Passkeys, FIDO2, and the Death of Passwords

The Bottom Line

Passkeys are the most significant security upgrade since HTTPS. They're phishing-resistant by design—no amount of social engineering can steal a passkey the way it can steal a password or TOTP code. Google, Apple, and Microsoft are pushing them hard. Within a few years, passwords may be legacy technology.

Quick Comparison

Method               | Phishing Resistance | User Experience | Recovery          | Best For
---------------------|---------------------|-----------------|-------------------|----------------------
Synced Passkeys      | Excellent           | Excellent       | Cloud backup      | Most users
Hardware Key (FIDO2) | Excellent           | Good            | Backup key needed | High-security needs
TOTP Apps            | Poor                | Good            | Backup codes      | Legacy compatibility
SMS 2FA              | Very Poor           | Easy            | Phone number      | Last resort only
Password Only        | None                | Easy            | Email reset       | Never

Understanding the Terminology

FIDO2: The Technical Standard

FIDO2 is a set of specifications from the FIDO Alliance for passwordless authentication. It combines:

  • WebAuthn — The web browser API for authentication
  • CTAP — Protocol for communicating with authenticators (security keys, phones)

When a website supports "security keys" or "passkeys," it is implementing FIDO2.

Passkeys: Consumer-Friendly FIDO2

Passkeys are FIDO2 credentials with a key difference: they can sync across your devices.

  • Apple: Syncs passkeys via iCloud Keychain
  • Google: Syncs passkeys via Google Password Manager
  • Password Managers: 1Password, Bitwarden, Dashlane offer passkey storage

This solves the "I lost my security key" problem that plagued earlier FIDO adoption.

Device-Bound vs. Synced Credentials

Device-Bound (Hardware Keys)

Private key never leaves the device. YubiKey, Nitrokey, etc. Maximum security—if an attacker compromises your cloud account, they still can't get your keys.

Synced Passkeys

Private key encrypted and synced via cloud. Convenient—works on all your devices. Security depends on cloud account protection.

How Passkeys Work

Here's the magic that makes passkeys phishing-proof:

Registration (One Time)

  1. Website asks your device to create a passkey
  2. Your device generates a public-private key pair
  3. Private key stays on device (or syncs encrypted)
  4. Public key sent to website
  5. Website stores the public key tied to your account

Login (Every Time)

  1. Website sends a random challenge
  2. Your device signs the challenge with your private key
  3. Signature sent to website
  4. Website verifies with your stored public key
  5. You're in—no password transmitted

Why Phishing Fails

The critical detail: a passkey is bound to the website's origin (its relying-party ID). The browser only offers the credential to the origin it was registered on, and that origin is included in the data your device signs, so the website can check it as well.

  • Real Google: accounts.google.com → authentication proceeds
  • Fake phishing: accounts.goog1e.com → device refuses to respond

There's no code to enter, no password to type on the fake site. The authentication simply fails silently.

TOTP vs. Passkeys: Why Apps Are Obsolete

Traditional TOTP (Time-based One-Time Password) apps like Google Authenticator work differently:

  1. Website gives you a secret key (QR code)
  2. Your app stores it and generates 6-digit codes
  3. You type the current code to log in

The problem: you're typing the code manually. A phishing site can capture that code in real-time and use it before it expires.

Approximate phishing resistance by method:

  • Password + SMS: 20-50%
  • Password + TOTP: 60-80%
  • FIDO2/passkeys: 99%+

TOTP is better than SMS. Passkeys are better than both.

Synced Passkeys: The Options

Apple (iCloud Keychain)

  • Works across iPhone, iPad, Mac
  • Syncs automatically when signed into iCloud
  • Protected by device biometrics (Face ID, Touch ID)
  • Can share with AirDrop to other Apple devices

Google (Password Manager)

  • Works on Android, Chrome on any platform
  • Syncs to Google account
  • Protected by device screen lock
  • Cross-platform via Chrome browser

Password Managers

  • 1Password: Full passkey support, cross-platform
  • Bitwarden: Passkey support added 2024
  • Dashlane: Passkey support available

Using a password manager for passkeys gives you platform independence—switch from iPhone to Android without losing passkeys.

