Passkey
A passkey is a phishing-resistant login credential stored on a device, password manager, or security key. It replaces passwords with public-key authentication, so the service never receives a reusable password.
How It Works
A passkey creates a key pair for a specific website. The private key stays on your device, password manager, or security key. The website stores the public key and asks your device to prove possession during login.
There is no password for a phishing site to steal. If the domain is wrong, the passkey should not work for that site.
The catch is recovery. Some passkeys are synced through Apple, Google, Microsoft, or a password manager. That can be convenient, but it also means the sync account needs strong protection.
Key Points
- Replaces reusable passwords with public-key login
- Strong against phishing when implemented correctly
- May live on a phone, laptop, password manager, or security key
- Recovery model depends on where the passkey is stored
- Protect the sync account because it may hold access to many services