Sunday, 12 July 2026Clear-eyed news, from daybreak on.
DaybreakWire
Independent news, around the clock
Tech

What Is a Passkey, and How Does It Actually Work?

Google, Apple and your bank keep asking you to make one. A passkey is a login that never sends its secret across the wire, which is why it beats the password at the thing passwords fail at most: phishing.

A smartphone fingerprint sensor, the kind of biometric unlock used to approve a passkey sign-in.
A smartphone fingerprint sensor, the kind of biometric unlock used to approve a passkey sign-in.

Your bank wants you to use one. So does Google, Apple, Microsoft, WhatsApp and, increasingly, your employer. The prompt shows up mid-login — "Create a passkey?" — and most people tap "not now" because nobody ever explained what they'd be agreeing to. Here's the explanation, and why the technology underneath is genuinely different from the password it replaces.

A passkey is a login credential that lives on your device and lets you sign in the same way you unlock your phone: a fingerprint, a face scan, or a PIN. That's the surface. The interesting part is what's happening underneath, because a passkey isn't a secret you type — it's a secret your device proves it holds without ever revealing it.

How does a passkey work?

When you create a passkey for a site, your device generates two mathematically linked keys. One is public and gets handed to the website. The other — the private key — never leaves your device. It is not uploaded, not typed, not shown to the site, not shared with the company whose account you're protecting.

Logging in becomes a challenge-and-response. The site sends your device a puzzle that only the matching private key can solve. Your device asks you to confirm it's really you — Face ID, a fingerprint, the screen lock you already use — then solves the puzzle and sends back proof. The website checks that proof against the public key it stored and lets you in. The private key stays put the whole time. There is nothing on the server for a hacker to steal that would let them log in as you; a stolen public key is, on its own, useless.

That single design choice — the secret never travels — is what dismantles the entire economy of password theft.

Are passkeys actually safer than passwords?

Yes, and not marginally. Passwords fail in predictable ways: they get phished on fake login pages, reused across sites, guessed, or spilled in a database breach. A passkey resists all three. It is phishing-resistant because it is cryptographically bound to the real website's domain — present a passkey to a lookalike scam site and it simply won't work, because the domains don't match. There is no reusable string to spill in a breach. And nobody can be socially engineered into reading a passkey aloud over the phone, because there's nothing to read.

Britain's National Cyber Security Centre put its recommendation bluntly: use passkeys over passwords wherever they're available. Its technical comparison found passkeys are always as secure as, or more secure than, two-step verification built on even the strongest password. The convenience is real too — the NCSC cites passkey logins as up to eight times faster than typing a username, password and a texted code.

"Passkeys are resistant to phishing, as they can't be intercepted, reused or stolen like passwords. This removes one of the most common ways accounts are compromised."

UK National Cyber Security Centre

That phishing point is the one that matters most in practice. Daybreak Wire has covered the platforms racing to close that gap from other angles — Apple's iOS 27 scam-detection features and WhatsApp's move to hide phone numbers behind usernames — but passkeys attack the root of the problem rather than the symptoms.

Video: Microsoft Security — a short walkthrough of how passkeys replace passwords. Watch on YouTube.

What happens if I lose my phone?

This is the fear that keeps people on passwords, and it's mostly outdated. On the major platforms, your passkeys are created and looked after by a credential manager — Apple Passwords, Google Password Manager, Samsung Pass, or a third-party tool like 1Password or Bitwarden. That manager backs your passkeys up and syncs them, encrypted, across the devices signed into your account. Lose the phone, sign into a new one, and your passkeys come with you. The NCSC's guidance is explicit that a good credential manager keeps a backup precisely so a lost device doesn't lock you out.

The genuine edge cases are worth knowing. A passkey that exists on only one device, with no sync and no backup, can be lost with that device — which is why the sync feature matters and why keeping a second sign-in method during the transition is sensible. But the "one dropped phone and I'm locked out forever" scenario is not how the mainstream implementations are built.

Passkey vs. password: do you still need both?

For now, yes — and that's fine. Passkey support is wide but not universal; plenty of services still haven't added it. The pragmatic move is to turn passkeys on where they're offered, especially for the accounts that hurt most if breached — email, banking, your primary cloud login — and keep strong, unique passwords with two-step verification everywhere else. Email first is the highest-value swap, because whoever controls your inbox can reset everything downstream.

The direction of travel is not subtle. When the FIDO Alliance, three platform giants, national cyber agencies and your bank all push the same replacement at once, the password's remaining years are numbered. The thing worth internalizing isn't the marketing — it's the mechanism. A login that never sends its secret across the wire is a login a thief on the other end has nothing to catch. Tap "create a passkey" the next time your inbox offers, and you've quietly removed yourself from the single most common way accounts get stolen.

Reporting based on coverage by UK National Cyber Security Centre.

Related stories