Passwords are the part of your digital life most likely to get you hacked, and the part you’re most likely to reuse, scribble on a sticky note, or reset at 2 a.m. Passkeys flip the model: instead of a secret string you have to remember and a server has to store, a passkey is a cryptographic key pair that lives on your phone or computer. The private key never leaves your device, and signing in proves you’re you without ever transmitting the secret. If you’ve been putting this off, the good news is that by mid-2026 every major platform — Google, Apple, and Microsoft — supports passkeys as a first-class sign-in, and the setup takes minutes.
This guide walks through creating your first passkey, using it to log in, syncing it safely across devices, and the hardware-key option for when you want maximum protection.
What a passkey actually is (in plain terms)
A passkey is a key pair built on the FIDO2 / WebAuthn standard (FIDO Alliance: Passkeys). One half — the public key — is registered with the website. The other half — the private key — stays locked inside your device’s secure hardware (the Secure Enclave on Apple devices, a similar trusted module on Android and Windows). When you sign in, the site sends a challenge; your device answers it using the private key after you approve with a fingerprint, face scan, or device PIN.
Two properties make this fundamentally safer than passwords. First, there is no password to phish: a attacker who clones the login page gets a one-time challenge they cannot answer without your physical device. Second, there is no shared secret sitting in the company’s database that can leak in a breach. Google’s own help documentation describes passkeys as resistant to phishing, and notes that adding one “doesn’t change or remove any authentication or recovery” you already use (Google Account Help: Sign in with a passkey).
What you need before you start
- A phone or computer signed into your account with a recent OS: iPhone/iPad on iOS 16+, Mac on macOS Ventura+, Android 9+ with Google Play services, or Windows 10/11 with Windows Hello.
- A screen lock enabled (biometric or PIN). Passkeys are only as safe as the lock that gates them.
- Your account’s recovery options up to date (a recovery email or phone), so a lost device doesn’t lock you out.
If you share a device with someone else, each person should use their own profile — passkeys are tied to the local user and the account that created them.
Step 1: Create your first passkey on Google
- On your phone or computer, open your Google Account and go to Security → How you sign in to Google → Passkeys.
- Tap Create a passkey. Your device will prompt for your fingerprint, face, or PIN to confirm it’s you.
- Google registers the public key. You’ll see the new passkey listed with the device name.
From now on, when you sign in on a new device, Google can offer a passkey prompt. On the same phone you’ll simply authenticate locally; from another device you’ll get a QR code you scan with your phone to approve the sign-in (Google Account Help: Sign in with a passkey). That QR handoff is the “use a passkey from another device” flow, and it’s the part that lets you log in even when the keyboard isn’t on the device holding the key.
Step 2: Turn on passkeys for your Apple Account
Apple ships passkey support across iPhone, iPad, and Mac, with keys synced through iCloud Keychain so they travel with your account (Apple Support: Use passkeys).
- On iPhone/iPad, open Settings → [your name] → Sign in & Security → Passkeys (or, when prompted at sign-in, choose Use passkey).
- Authenticate with Face ID or Touch ID. The passkey is created and stored in iCloud Keychain.
- On a Mac, the same keychain surfaces the passkey automatically in Safari — no copy-paste, no typing.
Because the key lives in iCloud Keychain, a new Apple device you sign into picks up your passkeys. That convenience is also the reason your Apple Account recovery (a trusted phone number and, ideally, a recovery contact) matters: it’s your fallback if every device is lost.
Step 3: Sign in with a passkey (the actual flow)
The experience varies slightly by site, but the pattern is consistent:
- Same device: You tap “Sign in with passkey,” your OS pops a biometric prompt, you approve, you’re in.
- Another device (desktop): The site shows a QR code; you scan it with your phone, approve on the phone, and the desktop session unlocks.
- Cross-platform: Sites that support passkeys usually still let you use a saved password as a fallback until you’ve fully migrated — don’t delete your passwords until you’ve confirmed passkey sign-in works everywhere you need it.
The single most common mistake is deleting the password too early. Keep the password as a backup for at least a week of real sign-ins across your devices.
Step 4: Sync and back up
There are two flavors of passkey, and knowing the difference saves you grief:
- Synced passkeys are copied across your devices by your provider (iCloud Keychain for Apple, Google Password Manager for Google, Microsoft account for Windows). Lose one phone and your other devices still have the key.
- Device-bound passkeys (often on a hardware security key like a YubiKey) exist only on that one physical token. They don’t sync, which makes them tamper-resistant but also means you need a second registered key as a spare.
For most people, synced passkeys are the right default: they’re nearly as phishing-resistant as hardware keys and they don’t strand you when a phone dies. Apple documents this synced-through-iCloud-Keychain behavior explicitly (Apple Support: Use passkeys).
Step 5: Add a hardware key for high-value accounts
If an account is high-stakes — email, a password manager, domain registrar — consider registering a physical security key as a device-bound passkey in addition to your synced one. Plug it in (or tap it via NFC), approve the prompt, and you now have a second factor that cannot be phished remotely. Keep a second hardware key in a drawer as the spare; most platforms let you register multiple passkeys per account.
When a site doesn’t support passkeys yet
Adoption is broad but not universal. For holdouts, keep using a strong, unique password stored in a password manager, and turn on TOTP or app-based two-factor authentication as a stopgap. Prioritize moving your email, password manager, and financial logins to passkeys first — those are the accounts an attacker would compromise to reset everything else.
Troubleshooting
- “Passkey not found” on a new device: You’re likely on a synced passkey from another ecosystem. Use the QR handoff from the device that holds the key, or sign in with your backup password and register a new passkey on the current device.
- Biometric prompt won’t appear: Make sure the device’s screen lock and biometric enrollment are active; passkeys ride on top of that lock.
- Lost the only device: Use account recovery (recovery email/phone or a recovery contact) to regain access, then register fresh passkeys on your replacement device.
Bottom line
Set up one passkey today on the account you use most — almost certainly your Google or Apple sign-in. Confirm it works on a second device via the QR handoff, keep the old password as a backup for a week, then repeat for email, your password manager, and banking. Within an afternoon you can remove the single biggest source of account breaches without installing anything new or memorizing another string of characters. Passkeys aren’t a future standard you’re waiting on; they’re the default sign-in on every platform that matters, and the cost of switching is a few minutes.
