In the event your device is lost or stolen, you can restore your passkeys using the account you created it with. For instance, Google allows you to store passkeys in the Google Password Manager and sync them across your devices. Windows and iCloud Keychain only work on their respective operating systems, but they’re tied to your Microsoft and Apple accounts, respectively.
Are Passkeys Safe?
Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a handful of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.
On the device where you created the passkey, you’ll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log into. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.
Although biometric authentication is how you’ll typically interact with passkeys on a mobile device, it’s not a requirement. On Windows, for example, you need to authenticate with Windows Hello, which can use your device’s PIN. On Android, you can use a pin or pattern.
With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are dozens and dozens of examples of this happening before.
Passkeys vs. 2FA and MFA
Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.
MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.
Here’s how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”
Devices and Browsers That Support Passkeys
Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.
Here are the operating systems that fully support passkeys:
