What are passkeys?
A passkey is a digital credential that replaces passwords. Your device creates and stores it securely, letting you log in or approve actions with Face ID, Touch ID, or a PIN instead of typing a password.
Phishing-resistant
Each passkey is cryptographically bound to a single domain or app.
Seamless UX across flows
Smooth onboarding, quick recovery, effortless step-up auth.
Lower operational costs
Cut SMS spend and reduce support tickets by half.
Future-proof
Built on FIDO2/WebAuthn, aligned with NIST and PSD2 standards.
Backed by the world's biggest platforms
Passkeys are a proven standard, backed by the world's biggest platforms and device makers. Adoption is built into the tools your customers already use.
How passkeys compare to other sign-in methods
See how passkeys stack up against passwords, SMS codes, and other login methods—faster, safer, and built for the future.
| Fallback Method | User Convenience | Phishing | Credential-Based Attacks | Malware-Based Attacks | SIM Swap and Phone Porting | OTP Bypass Attacks | Data Breach |
|---|---|---|---|---|---|---|---|
| Passkey | |||||||
| Selfie-based identity verification combined with liveness detection | |||||||
| Biometric Authentication | |||||||
| Recovery Codes | |||||||
| Email OTP | N/A | ||||||
| App-based OTP | N/A | ||||||
| SMS OTP | |||||||
| Magic Links | N/A | ||||||
| Security Questions | N/A | N/A | |||||
| Password | N/A | N/A | |||||
Learn how passkeys work
Passkeys change how authentication is built. They replace passwords with cryptographic keys stored on devices.
- How passkeys are generated and stored
- How authentication requests are validated
- How they work across devices and platforms
Frequently asked questions
Are passkeys more secure than current methods (password + MFA)?
Yes, passkeys are generally more secure than passwords alone or even password + OTP/MFA, because they remove the shared secret (password) and avoid many common attack vectors (phishing, database breaches, credential reuse).
Will passkeys work across devices / platforms? What happens if a user switches devices or loses a device?
Many platforms support syncing passkeys across devices (via secure cloud backup) so users can keep using their accounts when moving devices.
But support and behaviour vary by platform, and fallback and recovery must be planned for (for example, when a device is lost or a user resets their account).
What are the deployment/operational considerations and challenges?
Some of the key considerations include:
- Ensuring the service (your website/app) supports the required standards (e.g., WebAuthn / FIDO Alliance) and that the user device/browser ecosystem supports passkeys.
- Ensuring fallback for users/devices that don’t support passkeys yet.
- Managing recovery/loss of device scenarios, syncing, account migration, and user education.
Are there regulatory, compliance, or standardisation implications?
Yes. Passkeys align with modern authentication standards, including NIST SP 800-63B, by removing shared secrets and providing phishing-resistant authentication (WebAuthn/FIDO2). They also map to global security expectations such as CISA’s guidance on strong, interception-resistant authentication.
What does “synced” vs “device-bound” passkey mean? What are the tradeoffs?
- Device‐bound: The passkey stays only on the device where it was created and does not sync to the cloud. This includes hardware-backed authenticators such as Yubico and Swissbit keys. It maximises isolation but makes device loss or replacement more painful.
- Synced: The passkey is stored (encrypted) in cloud/sync services, allowing easier use across devices. However, security then also depends on the sync provider, which introduces new risk surfaces.
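An added example (not from the original page or any vendor's code): a relying-party-side check of the WebAuthn authenticator data header, showing the domain binding (`rpIdHash`) and the synced versus device-bound distinction (BE/BS flags) described above. The names `parse_auth_data`, `accept` and `sample`, the RP ID `example.com` and the policy of requiring user verification are assumptions; signature and origin verification are out of scope here.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data flags byte.
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10


@dataclass
class AuthData:
    rp_id_ok: bool         # rpIdHash == SHA-256(expected RP ID)
    user_present: bool
    user_verified: bool
    backup_eligible: bool  # BE: credential may be synced to other devices
    backed_up: bool        # BS: credential is currently backed up
    sign_count: int

    @property
    def kind(self) -> str:
        return "synced" if self.backup_eligible else "device-bound"


def parse_auth_data(auth_data: bytes, expected_rp_id: str) -> AuthData:
    """Decode the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    if flags & BS and not flags & BE:
        raise ValueError("BS set without BE is an invalid combination")
    return AuthData(hmac.compare_digest(rp_id_hash, expected), bool(flags & UP),
                    bool(flags & UV), bool(flags & BE), bool(flags & BS), sign_count)


def accept(auth_data: bytes, expected_rp_id: str, require_device_bound: bool = False) -> bool:
    """Header checks only; the caller must still verify the assertion signature."""
    p = parse_auth_data(auth_data, expected_rp_id)
    if not (p.rp_id_ok and p.user_present and p.user_verified):
        return False
    return not (require_device_bound and p.backup_eligible)


def sample(rp_id: str, flags: int, count: int = 0) -> bytes:
    """Constructed authenticator data for the demo (no real authenticator involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)


if __name__ == "__main__":
    for label, data in [("synced", sample("example.com", UP | UV | BE | BS)),
                        ("hardware key", sample("example.com", UP | UV, 7)),
                        ("other domain", sample("examp1e.com", UP | UV | BE | BS))]:
        print(label, accept(data, "example.com"), accept(data, "example.com", True))
```

A high-assurance flow can pass `require_device_bound=True` to reject synced credentials while ordinary sign-in accepts both.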