or unreliable.
Bitwarden, Proton Pass, NordPass, 1Password, and Keeper are all capable of holding your passkeys independently of the major platform ecosystems. For users who want no cloud dependency at all, a YubiKey removes the question entirely.
Enable passkeys where you can. Store them somewhere you control. And for the accounts that still require a password, make sure each one is strong and unique. Our password manager guide and encrypted email guide cover the rest of the infrastructure worth having in place.
If you are also evaluating two-factor authentication tools, our authenticator app guide covers your options there.