
Security Awareness

What is a Passkey?

A modern replacement for passwords — stronger, simpler, and built to resist phishing by design.

The Basics

What is a passkey?

A passkey is a modern replacement for a password. Instead of typing a secret string of characters you have to remember, you prove who you are with your fingerprint, face, or device PIN — and your device handles the rest behind the scenes using strong cryptography.

Unlike passwords, passkeys can’t be phished, guessed, or stolen in a data breach. They’re built on open industry standards (FIDO2 and WebAuthn) and are already supported by Apple, Google, Microsoft, and most major websites and business applications.

Why it matters

Over 80% of data breaches involve stolen, weak, or reused passwords. Passkeys eliminate that risk entirely — they can’t be typed into a fake website, sold on the dark web, or cracked in a brute-force attack. They’re the biggest step forward in login security in 25 years.


Types of Passkeys

Not all passkeys live in the same place

Passkeys can be stored a few different ways depending on your device and preferences:

Platform Passkeys

Built into your device — Touch ID on Mac, Face ID on iPhone, Windows Hello on PC. Tied to that single device.

Synced Passkeys

Backed up to iCloud, Google, 1Password, or Bitwarden and available across every device you sign into.

Hardware Security Keys

Physical devices like YubiKey. The highest assurance — your credential never leaves the key.

Cross-Device Sign-In

Already set up on your phone? Scan a QR code to sign into any new device — no new passkey needed.

Which should you use?

For most small businesses, synced passkeys through a trusted password manager offer the best balance of security and convenience. Hardware keys are ideal for executives, IT admins, and anyone handling financial or highly sensitive data.


How It Works

Signing in with a passkey — annotated

Here’s what signing in with a passkey actually looks like, and why it’s more secure than a password:


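[Illustration: browser address bar showing https://login.megabyteitsolutions.com marked "Verified"; a page titled "Sign in to Megabyte Client Portal" with a "Sign in with passkey" button and the prompt "Use Touch ID to sign in to megabyteitsolutions.com"]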


Your passkey only works on the real domain — no way to fall for a phishing site

Behind the scenes: your device stores a private key that never leaves it. The website only knows the matching public key. When you sign in, the site asks your device to prove itself by signing a unique challenge — something only the real device, unlocked with your fingerprint or PIN, can do. No password ever crosses the network, so there’s nothing for an attacker to intercept or steal.
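
The challenge-and-signature exchange described above, as an added example that is not part of the original page or the portal's own code: a simplified Node.js simulation in which the function names are hypothetical and the origin and domain are copied from the illustration. A real browser and authenticator also refuse to offer the passkey on any other domain before signing, and a production site would use a maintained WebAuthn library rather than these hand-written checks.

```javascript
// Added example (not the portal's code): simulated passkey sign-in in Node.js.
const crypto = require('node:crypto');

// Values taken from the sign-in illustration on this page.
const ORIGIN = 'https://login.megabyteitsolutions.com';
const RP_ID = 'megabyteitsolutions.com';

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Enrollment: the device keeps privateKey, the website stores only publicKey.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side. The browser, not the web page, records the origin it is really on.
function signChallenge(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  // authenticatorData = SHA-256(rpId) | flags (0x05: user present + verified) | counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Website side: needs only the stored public key and the challenge it just issued.
function verifySignIn(publicKey, issuedChallenge, reply) {
  const client = JSON.parse(reply.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== issuedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!reply.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((reply.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([reply.authenticatorData, sha256(reply.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, reply.signature) ? 'ok' : 'bad signature';
}

// Constructed run: one good sign-in, then the same reply replayed against a new challenge.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = crypto.randomBytes(32);
  const reply = signChallenge(privateKey, challenge, ORIGIN, RP_ID);
  return [verifySignIn(publicKey, challenge, reply),
          verifySignIn(publicKey, crypto.randomBytes(32), reply)];
}
console.log(demo());
```

The website never holds anything secret: a reply signed for a different origin, against an old challenge, or by a different key fails one of the checks in `verifySignIn`.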


Why Switch

What passkeys do better than passwords

Passkeys solve problems passwords never could:

  • Phishing-resistant by design — a passkey only works on the real website it was created for. There’s no way to enter it on a fake login page.

  • Nothing to remember — no passwords to forget, reset, or write on a sticky note.

  • Can’t be stolen in a breach — only public keys are stored on servers. Even if a company is hacked, your credentials stay safe.

  • Unique to every account — no reuse risk across websites. One breach can’t cascade into another.

  • Faster to use — sign in with a fingerprint or a glance. No typing, no waiting for SMS codes.

  • Follow you across devices — synced passkeys work seamlessly from phone to laptop to tablet.

  • No more SMS codes — passkeys replace weaker forms of MFA that can be intercepted via SIM swap attacks.

  • Backed by the entire industry — Apple, Google, Microsoft, AWS, and major banks already support passkeys.

The Bottom Line

Passkeys solve the three biggest problems with passwords: passwords can be phished, stolen, or reused. Switching doesn’t just improve security — it removes one of the biggest sources of daily friction for your team.


Getting Started

How to start using passkeys

1. Check which services support passkeys. Microsoft 365, Google Workspace, Apple ID, and many business SaaS tools already support passkeys. Look for “passkey” or “security key” in your account’s sign-in settings.

2. Pick where your passkeys live. Decide between device-bound (platform), synced through a password manager, or a hardware key. For most businesses, a trusted password manager is the best starting point.

3. Enroll your most important account first. Start with your work email, since it’s the gateway to everything else. Follow the prompts in your account’s security settings to create a passkey.

4. Keep a backup method. Register a second passkey on another device, or leave MFA enabled until your primary passkey is working reliably — so you never get locked out.

5. Roll it out to your team. Work with your IT provider to plan a company-wide passkey deployment — including enrollment, training, and retiring password-only logins.


Questions? Contact Megabyte IT Solutions
KB-SEC-005 · Security Awareness