Skip to main content
LiMP VPN
All posts

Passkeys: Passwordless Login and Why It Beats Passwords in 2026

Passkeys: Passwordless Login and Why It Beats Passwords in 2026

In short: A passkey is a way to sign in to an account without a password: instead of a secret string, your device stores a cryptographic key and you approve the login with a fingerprint, Face ID or PIN. Such a key cannot be phished on a fake page and cannot be stolen from a leaked database, because there is nothing to type. In 2026 passkeys are already supported by Google, Apple, Microsoft, GitHub, major banks and marketplaces. The key point: a passkey protects the sign-in itself, while a VPN protects the channel that sign-in travels through. One blocks phishing and password theft, the other blocks interception and tracking on someone else network. Below is how it works, where to turn it on and what to watch for.

What a passkey is in plain words

A password is a shared secret: you and the service both know the same string. That is the root of the trouble. A secret can be shoulder-surfed, guessed, phished on a fake site or pulled from a hacked database. Even a strong password stops being secret the moment it leaks — and leaks happen all the time.

A passkey works differently. It is not a string you memorise but a pair of cryptographic keys your device creates. One key (public) goes to the server, the other (private) stays forever in the protected memory of your phone or computer and never leaves it. When you sign in, the device proves it holds the private key without ever sending it. The key is unlocked only by your biometrics or PIN, locally, on the device itself.

Put simply, a passkey is a digital key to one specific lock. You cannot read it out to a fake support line, cannot slot it into someone else lock and cannot copy it from a shop window. The technology is officially called FIDO2 / WebAuthn and is driven by the FIDO Alliance together with Apple, Google and Microsoft.

How passkeys work: a signature instead of a secret

The mechanics are easiest to picture as a challenge and response. When you register a passkey, the device generates the key pair and hands the service the public key, keeping the private one. On every sign-in the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the public key. Match — access granted.

Three consequences make this strong:

  • There is nothing worth stealing on the server. A public key is useless without the private one, so even a full database leak grants no access to the account.
  • The key is bound to the site address. A passkey only works on the genuine domain it was created for. A look-alike page on a different address simply cannot see your key — phishing breaks mechanically, not thanks to your vigilance.
  • Biometrics never leave the device. Your fingerprint and face scan only unlock the private key locally. They are never sent to the service or stored in the cloud.

This is why passkeys are called phishing-resistant: even if you follow a link from a scammer email and land on a convincing copy of a site, there is nothing to type or sign there.

Why a passkey is safer than a password

An ordinary password is vulnerable at several stages at once: it can be guessed, intercepted, phished or found in a dumped database. A password plus an SMS code closes some gaps, but a one-time code can be talked out of you with the same trick — read me the digits from the message. A passkey removes the target itself: there is no secret left to steal.

ThreatPasswordPassword + SMS codePasskey
Service database leakVulnerablePartly vulnerableProtected
Phishing (fake site)VulnerableVulnerableProtected
Guessing and brute forceVulnerablePartly vulnerableProtected
Code interception / SIM swapVulnerableProtected
Password reuse across sitesVulnerableVulnerableNot applicable

If you still sign in with passwords, do not leave them defenceless: long unique passwords in a manager and two-step verification remain the required minimum. There is a full walkthrough in our guide on how to protect your account from hacking. A passkey is the next step that gradually makes those measures unnecessary.

Where you can already sign in without a password in 2026

Passwordless login is no longer exotic. Large ecosystems not only support passkeys but make them the default for new accounts. Where passkeys already work today:

  • Google account — Gmail, YouTube, Google Drive; a passkey can be the main sign-in method.
  • Apple ID and iCloud — keys are stored in the Keychain and sync across Apple devices.
  • Microsoft — for new accounts passkeys have become the priority method, with the password kept as a fallback.
  • Developer and work tools — GitHub, GitLab and many corporate SSO systems.
  • Finance and shopping — PayPal, major marketplaces and a growing number of banking apps.

A single account can hold both a password and a passkey at the same time: you turn the passkey on while the old method stays as a backup for a while. That is handy during the transition, since not every service supports passkeys yet.

How to set up a passkey on iPhone and Android

The principle is the same everywhere: open the account security settings and add a passkey, confirming it with biometrics. Step by step:

On iPhone (iOS)

  1. Make sure iCloud Keychain is on: Settings → your name → iCloud → Passwords and Keychain.
  2. Open the service site or app and sign in the usual way.
  3. In the account security settings choose Create a passkey.
  4. Confirm with Face ID or Touch ID — the key is saved to the Keychain.
  5. Next time, pick sign in with a passkey and confirm with your face or fingerprint.

