Passkeys Explained: The Passwordless Future, in Plain English
Passkeys are the biggest change to logging in since the password itself. The promise is simple: sign in with the same fingerprint, face, or PIN you already use to unlock your device, with nothing to type, remember, or leak. Here is what passkeys actually are, how they work, and why they are more secure — without the jargon.
The problem passkeys solve
Passwords have a fundamental weakness: they are a shared secret. You know your password, and so does the website (in some form). That means it can be guessed, phished, reused, or stolen in a breach. Even strong passwords inherit these risks because the secret has to travel and be stored somewhere.
Passkeys replace the shared secret with something fundamentally safer.
How passkeys work
A passkey is based on public-key cryptography. When you create a passkey for a site, your device generates two mathematically linked keys:
- A private key that never leaves your device and is protected by your hardware (for example, the Secure Enclave on a Mac or iPhone).
- A public key that is given to the website.
To log in, the site sends a challenge. Your device uses the private key to sign it, proving you hold the key — without ever revealing the key itself. The site verifies the signature with the public key it stored.
Because the private key never leaves your device and nothing reusable is sent over the network, there is no password to steal, phish, or leak in a breach.
Why passkeys are more secure
- Nothing to phish. A fake site cannot trick you into handing over a passkey, because the signing is bound to the real site's identity. This is a major win against phishing. See how to spot a phishing attack.
- Nothing to breach. A site that gets hacked only loses public keys, which are useless to attackers.
- No reuse. Each passkey is unique to one site, so there is no reuse risk.
- Built-in second factor. Unlocking the passkey with your face, fingerprint, or device PIN bakes in a second factor automatically.
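The challenge-and-signature exchange from "How passkeys work" and the "Nothing to phish" point above, as an added Node.js example (a simplified model, not code from this article or from any passkey product). Real passkeys use the WebAuthn standard, which signs more fields than shown here; the function names and the two origins are hypothetical and constructed for the illustration.

```javascript
const crypto = require('node:crypto');

// Registration: the device creates a key pair; the site receives only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKey };
}

// Site side: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// The bytes that get signed: the origin the browser is actually on, plus the challenge.
function signedData(origin, challenge) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), challenge]);
}

// Device side: sign with the private key, which is never sent anywhere.
function deviceSign(privateKey, browserOrigin, challenge) {
  return crypto.sign('sha256', signedData(browserOrigin, challenge), privateKey);
}

// Site side: check the signature against its own origin and the challenge it issued.
function siteVerify(publicKey, ownOrigin, issuedChallenge, signature) {
  return crypto.verify('sha256', signedData(ownOrigin, issuedChallenge), publicKey, signature);
}

// Runs three sign-in attempts against the real site and returns each outcome.
function demo() {
  const site = 'https://bank.example';            // constructed origin
  const lookalike = 'https://bank-login.example'; // constructed look-alike origin
  const { privateKey, publicKey } = register();
  const challenge = newChallenge();
  const good = deviceSign(privateKey, site, challenge);
  const relayed = deviceSign(privateKey, lookalike, challenge); // signed while on the fake page
  return {
    genuine: siteVerify(publicKey, site, challenge, good),
    relayedFromLookalike: siteVerify(publicKey, site, challenge, relayed),
    replayedOldSignature: siteVerify(publicKey, site, newChallenge(), good),
  };
}

console.log(demo());
```

Only the first attempt verifies: a signature made on the look-alike page carries the wrong origin, and an old signature does not match a new challenge.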
Where passkeys are stored
On Apple devices, passkeys are stored in iCloud Keychain and sync across your devices, protected by your biometrics. Password managers increasingly support passkeys too. On a Mac, your passkeys live in the same secure Keychain that tools like Passlock build on. See how the macOS Keychain works.
The catch (for now)
Passkeys are excellent but not yet universal. Not every site supports them, account recovery flows are still maturing, and using a passkey across different ecosystems can be clunky. So for the foreseeable future, you will use passkeys where available and passwords everywhere else — which means you still need a good way to manage strong, unique passwords. We explore the timeline in "Are Passkeys Replacing Passwords?".
What to do today
Turn on passkeys wherever a site offers them, especially for important accounts. For everything that still uses passwords, keep using a password manager with unique, strong passwords and two-factor authentication. Passkeys are the future, but the present is a sensible mix of both.
Frequently asked questions
Are passkeys safer than passwords?
Yes. Passkeys use public-key cryptography, so there is no shared secret to phish, reuse, or steal in a breach. The private key never leaves your device.
Do passkeys replace my password manager?
Not yet. Many sites still use passwords, so you need a way to manage them. Passkeys and password managers coexist, and many managers now store passkeys too.