Passkey (FIDO2/WebAuthn)
A password replacement that uses cryptographic key pairs stored on your device, making sign-in both phishing-proof and password-breach-proof.
Also known as: FIDO2 key, WebAuthn credential, passkey login
Last reviewed: 10 June 2026
A passkey is a credential based on the FIDO2/WebAuthn open standard. When you create a passkey, your device generates a public-private key pair. The private key never leaves your device; the website stores only the public key. To sign in, your device uses biometrics or a PIN to unlock the private key and sign a challenge from the website — no password is typed or transmitted.
Because the private key is bound to the legitimate site's origin, a phishing site cannot trigger or steal it. Because no password exists, it cannot be leaked in a data breach or guessed by an attacker. Major operating systems and password managers now support syncing passkeys across trusted devices, making them practical for everyday use.
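The challenge signing and origin binding described above can be seen in a simplified sign-in, added here as an illustration that is not part of the original entry. It runs on Node.js, and the origins, the relying-party ID and all function names are constructed. It keeps only the fields a website checks and leaves out the rest of WebAuthn, such as the browser API, CBOR key encoding and attestation.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require("crypto");
const RP_ID = "example.com";             // constructed relying-party ID
const RP_ORIGIN = "https://example.com"; // constructed legitimate origin
const sha256 = (data) => createHash("sha256").update(data).digest();

// Registration: the device keeps privateKey; the website stores only publicKey.
const createPasskey = () => generateKeyPairSync("ec", { namedCurve: "prime256v1" });

// Browser + authenticator: sign the challenge together with the origin the browser
// observed. A real browser also refuses an rpId that does not match the page's
// origin; this sketch lets the request through to exercise the website's checks.
function signIn(privateKey, challenge, observedOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: observedOrigin,
  }));
  // authenticatorData: rpIdHash (32 bytes) | flags (0x05 = UP+UV) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign("sha256", signed, privateKey) };
}

// Website: returns "ok" or the reason the sign-in is rejected.
function verifySignIn(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "wrong challenge";
  if (client.origin !== RP_ORIGIN) return "wrong origin";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong rpId";
  if ((a.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed scenario: one passkey, one challenge, four submissions.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = randomBytes(32);
  const genuine = signIn(privateKey, challenge, RP_ORIGIN);
  const lookalike = signIn(privateKey, challenge, "https://example-login.test");
  const edited = { ...lookalike, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: verifySignIn(publicKey, challenge, genuine),
    lookalike: verifySignIn(publicKey, challenge, lookalike),   // signed on another origin
    edited: verifySignIn(publicKey, challenge, edited),         // origin swapped after signing
    replay: verifySignIn(publicKey, randomBytes(32), genuine),  // old response, new challenge
  };
}
console.log(demo());
```

Only the response signed on the legitimate origin for the current challenge is accepted; the other three fail on the origin check, the signature check and the challenge check respectively.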
For consumers concerned about account takeover, passkeys represent the most significant improvement in everyday login security in decades. They also eliminate the need to remember complex passwords, reducing the temptation to reuse them.