On Android

  1. Check that Google Password Manager is set up and the screen lock uses biometrics.
  2. Sign in to the service account and open the security section.
  3. Tap Create a passkey and confirm with a fingerprint or PIN.
  4. The key is stored in your Google account and available across your Android devices.

To sign in on a device that does not have your passkey — a borrowed laptop, say — the service shows a QR code. Scan it with the phone that holds the key and confirm with biometrics: the login is approved over a secure Bluetooth link, and the key itself stays on your phone.

Weak spots and caveats

Passkeys are a big step forward, not magic. Honestly, here is what to keep in mind:

  • Ecosystem lock-in. Keys in the Apple Keychain and in Google Password Manager live in their own clouds. Moving a passkey between ecosystems directly is still awkward, so on a mixed set of devices you may need to create a key separately.
  • Losing the device. If a passkey does not sync to the cloud and the phone is lost, access can be lost with it. Syncing and a second trusted device are the safety net.
  • Recovery. The backup channel is often email or phone — which makes them the weakest link. Keep your mailbox well protected; how to do that is covered in our guide on how to protect your email.
  • Not supported everywhere. Some sites still lack passkeys, so you cannot throw the password away as a fallback just yet.

The takeaway is simple: turn passkeys on wherever they exist, but do not disable backup methods all at once until you are sure sign-in works reliably across all your devices.

Passkeys and VPN: two layers, not a replacement

Passkeys and VPNs are often confused, though they cover different risks. A passkey answers who is signing in — it confirms it is really you and stops a fake page from being slipped to you. A VPN answers how the traffic travels — it encrypts the connection and hides your IP so the owner of a public network, your provider or a laptop at the next table cannot see what you send and where. For the limits of that protection, see our breakdown of what a VPN protects against.

In practice the layers complement each other. On open airport Wi-Fi a passkey stops your login being lifted through a fake authorisation page, while LiMP VPN secures the channel itself so no one on the network can snoop on the rest of your traffic or push a malicious page. Passwordless login and an encrypted connection together give what specialists call defence in depth: even if one line of defence fails, a second stands behind it.

Checklist: moving to passwordless login

  • Turn on passkeys for your main accounts: Google, Apple ID, Microsoft, bank, email.
  • Make sure keys sync to the cloud (iCloud Keychain or Google Password Manager).
  • Set up a passkey on at least two of your devices so losing one does not lock you out.
  • Put a strong screen lock and biometrics on your phone — that protects the key itself.
  • Harden your backup email and phone: they are the usual recovery path.
  • Where passkeys do not exist yet, keep a long unique password in a manager plus two-step verification.
  • On public networks turn on a VPN — the passkey secures the login, the VPN secures the channel.
  • Every couple of months review the list of registered keys and remove any you do not need.

Frequently asked questions

Can I sign in with a passkey on someone else computer?

Yes. The service shows a QR code, you scan it with the phone that holds the key and confirm with biometrics. The link runs over short-range Bluetooth, so the other computer must be nearby, and the key is not saved on it.

What happens if I lose the phone with my passkeys?

If the passkeys synced to your ecosystem cloud, they are available on your other devices and restore on a new phone after you sign in. If there was no sync, a key tied only to the lost device has to be recreated through a backup sign-in method.

Does a passkey store my fingerprint on the server?

No. Biometrics are used only locally to unlock the private key on your device. Neither the fingerprint nor the face scan is sent to the service or kept in the cloud — the server only ever sees a mathematical signature.

Does a passkey replace two-factor authentication?

A passkey is essentially multi-factor already: it combines something you have (the device with the key) with something you are (biometrics) or know (a PIN). A separate SMS code on top is usually unnecessary, which is a plus — there is nothing to intercept.

Do I still need a VPN if I use passkeys everywhere?

Yes, they do different jobs. A passkey protects the sign-in but does not encrypt the rest of your traffic or hide your IP from a foreign network or provider. On open Wi-Fi and for privacy a VPN is still needed.

What are FIDO2 and WebAuthn?

They are the open standards passkeys are built on. FIDO2 describes how the device and keys work, WebAuthn describes how the browser and site exchange sign-in requests. Shared standards let one key work across different browsers and services.

Can I use one passkey between Apple and Android?

Moving a key directly between ecosystems is still awkward: Apple and Google keep them in their own clouds. But you can sign in from an iPhone to an Android device and back through the QR-code flow — temporarily, for a specific login.

Passkeys: Passwordless Login and Why It Beats Passwords in 2026 | LiMP VPN