- A passkey is a cryptographic key pair tied to your device. You sign in with biometrics or a PIN.
- Nothing transferable is ever sent to the website, which is why passkeys cannot be phished.
- By 2025 about 48% of the top 100 websites supported passkeys. Adoption is accelerating.
- You do not have to choose. You can keep your password manager and add passkeys where supported.
Passwords have run their course. They have been the standard for sixty years, and they are responsible for most of the security breaches you read about. The replacement is real, it is here, and Apple, Google, and Microsoft have all bet the farm on it.
It is called a passkey. Here is what it is, how it works, and why it matters for the next decade of online life.
What a passkey actually is
A passkey is a pair of cryptographic keys generated by your device when you create an account. The public key goes to the website. The private key never leaves your phone, laptop, or hardware key.
When you sign in, the website sends a challenge. Your device signs the challenge with the private key, which only it has, and sends the signature back. The site verifies it against the public key. You are in.
From your perspective, the whole thing looks like Face ID or your fingerprint. Behind the scenes it is public key cryptography, the same kind that secures HTTPS, except now applied to logging in.
Why passkeys cannot be phished
A password is a transferable secret. You type it, send it to the site, and it goes wherever the form points. A fake site that looks like your bank can collect your password and use it on the real bank. This is phishing, and it is responsible for an enormous share of account takeovers.
A passkey is not transferable. Your device only signs challenges from the exact domain the passkey was registered with. If you visit a phishing page that imitates your bank, your device will not recognize the domain and will not sign anything. The attack fails before it starts.
This is the single biggest security advantage of passkeys, and it is why every major standards body, including the FIDO Alliance, now recommends them as the future of authentication.
The site asks: prove you are who you say. Your device proves it without ever revealing the secret. The proof only works for the specific site that issued the challenge. No phishing page can replay it.
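The sign-in exchange and the domain check described above, as an added Go example that is not from the original article. The function names, `bank.example`, the lookalike `bank-login.example` and the challenge strings are constructed for illustration, challenges are treated as opaque strings, and Ed25519 stands in for whichever signature algorithm a given passkey uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

func newPasskey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// signedBytes is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedBytes(authData, cdJSON []byte) []byte {
	cd := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), cd[:]...)
}

// signAssertion plays browser plus authenticator; the browser, not the page, records the origin.
func signAssertion(priv ed25519.PrivateKey, rpID, origin, challenge string) (authData, cdJSON, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05, 0, 0, 0, 1) // rpIdHash, flags UP|UV, signCount 1
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	return authData, cdJSON, ed25519.Sign(priv, signedBytes(authData, cdJSON))
}

// verifyAssertion is the site's check; wantOrigin and wantChallenge come from its own session.
func verifyAssertion(pub ed25519.PublicKey, rpID, wantOrigin, wantChallenge string, authData, cdJSON, sig []byte) error {
	var cd map[string]interface{}
	rp := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != wantChallenge:
		return fmt.Errorf("type or challenge mismatch (malformed, stale or replayed proof)")
	case cd["origin"] != wantOrigin:
		return fmt.Errorf("origin mismatch: %v", cd["origin"])
	case len(authData) < 37 || string(authData[:32]) != string(rp[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ed25519.Verify(pub, signedBytes(authData, cdJSON), sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	pub, priv := newPasskey()
	a, c, s := signAssertion(priv, "bank.example", "https://bank-login.example", "c1") // constructed lookalike
	fmt.Println(verifyAssertion(pub, "bank.example", "https://bank.example", "c1", a, c, s))
}
```

Because the origin is inside the signed bytes, a proof produced on the lookalike page is rejected by the real site, and a proof captured for one challenge fails against the next one.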
The state of adoption in 2025
Two years ago, passkeys were a curiosity. Today they are mainstream. According to the FIDO Alliance's 2025 World Passkey Day report:
- About 75% of consumers globally now know what passkeys are.
- 69% of users have at least one passkey set up.
- 48% of the world's top 100 websites support passkeys, up from 22% in 2022.
- Passkeys achieve a 93% login success rate compared to 63% for passwords.
Apple, Google, Microsoft, Amazon, eBay, PayPal, GitHub, Adobe, Best Buy, and Shopify all support passkey login. Most major banks are rolling out support over 2025 and 2026. Your favourite Canadian banks may already offer it; check your account security settings.
Where passkeys live
This is the part that confuses people. A passkey has to live somewhere. The options:
Synced passkeys
Most consumer passkeys today sync through a cloud provider: Apple's iCloud Keychain, Google Password Manager, Microsoft Authenticator, or third-party password managers like 1Password and Bitwarden. The passkey is end-to-end encrypted in transit and in storage.
This is convenient. You set up a passkey on your phone and use it on your laptop without doing anything extra. The trade-off: you trust the sync provider's security and you depend on their continued service.
Device-bound passkeys
Some hardware security keys, like a YubiKey 5 series, store passkeys directly on the key itself. They never leave. This is the strongest option for high-value accounts, but it means you carry the key and need a backup.
Hybrid (cross-device)
Sometimes you sign in on a new device that does not have your passkey. The standard supports a flow where you use your phone, with the passkey on it, to authenticate on the new device via Bluetooth or QR code. The passkey itself never moves; only the proof does.
What passkeys do not solve
Passkeys are excellent against phishing and credential stuffing. They do not solve every problem.
- Account recovery. If you lose your phone and your sync account, you may be locked out. This is why backup methods matter.
- Device theft. A passkey is only as secure as the lock screen on the device holding it. Use a strong device PIN and biometrics.
- Server-side breaches. Passkeys protect login. They do not protect data the site has already collected from you.
You still need everything else. Strong device passcodes, encrypted backups, account recovery codes saved somewhere safe. Passkeys reduce the password problem; they do not eliminate the need for security awareness.
Should you switch?
The answer is mostly yes, gradually, where it is offered. Some practical guidance:
- Add a passkey, do not delete the password. Most sites let you have both for a transition period. Keep the password as a backup until passkey login feels reliable.
- Start with your most important accounts. Email, password manager, financial. These benefit most from phishing resistance.
- Make sure recovery is set up. Have at least two ways to get into each account: passkey on a phone, passkey on a laptop, recovery codes in your manager.
- Keep your password manager. Even with passkeys, you will have password-only sites for years. The manager handles both.
Passkeys are spreading, but most accounts still need a password. Generate a strong unique one for everything that has not gone passwordless yet.
The Canadian context
Canadian financial regulators and the Canadian Centre for Cyber Security have endorsed FIDO standards as part of strong authentication frameworks. The Government of Canada's Digital Standards point in the same direction. Banks like RBC, TD, and BMO now offer passkey login on their apps. The federal Sign In Canada platform is piloting passkey support for its identity service.
For the next several years, passkeys and passwords will coexist. Sites that have rolled out passkeys will keep password fallback for compatibility. Sites that have not yet adopted them will catch up over time. The right move for an individual is to use passkeys where offered, while keeping a strong password manager for everything else. We unpack the manager side in our password manager guide for Canadians.
The takeaway
Passkeys are the first credential since the password that has a real chance of replacing it. They are faster, safer, and immune to the most common attacks. They are not a complete answer, but they are the best partial one we have had in decades.
If you ever wondered when to start using them, the answer is now. Most major services support them. Your phone is ready. Your password manager is ready. Add a passkey, leave the password as a backup, and move on with your day.