
What Is a Passkey? A Plain-English Guide (From a Guy Who Was Drowning in 100+ Passwords)

Passwords leak, get reused, and get phished. Here's what a passkey actually is, how it works, and why it finally kills the password problem — in plain English.


I once counted my passwords. Not because I'm organised — God, no — but because my password manager smugly told me I had over a hundred of them, and roughly a third were flagged as "weak, reused, or found in a data breach." A third. Imagine a doctor telling you a third of your teeth are technically optional.

My name's Muslih Ali, and for the better part of a decade my digital security strategy was the same as everyone else's: pick a password I could remember, add a 1, then a ! when a website got pushy, and pray. Spoiler — prayer is not a recognised encryption standard. So this is the guide I wish someone had shoved in my face years ago: what a passkey actually is, why passwords were always a terrible idea wearing a security costume, and why I eventually got so annoyed I started building an identity company around the fix.

First, let's be honest about passwords

Passwords are a 1960s idea we duct-taped onto a world they were never designed for. The original computer password was invented so a handful of researchers could share one machine at MIT. It was never meant to guard your bank account, your medical records, your email, and that one shameful streaming service you forgot you're still paying for. And yet here we are, defending our entire lives with "Summer2024" and a sticky note.

The problem isn't that you're lazy (you are, we both are, it's fine). The problem is that passwords ask you to do something humans are physically incapable of: memorise dozens of long, unique, random strings and never, ever reuse them. So we reuse them. Studies keep finding that more than half of people recycle the same handful of passwords across most of their accounts. Which means the moment one badly-built website leaks its database — and one always does — attackers take your email-and-password combo and politely try it on everything else you own. This is called credential stuffing, and it's about as sophisticated as trying the same key on every door in the building until one opens.

Here's the part nobody likes to say out loud: even a "strong" password doesn't save you from the worst attack, which is phishing. You can have a 32-character monstrosity generated by a password manager, and it's still worthless if a convincing fake login page tricks you into typing it. The password's strength is irrelevant the second you hand it to the wrong person. It's like having a titanium front door and then mailing the key to a stranger because the email had your bank's logo on it.

[Image: a cat next to the text 'password123', the world's most popular terrible password]
Statistically, this cat has better passwords than most Fortune 500 employees. The bar is on the floor.

So to summarise the case against passwords: they leak, they get reused, they get phished, and managing them properly is a part-time job nobody applied for. The whole model is built on a shared secret — a thing both you and the website know — and the fundamental flaw is right there in the sentence. If two parties know a secret, it can be stolen from either one. Your security was never fully in your hands. That always quietly enraged me.

So… what is a passkey?

A passkey is a replacement for your password that you never see, never type, never remember, and — crucially — can't give away even if you try. Instead of a secret you both share, a passkey is a pair of cryptographic keys. One is private and lives locked inside your device (your phone, your laptop, your hardware key). The other is public and gets handed to the website when you sign up. The public one is useless on its own — it's like leaving a padlock with a shop; only your private key can open it, and your private key never leaves your pocket.

When you log in, the website sends a little challenge — basically "prove you're you" — and your device signs it with the private key after you unlock it with your face, your fingerprint, or your screen lock. The website checks the signature against the public key it stored, nods, and lets you in. The secret that matters never travels across the internet, never sits in the website's database waiting to be leaked, and never gets typed into a fake page. There's nothing to steal because there's nothing shared.

If that sounds suspiciously like the security tech that protects bank transfers and military comms — yeah, it basically is. It's public-key cryptography, the same family of maths that's been quietly holding the internet together for decades. The genius of passkeys is that someone finally wrapped that maths in something my mother can use without a 40-minute phone call. You tap, you look at your phone, you're in. The cryptography happens in the background, sulking that it doesn't get more credit.

