Passwords suck. They're hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here's everything you need to know about using them.

What Is a Passkey?

Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that's resistant to common attacks on passwords like phishing and dictionary attacks.

“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity, one that’s not only easier to use than previous methods but also safer.

Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.

Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way.
Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that's needed to end up with a compromised account, and you didn't even do anything wrong.

Passkeys use public-key cryptography. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.

Are Passkeys Safe?

Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a small amount of information to the service you’re signing in to, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything. On the device where you created the passkey, you'll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log in to. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.
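
The challenge-and-signature flow described above, as an added example (not code from this article or from the FIDO Alliance). It is a simplified model, not the WebAuthn wire format: the function names, username and origins are constructed, and it assumes, as the real protocol does, that the signed data includes the site origin, which is what stops a look-alike site from reusing a signature.

```javascript
// Simplified passkey model; all names and origins here are constructed for illustration.
const nodeCrypto = require('crypto');

// Device side: the private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // handed to the service once, at registration
    // Sign the service's challenge together with the origin the browser actually sees.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Service side: stores only public keys and the challenges it has issued.
function createService(expectedOrigin) {
  const users = new Map();   // username -> public key (useless to a thief on its own)
  const pending = new Set(); // challenges issued and not yet used
  return {
    register(username, publicKey) { users.set(username, publicKey); },
    issueChallenge() {
      const challenge = nodeCrypto.randomBytes(32).toString('hex');
      pending.add(challenge);
      return challenge;
    },
    verify(username, { clientData, signature }) {
      const publicKey = users.get(username);
      if (!publicKey) return false;
      if (!nodeCrypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return false;
      const { challenge, origin } = JSON.parse(clientData);
      if (origin !== expectedOrigin) return false; // signed for a look-alike site
      return pending.delete(challenge);            // false if unknown or already used
    },
  };
}

// Constructed scenario: one good login, one replay, one phishing relay.
function demo() {
  const device = createAuthenticator();
  const service = createService('https://shop.example');
  service.register('alice', device.publicKey);
  const good = device.sign(service.issueChallenge(), 'https://shop.example');
  const phished = device.sign(service.issueChallenge(), 'https://shop-example.test');
  return {
    login: service.verify('alice', good),       // true
    replay: service.verify('alice', good),      // false: challenge already consumed
    phishing: service.verify('alice', phished), // false: origin mismatch
  };
}
```

Unlike a password database, the `users` map holds nothing that can be replayed: a stolen public key cannot produce a valid signature.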