Hardware Security Keys

For maximum security, use device-bound credentials on a hardware key.

YubiKey

  • Industry standard, wide compatibility
  • FIDO2, U2F, OTP, PIV all in one device
  • USB-A, USB-C, NFC options
  • $50+ per key
  • Closed-source firmware (can't be updated)

Nitrokey

  • Open-source firmware
  • FIDO2, OpenPGP support
  • Made in Germany
  • ~$50+ per key

OnlyKey

  • Physical button-based PIN entry
  • Open-source
  • Password storage built-in
  • ~$50

See our Hardware Security Keys Comparison for detailed breakdowns.

When to Use What

Use Synced Passkeys For:

  • Most websites and apps
  • Accounts where convenience matters
  • When you trust your cloud provider (Apple, Google, or password manager)

Use Hardware Keys For:

  • Cryptocurrency exchanges and wallets
  • Primary email (controls password resets everywhere)
  • Admin/root accounts
  • Bank accounts (if supported)
  • SSH keys

Keep TOTP Apps For:

  • Sites that don't support passkeys yet
  • Backup authentication method
  • Services requiring app-based codes

Setting Up Passkeys

On Websites That Support Them

  1. Go to account security settings
  2. Look for "Passkeys," "Security Keys," or "Passwordless"
  3. Click "Add passkey"
  4. Your browser prompts to save—confirm with biometric/PIN
  5. Done—next login uses passkey

Major Services with Passkey Support

  • Google — accounts.google.com → Security → Passkeys
  • Apple — Native support on Apple devices
  • Microsoft — account.microsoft.com → Security → Passkey
  • GitHub — Settings → Password and authentication → Passkeys
  • PayPal — Settings → Security → Passkeys
  • Amazon — Account → Login & security → Passkeys
  • Discord — Settings → My Account → Passkeys
  • Cloudflare — Profile → Authentication → Passkeys

Check passkeys.directory for current support.

Recovery: Don't Lock Yourself Out

Passkeys are great until you can't access any registered device. Plan ahead:

Register Multiple Methods

Add passkeys on multiple devices. Register a hardware key as backup. Keep TOTP as fallback where available.

Save Backup Codes

Most services provide one-time backup codes. Store them in a password manager or secure offline location.

Second Hardware Key

If using YubiKey, buy two. Register both. Store backup separately from primary.

Cloud Account Security

If using synced passkeys, your cloud account becomes critical. Secure it with the strongest methods available.

Passkeys vs. Password Managers

Some people ask: "Do passkeys replace password managers?"

Not yet. You still need passwords for sites without passkey support. But the role is shifting:

  • Today: Password manager stores passwords + TOTP codes + passkeys
  • Future: Password manager primarily stores passkeys, with legacy passwords for stragglers

Password managers like 1Password and Bitwarden are adapting—they're becoming passkey managers that also handle legacy passwords.

Privacy Considerations

Synced Passkeys

Your passkey private keys are encrypted in transit and at rest, but:

  • Apple/Google/Microsoft can see which services you have passkeys for
  • A compromised cloud account could theoretically access passkeys
  • Law enforcement with valid orders might compel access

Hardware Keys

Private keys never leave the device:

  • No cloud provider involvement
  • No sync means no metadata exposure
  • Physical access required for use

For maximum privacy: use hardware keys for critical accounts, accept synced passkeys for convenience elsewhere.

The Future

Microsoft is making passkeys the default for new accounts. Google pushes passkeys prominently. Apple builds them into the OS.

Within 5 years, passwords may be legacy technology—like fax machines. Still supported, rarely used, eventually deprecated.

Start adopting passkeys now. Your future self will thank you when the next credential database breach happens and your accounts aren't in it.
