Passkeys
A passwordless authentication standard that uses cryptographic key pairs stored on your device, replacing traditional passwords with phishing-resistant, biometric-backed login.
Passkeys are a modern replacement for passwords, built on the FIDO2/WebAuthn standard. Instead of typing a password, you authenticate with your device’s biometrics (fingerprint, face scan) or a PIN. Behind the scenes, a cryptographic key pair handles verification: a private key stays on your device, and a public key is stored by the service. The server never sees your secret.
How Passkeys Work
- When you register a passkey with a website, your device generates a unique key pair
- The private key is stored securely on your device (in the secure enclave or TPM chip)
- The public key is sent to the website
- To log in, the website sends a challenge. Your device signs it with the private key after you verify with biometrics or PIN
- The website verifies the signature with the public key
This process is invisible to you. You see a fingerprint prompt or Face ID, tap confirm, and you are logged in.
Why Passkeys Are More Secure Than Passwords
- Phishing-proof. A passkey is bound to the exact domain it was created for. A phishing site with a lookalike URL cannot request your passkey, because the domain does not match. This eliminates the most common attack vector against passwords entirely.
- No shared secrets. With passwords, both you and the server know the secret. If the server is breached, your password leaks. With passkeys, the server only has the public key, which is useless to an attacker.
- No reuse possible. Each passkey is unique to one service. There is no equivalent of credential stuffing against passkeys.
- Built-in second factor. A passkey combines “something you have” (your device) with “something you are” (biometrics) or “something you know” (PIN). It replaces both the password and 2FA in a single step.
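The registration and login exchange from the "How Passkeys Work" list, together with the domain binding and public-key-only storage in the bullets just above, as an added Go example that is not part of this page and not the code of any WebAuthn library or product. It is a simplified simulation of the FIDO2/WebAuthn flow: the Authenticator type stands in for the device's secure enclave, RelyingParty for the website, and Scenario runs one genuine login followed by one attempt from a lookalike domain. The assumptions are mine: the names bank.example and bank-login.example are constructed, the challenge is hex-encoded in the client data rather than base64url, and the authenticator data keeps only the rpId hash, flags and counter of the real format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what the device returns after the user confirms with biometrics or PIN.
type Assertion struct {
	AuthData   []byte // sha256(rpId) || flags || signCount (simplified WebAuthn layout)
	ClientData []byte // JSON {type, challenge, origin} assembled by the browser
	Signature  []byte // ECDSA P-256 over authData || sha256(clientData)
}

// signedDigest is the WebAuthn signing input, computed identically on both sides.
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Authenticator models the secure enclave: one private key per rpId, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a key pair bound to rpId and hands back only the public half.
func (a Authenticator) Register(rpId string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system CSPRNG is broken
	}
	a[rpId] = priv
	return &priv.PublicKey
}

// Sign mimics navigator.credentials.get(): the browser derives rpId from the real origin, so a
// lookalike domain finds no passkey to sign with; userVerified models the biometric/PIN gate.
func (a Authenticator) Sign(rpId, origin string, challenge []byte, userVerified bool) (*Assertion, error) {
	priv := a[rpId]
	if priv == nil || !userVerified {
		return nil, errors.New("no passkey for " + rpId + ", or biometric/PIN check failed")
	}
	cd, _ := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": hex.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(rpId))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags 0x05 = user present + user verified
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, err
}

// RelyingParty is the website. It holds only public keys, so a breach leaks no secret.
type RelyingParty struct{ rpId, origin string }

// FinishLogin runs the server-side checks: challenge, origin, rpId hash, flags, then signature.
func (rp RelyingParty) FinishLogin(pub *ecdsa.PublicKey, challenge []byte, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.rpId))
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != hex.EncodeToString(challenge):
		return errors.New("challenge mismatch")
	case cd["origin"] != rp.origin:
		return errors.New("origin mismatch: " + cd["origin"])
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]):
		return errors.New("rpId hash mismatch")
	case as.AuthData[32]&0x05 != 0x05:
		return errors.New("user presence/verification flags not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientData), as.Signature):
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenario registers a passkey at bank.example (constructed names), then tries a genuine login and one via a lookalike domain; nil means accepted.
func Scenario() (genuine, phishing error) {
	rp := RelyingParty{rpId: "bank.example", origin: "https://bank.example"}
	dev := Authenticator{}
	storedPub := dev.Register("bank.example") // all the server ever stores
	challenge := make([]byte, 32) // fresh per login; a real server binds it to the session
	_, _ = rand.Read(challenge)   // crypto/rand; a failure here would mean a broken CSPRNG
	as, err := dev.Sign("bank.example", "https://bank.example", challenge, true)
	if err != nil {
		return err, err
	}
	genuine = rp.FinishLogin(storedPub, challenge, as)
	// A lookalike page relays the bank's real challenge, but the browser scopes the request
	// to the lookalike's own rpId, for which the device holds no key, so nothing is signed.
	_, phishing = dev.Sign("bank-login.example", "https://bank-login.example", challenge, true)
	return genuine, phishing
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run: the genuine login returns nil, while the lookalike attempt fails inside the authenticator before any signature exists. That is the whole phishing-resistance argument in one place: the private key is scoped to the domain by the browser and the device, not by the user's ability to spot a bad URL, and the only thing the server holds is a public key that a breach cannot turn into a login.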
Where Passkeys Work Today
As of 2026, passkeys are supported by most major platforms and services:
- Operating systems: iOS 16+, Android 14+, macOS Ventura+, Windows 11
- Browsers: Chrome, Safari, Firefox, Edge
- Major services: Google, Apple, Microsoft, Amazon, PayPal, GitHub, WhatsApp, many banks
- Password managers: 1Password, Bitwarden, Dashlane, and Apple Passwords all support storing and syncing passkeys across devices
Adoption is growing rapidly. Google reports that passkey sign-ins are now faster and more common than password+2FA on its platform.
Passkeys and Password Managers
You do not need to choose between passkeys and a password manager. Modern password managers store passkeys alongside traditional credentials, syncing them across all your devices. This solves the main limitation of device-bound passkeys: if you lose your phone, your passkeys are recoverable through your password manager’s cloud sync.
For the transition period (not every service supports passkeys yet), a password manager handles both: passkeys for services that support them, strong unique passwords for the rest.
Limitations
- Not yet universal. Many services, especially smaller ones, do not support passkeys yet. You will still need passwords for some accounts.
- Account recovery. If you lose all devices and have no password manager syncing your passkeys, recovery can be difficult. Always keep a backup method configured.
- Enterprise adoption. Rolling out passkeys across a team requires planning. FIDO2-compatible hardware keys (YubiKey) offer a managed alternative for organizations.
Passkeys and Swiss Compliance
For nDSG purposes, passkeys qualify as a strong authentication measure. Their phishing resistance and cryptographic foundation exceed the security of password+TOTP combinations. FINMA-regulated organizations can use passkeys as part of their multi-factor authentication requirements, particularly when backed by hardware security modules.