Skip to content

Identity term · last reviewed 2026-07-07

Passkey

Also known as: Passkeys

A passkey is a discoverable WebAuthn credential, usually synced across a user's devices, that replaces a password with a phishing-resistant key pair held by the platform.

How it works

A passkey is a discoverable WebAuthn credential, usually synced across a user's devices, that replaces a password with a phishing-resistant key pair. The private key is created and held by the platform (iCloud Keychain, Google Password Manager, or a third-party manager like 1Password) and, for synced passkeys, replicated across the user's devices through an end-to-end-encrypted cloud. To sign in, the device signs a server-issued challenge with the private key; the server verifies it against the stored public key. Passkeys build on FIDO2, so they inherit its origin-binding and phishing resistance.

When it matters

Passkeys matter when you want mainstream users to go passwordless without carrying a hardware key. Synced passkeys solve the recovery and adoption problem that device-bound credentials created: lose your phone, and the passkey restores automatically on your next device. For consumer products, synced passkeys are usually the right default; high-assurance systems may still require device-bound roaming keys. Design account recovery before you ship. See Implement Passkeys / WebAuthn and passkeys.dev.

Common misconceptions

  • "A passkey is stored on one device." Synced passkeys follow the user across devices via the platform cloud; device-bound ones do not.
  • "Passkeys eliminate account recovery work." They change it. A weak recovery fallback silently reintroduces phishing risk.
  • "Passkeys and [MFA](/glossary/mfa/) stack." A passkey replaces the password with a single strong factor rather than adding a second prompt.
← All terms