Why passkeys actually fix the problem (not just shuffle it around)

This is the bit that converted me from sceptic to fanatic. Passkeys don't just make the old problems harder — they delete several of them entirely:

  • Phishing basically dies. A passkey is mathematically bound to the real website's address. If you land on paypa1-security.com instead of the real thing, your device simply won't have a key for that fake domain, so there's nothing to hand over. The scam falls apart before you even notice you were being scammed. You can't be tricked into giving away a secret you don't have.
  • Database leaks stop being your problem. When a site gets breached, attackers walk away with a pile of public keys — the digital equivalent of a phone book full of padlocks with no keys. Useless. No password to crack, no hash to brute-force, nothing to reuse on your other accounts.
  • No reuse, because there's nothing to reuse. Every passkey is unique to one site, generated automatically. You're not tempted to recycle anything because you're not creating or remembering anything in the first place.
  • It's faster. This is the petty reason I love it most. Logging in goes from "open manager, search, copy, paste, fail, reset, cry" to a single glance at your phone. After years of password rage, the speed alone feels illegal.

[Image: a relaxed cat, unbothered, because it uses passkeys]
This is roughly my energy now that I no longer reset a password every Tuesday.

"But what if I lose my phone?" — the question everyone asks

Fair. It was my first question too, usually shouted. The honest answer: passkeys are designed to survive a lost device far better than passwords ever did. On most modern setups, your passkeys sync securely through your device ecosystem — Apple's iCloud Keychain, Google Password Manager, or a dedicated provider — so a new phone restores them the same way it restores your photos. You can also register more than one device, or a physical security key, as backups. Losing your phone becomes an inconvenience, not a lockout.

And let's be real about the alternative: if you lost your phone in the password era, you weren't safe either. Half your accounts were one "Forgot password?" email away from being hijacked by anyone who got into your inbox. Passwords gave you the illusion of a recovery plan. Passkeys just make the plan an actual engineering decision instead of a panic.

Where you can use passkeys right now

The fun part is that this isn't some five-years-away future. Apple, Google, and Microsoft all support passkeys natively, which means your phone and laptop almost certainly already do. Big names — your Google account, Apple ID, Microsoft, Amazon, PayPal, GitHub, and a fast-growing list of others — let you turn passkeys on today. Every month another login screen quietly grows a "Sign in with a passkey" option, and every month I quietly delete another password from my life like I'm decluttering a haunted house.

This is also, full disclosure, why I do what I do. After enough years of watching ordinary people get phished, reused-passworded, and breached through absolutely no fault of their own, I got tired of complaining and started building. Paswad is my attempt to make passwordless, passkey-first identity something any business can hand to its users — and any person can actually understand. This blog is where I'll write about all of it, in plain English, with as little jargon and as much honesty as I can manage. Issue one is this. There will be more.

Frequently asked questions

Is a passkey the same as a password manager?

No, though they're cousins. A password manager stores your (still phishable, still leakable) passwords and types them for you. A passkey removes the password entirely and replaces it with cryptographic keys that can't be phished or reused. A manager organises the problem; a passkey deletes it.

Are passkeys safe if my phone uses Face ID or a fingerprint?

Yes — and importantly, your biometrics never leave your device or get sent to the website. The fingerprint or face scan just unlocks the private key locally. The website only ever sees a signature, never your face, never your thumb, never a secret it could lose.

Can someone steal my passkey from a website I use?

Not in any way that helps them. Websites only store your public key, which is designed to be shared and is useless without the private key locked on your device. That's the entire point — there's no shared secret sitting in a database for an attacker to walk off with.

Do I have to give up my passwords overnight?

No. Most services let passkeys and passwords coexist while the world transitions. My advice from experience: turn on passkeys everywhere they're offered, start with the accounts that would ruin your week if they were hacked (email, bank, primary cloud account), and let the password graveyard grow from there.

The short version

A password is a secret you share, remember, and inevitably leak. A passkey is a secret your device keeps, proves, and never hands over. One was designed for a research lab in the sixties; the other was designed for the internet we actually live on. I spent years as a one-man case study in everything wrong with the first approach — over a hundred passwords, a third of them compromised, a recurring Tuesday ritual of resets and quiet despair. Passkeys ended that, and they can end it for you too.

Welcome to the Paswad blog. Go turn on a passkey somewhere today — your future self, the one who isn't resetting a password in a parking lot, will thank you.

— Muslih Ali