Passkeys Are Replacing Passwords — Here's Where Things Actually Stand

How Passkeys Work
A passkey is a cryptographic credential built on the WebAuthn / FIDO2 standards. When you register, your device generates a public–private key pair. The private key never leaves your device; the server stores only the public key. When you authenticate, the device signs a challenge with the private key, and the server verifies the signature with the public key.
Because the credential is origin-bound — cryptographically tied to a specific domain — a phishing site can never harvest a passkey. Even if an attacker tricks you into visiting paypa1.com, the passkey for paypal.com simply will not work there. This phishing immunity is the single biggest security leap passkeys offer over passwords or SMS OTP.
Adoption Numbers
Google reported surpassing 800 million passkey authentications per month in late 2025, across more than 400 million accounts. The FIDO Alliance's compatible-services list has crossed 300 major platforms. Microsoft reports that over 99% of its consumer sign-ins are now passwordless (a broader category that includes passkeys and Windows Hello).
Which Services Support Passkeys
- Google — passkeys are the default sign-in for personal accounts
- Apple — supported on all Apple ID sign-ins; iCloud Keychain syncs across devices
- Microsoft — Windows Hello and Authenticator app on personal and Entra-managed accounts
- GitHub — passkeys available for all account types since 2023
- PayPal — passkeys in the US and expanding globally
- eBay — passkey support rolled out in 2024
- Shopify — merchant and buyer passkey flows live
- WhatsApp — passkeys on Android and iOS
Cross-Device Sync
Passkeys are most convenient when synced across your devices. Three major ecosystems handle this today:
- Apple Keychain — passkeys sync end-to-end encrypted across iPhone, iPad, and Mac via iCloud
- Google Password Manager — passkeys sync across Android and Chrome on any OS
- 1Password & Dashlane — third-party managers that work cross-platform and allow business teams to share passkeys
Cross-Platform Friction
The roughest edge in 2026 is cross-ecosystem authentication. If your passkey lives in Apple Keychain and you need to sign in on a Windows PC, you must use the QR code + Bluetooth hybrid flow: the PC shows a QR code, you scan it on your iPhone, and Bluetooth proximity confirms you are physically present. It works, but it's jarring enough that many users abandon and fall back to a password.
Progress is coming. The FIDO Alliance's Credential Exchange Protocol (CXP), finalized in 2025, lets users export passkeys from one manager and import them into another — ending vendor lock-in once managers ship the feature.
Enterprise: Okta and Microsoft Entra
Enterprises are adopting passkeys through identity providers. Okta supports FIDO2 passkeys in its Workforce Identity Cloud, and phishing-resistant MFA is now a compliance checkbox for US federal contractors. Microsoft Entra (formerly Azure AD) supports hardware security keys and device-bound passkeys via Windows Hello for Business, with synced passkeys on the roadmap.
Device Loss and Recovery
The biggest usability question: what happens if you lose your phone? Because synced passkeys exist in the cloud (encrypted), recovering them is tied to your cloud account recovery flow — Apple ID recovery contacts, Google Account recovery email/phone. For device-bound passkeys (like a FIDO2 hardware key), you should register at least two keys and store one offsite. Most services also maintain a backup recovery code or email flow, though these reintroduce phishing surface.
Why SMS OTP Persists
Despite passkeys' advantages, SMS OTP remains widespread because it requires zero client-side setup, works on any phone, and is familiar to billions of users. SIM-swapping attacks are real but rare compared to credential stuffing. Regulated industries (banking, healthcare) also face compliance requirements written around OTP. Expect SMS OTP to fade slowly over the next five years as passkey UX matures, not vanish overnight.
Developer WebAuthn API Overview
Adding passkey support requires two flows: registration and authentication.
Registration:

```javascript
// Registration: the browser asks the authenticator to create a new key pair.
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,  // random bytes (BufferSource) issued by the server for this ceremony only
    rp: { name: "My App", id: "myapp.com" },
    user: { id: userId, name: userEmail, displayName: userName },  // userId is a BufferSource, not a string
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],           // -7 = ES256 (ECDSA P-256 with SHA-256)
    authenticatorSelection: { residentKey: "required" }            // discoverable credential, needed for usernameless login
  }
});
```

Authentication:

```javascript
// Authentication: the authenticator signs a fresh server challenge with the stored private key.
const assertion = await navigator.credentials.get({
  publicKey: { challenge: serverChallenge, rpId: "myapp.com" }
});
```

Server-side, libraries like SimpleWebAuthn (Node.js), py_webauthn (Python), and webauthn4j (Java) handle the cryptographic verification. Passkeys that use residentKey: required are stored on the authenticator and enable fully passwordless, usernameless login.
Actionable Takeaways
- Users: Enable passkeys on Google, Apple ID, and GitHub today. Use 1Password or Dashlane if you want cross-platform flexibility.
- Developers: Add WebAuthn registration alongside your existing login. The browser API is stable; use a server library. Support both synced and device-bound credentials.
- Enterprises: Require phishing-resistant MFA (passkey or hardware key) for privileged access. Okta and Entra both support this now.
- Everyone: Keep a backup recovery method. Passkeys are not a reason to skip account recovery setup.
The password era is not over — 300 platforms out of millions means most login boxes still expect a string of characters. But the infrastructure is in place, the UX is improving, and the security case is overwhelming. The question is no longer whether passkeys will replace passwords, but how quickly.