AIO APEX

Passkeys Are Replacing Passwords at Apple, Google, and Microsoft — Here Is What Actually Changes for You


In May 2022, Apple, Google, and Microsoft jointly announced expanded support for a passwordless authentication standard built on WebAuthn and FIDO2. By 2024, Apple had moved iCloud accounts to passkeys by default, Google had enrolled over 800 million Google accounts, and Microsoft had begun removing passwords entirely from new consumer accounts. Despite this scale, most users still think passkeys are just another form of two-factor authentication — they are not. Passkeys are a fundamentally different authentication model, and understanding the mechanics explains why they eliminate entire categories of attack that passwords cannot.

The core thesis: passkeys replace the shared-secret model of passwords with asymmetric cryptography. When you create a passkey, your device generates a key pair — a private key stored in a hardware-secured enclave on your device, and a public key registered with the service. At login, the service sends a cryptographic challenge; your device signs it with the private key and returns the signature. The server verifies the signature against your public key. At no point is a secret transmitted, and the private key never leaves your hardware. Compare this to password authentication, where your secret — or a derivative of it — must be transmitted to the server on every login.

WebAuthn Under the Hood

WebAuthn (Web Authentication API) is the W3C standard that browsers implement to expose passkey functionality to websites. The API was finalized as a W3C Recommendation in March 2019 (Level 1) and updated in April 2021 (Level 2). When a site calls navigator.credentials.create(), the browser delegates to an authenticator — either a platform authenticator (your device's secure enclave, such as Apple's Secure Enclave, Android's StrongBox, or Windows Hello's TPM chip) or a roaming authenticator (a hardware key like a YubiKey).

The authenticator generates an ES256 (ECDSA with P-256 curve) or RS256 key pair for that specific relying party — identified by its registered domain (RP ID). The private key is sealed inside the secure element, where it can only be used after local user verification (biometric or PIN). The public key and a credential ID are sent to the server and stored in its database. No password hash, no PBKDF2 rounds, no bcrypt cost factor — just a public key that is mathematically useless to an attacker without the corresponding private key.

The Attestation Step

During registration, authenticators can optionally produce an attestation statement — a cryptographically signed declaration of the device's make, model, and security level, signed with a certificate chain that the service can check against the authenticator vendor's root certificates published in the FIDO Alliance's Metadata Service (MDS). This lets high-security services (banks, governments) verify they are accepting credentials from a genuine hardware secure element, not a software emulation. Consumer services typically skip attestation and accept any conformant authenticator.

Phishing Resistance Is Structural, Not Behavioral

Password phishing works because users cannot reliably distinguish accounts.google.com from accounts.g00gle.com under time pressure. Even hardware 2FA keys that implement TOTP (time-based one-time passwords) are phishable — the attacker relays the OTP in real time to the real site. Passkeys close this attack surface at the protocol level.

The private key is bound to the RP ID — the registered domain. When the WebAuthn assertion ceremony begins, the browser checks that the RP ID the site requests matches the page's origin (the same domain or a parent of it), the authenticator hashes the RP ID into the signed authenticator data, and the browser records the origin in the signed client data. If you are on a phishing site at a different domain, the RP ID in the assertion will not match the credential's binding, and the authentication fails. The attacker cannot redirect the assertion to the real site because the signature is non-transferable — it was computed with the phishing site's origin baked in. With passkeys this is not a user-education problem; the attack is impossible by construction.

The 2023 FIDO Alliance Passkey Central report documented that credentials compliant with CTAP2.1 (Client to Authenticator Protocol version 2.1) are resistant to real-time phishing, adversary-in-the-middle (AiTM) attacks, and credential stuffing. AiTM proxy attacks — which successfully bypass SMS OTP and TOTP — have no equivalent attack vector against WebAuthn assertion signatures.

Sync Passkeys: Convenience vs. Device-Bound Security

The original FIDO2 model was device-bound: a hardware authenticator held one copy of the private key. Losing the device meant losing the credential. This was secure but created usability problems — it was a non-starter for mass adoption. The FIDO Alliance's 2022 extension introduced multi-device credentials, colloquially called sync passkeys.

With sync passkeys, the private key material is encrypted and synced across your devices through the platform vendor's cloud. Apple syncs through iCloud Keychain using end-to-end encryption with keys derived from your device passcode. Google syncs through Google Password Manager, also end-to-end encrypted. Microsoft syncs through Windows Hello and, as of 2024, supports cross-device sync through the Microsoft Authenticator app.

This creates a tradeoff that security teams debate actively. Sync passkeys are dramatically more secure than passwords — they still cannot be phished, and no server breach exposes them — but the threat model shifts from "compromise the device" to "compromise the cloud account plus device PIN/biometric." For most users, this is an acceptable tradeoff; their Google or Apple account already protects far more sensitive data. For high-value targets (journalists, executives, activists), device-bound passkeys on a dedicated FIDO2 hardware key (YubiKey 5 series, starting at $50, or Google Titan key at $30) remain the strongest option.

Cross-Device Authentication

When you try to log into a site on a desktop browser but your passkey is stored on your phone, WebAuthn supports a cross-device authentication flow using CTAP2's hybrid transport. The desktop browser displays a QR code; your phone scans it and establishes an encrypted BLE (Bluetooth Low Energy) channel. The phone signs the assertion locally (after biometric verification) and transmits the signature back over the encrypted channel. Your private key never crosses the BLE link — only the signed challenge response does. This requires Bluetooth to be enabled on both devices, which is a minor friction point.

What Happens to Server Breaches

The 2024 RockYou2024 leak compiled 9.9 billion plaintext passwords from prior breaches. Password databases are valuable to attackers precisely because passwords are reused — 65% of users reuse the same password across multiple sites according to Google's 2023 Password Manager Report. With passkeys, there is no password in the database to steal. The server stores only your public key. Even if an attacker exfiltrates the entire passkey database, they have a collection of public keys — mathematically equivalent to a list of padlocks with no keys. They cannot authenticate as you, cannot crack the keys offline, and cannot use them to attack other services.

Services Still Stuck on Passwords

As of mid-2025, passkey support is widespread but uneven. GitHub added passkey support in July 2023. Shopify enabled it in early 2024. Significant holdouts include many banking portals (particularly credit unions and regional banks), government services, enterprise VPNs, and any service that has not updated its authentication stack since 2020. Legacy Java EE and PHP applications often use authentication libraries that have not integrated FIDO2 server-side components (such as java-webauthn-server by Yubico or php-webauthn by lbuchs).

For services that still require passwords, the practical approach is a password manager with strong random credentials — Bitwarden (open source, free tier), 1Password ($2.99/month), or the platform keychain. This is not equivalent to passkey security — your password manager vault is encrypted with a master password that could be phished — but it eliminates credential reuse, which is the most common attack vector.

Actionable Steps

  • Audit passkey support now: Check passkeys.directory (a community-maintained registry) to see which services you use already support passkeys. Enable them on Google, Apple ID, Microsoft, GitHub, and any other service listed.
  • Understand your sync model: If you use Apple devices, your passkeys sync through iCloud Keychain by default. If you use Android, they sync through Google Password Manager. You can also save passkeys to 1Password or Bitwarden if you prefer vendor-neutral storage — both added passkey support in 2023.
  • High-security accounts get hardware keys: For your primary email, domain registrar, and financial accounts, pair passkey setup with a backup hardware FIDO2 key. Register two keys so you have a spare. The YubiKey 5C NFC ($55) covers USB-C and NFC, handling nearly every device.
  • Do not delete your old 2FA yet: When you add a passkey, keep your existing TOTP authenticator or SMS backup for service recovery. Remove the password (where the service allows it) once you have confirmed the passkey works across all your devices.
  • Legacy services get unique passwords: For any service without passkey support, generate a unique random password in your password manager. Do not wait for the service to catch up before improving your security posture today.

Passkeys are not a future technology — they are deployed at scale now. The gap between services that support them and users who have adopted them is a user-awareness problem, not a technical one. Every passkey you create removes a credential that can be phished, breached, or guessed. Start with the accounts that matter most.
