The Bottom Line
Passkeys are the most significant security upgrade since HTTPS. They're phishing-resistant by design—no amount of social engineering can steal a passkey the way it can steal a password or TOTP code. Google, Apple, and Microsoft are pushing them hard. Within a few years, passwords may be legacy technology.
Quick Comparison
| Method | Phishing Resistance | User Experience | Recovery | Best For |
|---|---|---|---|---|
| Synced Passkeys | Excellent | Excellent | Cloud backup | Most users |
| Hardware Key (FIDO2) | Excellent | Good | Backup key needed | High-security needs |
| TOTP Apps | Poor | Good | Backup codes | Legacy compatibility |
| SMS 2FA | Very Poor | Easy | Phone number | Last resort only |
| Password Only | None | Easy | Email reset | Never |
Understanding the Terminology
FIDO2: The Technical Standard
FIDO2 is a set of specifications from the FIDO Alliance for passwordless authentication. It combines:
- WebAuthn — The web browser API for authentication
- CTAP — Protocol for communicating with authenticators (security keys, phones)
When a website supports "security keys" or "passkeys," they're implementing FIDO2.
Passkeys: Consumer-Friendly FIDO2
Passkeys are FIDO2 credentials with a key difference: they can sync across your devices.
- Apple: Syncs passkeys via iCloud Keychain
- Google: Syncs passkeys via Google Password Manager
- Password Managers: 1Password, Bitwarden, Dashlane offer passkey storage
This solves the "I lost my security key" problem that plagued earlier FIDO adoption.
Device-Bound vs. Synced Credentials
Device-Bound (Hardware Keys)
The private key never leaves the device (YubiKey, Nitrokey, etc.). This is the maximum-security option: an attacker who compromises your cloud account still can't get your keys.
Synced Passkeys
The private key is encrypted and synced via the cloud. Convenient, since it works on all your devices, but its security depends on how well the cloud account itself is protected.
How Passkeys Work
Here's the magic that makes passkeys phishing-proof:
Registration (One Time)
- Website asks your device to create a passkey
- Your device generates a public-private key pair
- Private key stays on device (or syncs encrypted)
- Public key sent to website
- Website stores the public key tied to your account
Login (Every Time)
- Website sends a random challenge
- Your device signs the challenge with your private key
- Signature sent to website
- Website verifies with your stored public key
- You're in—no password transmitted
Why Phishing Fails
The critical detail: a passkey is bound to the domain it was registered on, and the browser, not the web page, reports the site's real origin to your device before it responds. That origin is also signed into the response, so the website can check it again on its side.
- Real Google: accounts.google.com → authentication proceeds
- Fake phishing: accounts.goog1e.com → device refuses to respond
There's no code to enter, no password to type on the fake site. The authentication simply fails silently.
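The registration and login ceremonies above, and the origin check that defeats the look-alike domain, as an added Go example that is not part of this article: a simulated authenticator holds a P-256 private key, the server issues a fresh random challenge, and the client refuses to answer unless the page's origin matches the domain the credential was registered for. `example.com`, the look-alike `examp1e.com`, the 32-byte challenge and the `register`/`sign`/`verify` functions are all constructed for this illustration; it is a teaching model of the WebAuthn data flow, not a conformant library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed relying-party identity for this example; a real site uses its own domain.
const rpID, rpOrigin = "example.com", "https://example.com"

// authenticator stands in for a passkey: the private key never leaves it.
type authenticator struct{ priv *ecdsa.PrivateKey; boundRP string }

// assertion is the login response; AuthData is sha256(rpID) || flags || 4-byte counter and
// ClientDataJSON carries the ceremony type, the challenge and the origin the browser saw.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// register: the device creates the key pair and gives the server only the public key.
func register(rp string) (*authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &authenticator{priv: priv, boundRP: rp}, &priv.PublicKey, nil
}

// signedDigest is what is signed and verified: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign is the client side. In a real stack the browser enforces the origin rule before the
// device is ever asked (real browsers also allow subdomains of the RP ID), so on a look-alike
// domain nothing is signed at all. The browser, not the page, writes the origin into the client data.
func (a *authenticator) sign(challenge, pageOrigin string) (*assertion, error) {
	if pageOrigin != "https://"+a.boundRP {
		return nil, fmt.Errorf("no credential for origin %q (bound to %q)", pageOrigin, a.boundRP)
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	rpHash := sha256.Sum256([]byte(a.boundRP))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signature counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verify is the server side: ceremony type, challenge, origin, RP ID hash, then the signature.
func verify(pub *ecdsa.PublicKey, expectedChallenge string, as *assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd["type"] != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd["type"])
	case cd["challenge"] != expectedChallenge:
		return fmt.Errorf("challenge mismatch (stale or replayed response)")
	case cd["origin"] != rpOrigin:
		return fmt.Errorf("origin %q is not %q", cd["origin"], rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// loginFrom runs one complete login ceremony with the browser sitting on pageOrigin.
func loginFrom(auth *authenticator, pub *ecdsa.PublicKey, pageOrigin string) error {
	b := make([]byte, 32) // the server issues 32 fresh random bytes per attempt
	if _, err := rand.Read(b); err != nil {
		return err
	}
	ch := base64.RawURLEncoding.EncodeToString(b)
	as, err := auth.sign(ch, pageOrigin)
	if err != nil {
		return err
	}
	return verify(pub, ch, as)
}

func main() {
	auth, pub, _ := register(rpID) // error ignored only to keep the demo short
	fmt.Println("real site: ", loginFrom(auth, pub, "https://example.com"))
	fmt.Println("look-alike:", loginFrom(auth, pub, "https://examp1e.com"))
}
```

Run it and the first call returns `<nil>` while the second is refused before anything is signed. The server checks the origin and RP ID hash a second time because both sit inside the signed data: a response captured on one site cannot be replayed on another, and a response to one challenge cannot satisfy a later one.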
TOTP vs. Passkeys: Why Apps Are Obsolete
Traditional TOTP (Time-based One-Time Password) apps like Google Authenticator work differently:
- Website gives you a secret key (QR code)
- Your app stores it and generates 6-digit codes
- You type the current code to log in
The problem: you're typing the code manually. A phishing site can capture that code in real time and use it on the real site before it expires.
- Password + SMS: 20-50% phishing resistance
- Password + TOTP: 60-80% phishing resistance
- FIDO2/passkeys: 99%+ phishing resistance
TOTP is better than SMS. Passkeys are better than both.
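The TOTP flow described above, implemented as an added Go example (not from this article): `hotp` and `totp` follow RFC 4226 and RFC 6238 with the usual HMAC-SHA1, 30-second step and 6 digits, and the verifier accepts one step of clock skew either side, which is exactly the window that lets a captured code be used before it expires. The constructed `relayScenario` function shows a code still verifying 20 seconds after it was generated, and the `lastCounter` replay guard rejecting a second use of the same code. The secret `12345678901234567890` is the RFC test vector, not a real key, and the verifier type and function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

const (
	totpStep   = 30 // seconds per code, the usual default
	totpDigits = 6
)

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
// then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// totp is RFC 6238: the counter is the number of 30 s steps since the Unix epoch.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep), totpDigits)
}

// verifier is the server side. lastCounter is the replay guard RFC 6238 asks for: once a
// step's code has been accepted, that step (and any earlier one) is never accepted again.
type verifier struct {
	secret      []byte
	lastCounter int64
}

func newVerifier(secret []byte) *verifier { return &verifier{secret: secret, lastCounter: -1} }

// check accepts the code for the current step and one step either side, the usual
// allowance for clock skew. That window is what makes real-time capture workable: a code
// that leaks from a fake login page is still valid on the real site for up to ~60 s.
func (v *verifier) check(code string, unixTime int64) bool {
	now := unixTime / totpStep
	for _, c := range []int64{now - 1, now, now + 1} {
		if c <= v.lastCounter {
			continue // already used (or older than one already used): reject replays
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(c), totpDigits)), []byte(code)) {
			v.lastCounter = c
			return true
		}
	}
	return false
}

// relayScenario: a code generated at issuedAt is presented delay seconds later, then the
// same code is presented once more. Returns (accepted first time, accepted second time).
func relayScenario(secret []byte, issuedAt, delay int64) (bool, bool) {
	v := newVerifier(secret)
	code := totp(secret, issuedAt)
	first := v.check(code, issuedAt+delay)
	second := v.check(code, issuedAt+delay+1)
	return first, second
}

func main() {
	secret := []byte("12345678901234567890")             // RFC 6238 test secret (ASCII), not a real key
	fmt.Println(totp(secret, 59))                        // 287082, matching the RFC vectors
	fmt.Println(relayScenario(secret, 1111111109, 20))   // true false: 20 s late still works, replay does not
	fmt.Println(relayScenario(secret, 1111111109, 90))   // false false: outside the window
}
```

The replay guard is the one defensive knob a TOTP verifier has: it cannot tell a typed code from a relayed one, so it should at least ensure any given code is usable once. Passkeys remove the window entirely, because the response is bound to the origin and to a single challenge rather than to a time slot.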
Synced Passkeys: The Options
Apple (iCloud Keychain)
- Works across iPhone, iPad, Mac
- Syncs automatically when signed into iCloud
- Protected by device biometrics (Face ID, Touch ID)
- Can share with AirDrop to other Apple devices
Google (Password Manager)
- Works on Android, Chrome on any platform
- Syncs to Google account
- Protected by device screen lock
- Cross-platform via Chrome browser
Password Managers
- 1Password: Full passkey support, cross-platform
- Bitwarden: Passkey support added 2024
- Dashlane: Passkey support available
Using a password manager for passkeys gives you platform independence—switch from iPhone to Android without losing passkeys.
Hardware Security Keys
For maximum security, use device-bound credentials on a hardware key.
YubiKey
- Industry standard, wide compatibility
- FIDO2, U2F, OTP, PIV all in one device
- USB-A, USB-C, NFC options
- $50+ per key
- Closed-source firmware (can't be updated)
Nitrokey
- Open-source firmware
- FIDO2, OpenPGP support
- Made in Germany
- ~$50+ per key
OnlyKey
- Physical button-based PIN entry
- Open-source
- Password storage built-in
- ~$50
See our Hardware Security Keys Comparison for detailed breakdowns.
When to Use What
Use Synced Passkeys For:
- Most websites and apps
- Accounts where convenience matters
- When you trust your cloud provider (Apple, Google, or password manager)
Use Hardware Keys For:
- Cryptocurrency exchanges and wallets
- Primary email (controls password resets everywhere)
- Admin/root accounts
- Bank accounts (if supported)
- SSH keys
Keep TOTP Apps For:
- Sites that don't support passkeys yet
- Backup authentication method
- Services requiring app-based codes
Setting Up Passkeys
On Websites That Support Them
- Go to account security settings
- Look for "Passkeys," "Security Keys," or "Passwordless"
- Click "Add passkey"
- Your browser prompts to save—confirm with biometric/PIN
- Done—next login uses passkey
Major Services with Passkey Support
- Google — accounts.google.com → Security → Passkeys
- Apple — Native support on Apple devices
- Microsoft — account.microsoft.com → Security → Passkey
- GitHub — Settings → Password and authentication → Passkeys
- PayPal — Settings → Security → Passkeys
- Amazon — Account → Login & security → Passkeys
- Discord — Settings → My Account → Passkeys
- Cloudflare — Profile → Authentication → Passkeys
Check passkeys.directory for current support.
Recovery: Don't Lock Yourself Out
Passkeys are great until you can't access any registered device. Plan ahead:
Register Multiple Methods
Add passkeys on multiple devices. Register a hardware key as backup. Keep TOTP as fallback where available.
Save Backup Codes
Most services provide one-time backup codes. Store them in a password manager or secure offline location.
Second Hardware Key
If using YubiKey, buy two. Register both. Store backup separately from primary.
Cloud Account Security
If using synced passkeys, your cloud account becomes critical. Secure it with the strongest methods available.
Passkeys vs. Password Managers
Some people ask: "Do passkeys replace password managers?"
Not yet. You still need passwords for sites without passkey support. But the role is shifting:
- Today: Password manager stores passwords + TOTP codes + passkeys
- Future: Password manager primarily stores passkeys, with legacy passwords for stragglers
Password managers like 1Password and Bitwarden are adapting—they're becoming passkey managers that also handle legacy passwords.
Privacy Considerations
Synced Passkeys
Your passkey private keys are encrypted in transit and at rest, but:
- Apple/Google/Microsoft can see which services you have passkeys for
- A compromised cloud account could theoretically access passkeys
- Law enforcement with valid orders might compel access
Hardware Keys
Private keys never leave the device:
- No cloud provider involvement
- No sync means no metadata exposure
- Physical access required for use
For maximum privacy: use hardware keys for critical accounts, accept synced passkeys for convenience elsewhere.
The Future
Microsoft is making passkeys the default for new accounts. Google pushes passkeys prominently. Apple builds them into the OS.
Within 5 years, passwords may be legacy technology—like fax machines. Still supported, rarely used, eventually deprecated.
Start adopting passkeys now. Your future self will thank you when the next credential database breach happens and your accounts aren't in it.
Related Guides
- 2FA App Comparison — Aegis vs Ente Auth vs Authy for TOTP
- Hardware Security Keys — YubiKey vs Nitrokey vs OnlyKey
- Password Manager Comparison — Where to store your legacy passwords
- Two-Factor Authentication Guide — Why any 2FA is better than none