Now taking new projects, limited availability each month.

What Is a Passkey? The New Way to Log In to Websites Explained

Passkeys are replacing passwords across the internet — and you may already have used one without realising it. Google, Apple, Amazon, and hundreds of other services now offer them as the default way to log in. They are faster, safer, and you never need to remember or type anything. Here is what passkeys actually are, why they are better than passwords, and what it means for small business owners.

A passkey is a way to log in to a website or app using your fingerprint, face scan, or device PIN instead of a password. Your phone or computer generates a unique digital key and stores it securely — the website never sees it. This makes passkeys impossible to phish or steal through data breaches. Major platforms including Google, Apple, Microsoft, Amazon, PayPal, and eBay already support them. For small business owners, passkeys are most relevant when choosing login options for a customer portal or membership area on your website, and as a way to secure your own business accounts more reliably than a password alone.

You have probably seen a prompt recently asking whether you want to save a passkey for a website. Or your phone may have suggested using your fingerprint to log in somewhere instead of typing a password. That is passkeys in action — and in 2026, they are rapidly becoming the standard way to log in across the web.

The concept sounds technical, but the experience is simple. Instead of typing a password, you press your thumb to your phone screen or glance at your laptop camera and you are in. No typing, no password to forget, no reset emails.

How Do Passkeys Actually Work?

When you create a passkey for a website, your device generates two linked pieces of data called a key pair. One half — called the public key — is stored on the website's servers. The other half — your private key — is stored only on your device, locked behind your biometric (fingerprint or face) or your device PIN.

When you log in, the website sends a challenge to your device. Your device uses the private key to sign it and sends back the answer. The website checks the answer using the public key it already has. If they match, you are logged in.

The important part is that your private key never leaves your device. Even if the website is hacked, the attackers cannot get your key — they only ever had the public half, which is useless on its own. This is fundamentally different from passwords, which are often stored (sometimes poorly) on the server side and can be stolen.

Why Are Passkeys Safer Than Passwords?

Passwords have three big weaknesses that passkeys eliminate entirely:

  • Phishing attacks. A phishing attack tricks you into typing your password into a fake website designed to look like the real one. Passkeys cannot be phished — your device will only release the private key to the exact website it was created for. A fake login page gets nothing.
  • Data breaches. When a company suffers a data breach, the attackers often walk away with a database of usernames and hashed passwords. With passkeys, there is no password stored on the server — nothing to steal.
  • Weak and reused passwords. Research consistently shows that most people reuse the same few passwords across many sites. If one site is breached, attackers try those credentials everywhere else. Passkeys cannot be reused — each one is unique to a specific website.

What Happens If You Lose Your Phone?

This is the question most people ask first, and it is a fair one. Passkeys are synced across your devices through your Apple iCloud Keychain, Google Password Manager, or Microsoft account — the same places your browser currently saves passwords. If you lose your phone, your passkeys are still available on your laptop, tablet, or a replacement phone once you sign into your account.

Websites that support passkeys also keep fallback options, typically a one-time code sent by email or text message, for situations where you genuinely cannot access any of your devices. You are no more locked out than you would be with a password.

Which Websites Already Support Passkeys?

Adoption has accelerated rapidly. As of mid-2026, passkeys are supported by Google, Apple ID, Microsoft, Amazon, PayPal, eBay, GitHub, Dropbox, WhatsApp, X (formerly Twitter), LinkedIn, and thousands of others. The passkeys.directory website maintains a searchable list if you want to check a specific service.

Where passkeys are available, they are typically offered as an option alongside existing password login rather than as a forced replacement — although some platforms are beginning to make them the default for new accounts.

What Does This Mean for Your Small Business Website?

If your website is a simple brochure site with no login area, passkeys do not directly affect your site at all. The most relevant scenarios for small businesses are:

  • Securing your own accounts. Any business account — your website hosting control panel, domain registrar, Google Workspace, social media accounts — that offers passkeys is worth enabling. It is stronger protection than a password and faster to use.
  • Customer login areas. If your website includes a membership area, a client portal, or a booking account, your platform may support or be adding passkey login. Wix, Shopify, and WordPress plugins are all introducing passkey support. Offering it improves security for your customers without adding any friction — it is faster for them to log in.
  • Choosing a platform. If you are building a new website that will include customer accounts, passkey support is a useful factor to check when comparing platforms. It is increasingly standard rather than cutting-edge.

Do You Need to Do Anything Right Now?

For most small business owners, the immediate action is simple: when a service you already use offers to set up a passkey for your account, accept it. It takes about thirty seconds and makes your account significantly harder to compromise. Start with the accounts that matter most — your hosting, your domain registrar, your email, your Google account.

For your website visitors, passkey support will increasingly arrive through platform updates rather than anything you need to implement yourself. If you are building a new site from scratch with a customer login area, ask your developer or platform about passkey support — it is worth having from day one.

Frequently asked

Do I need a smartphone to use passkeys?
No. Passkeys can be stored on any modern device — a laptop, a desktop computer with Windows Hello, or a phone. On a laptop you might use your fingerprint reader or a PIN instead of face recognition. The key point is that your device needs some kind of local verification method. If you are logging into a website on a shared or unfamiliar computer, you can also use your phone to authenticate — a QR code appears on screen, you scan it with your phone, and the passkey on your phone completes the login on the computer. You never need to type the private key.
Are passkeys the same as two-factor authentication?
No — but they replace it for many purposes. Two-factor authentication (2FA) adds a second step to a password login, typically a code texted to your phone. Passkeys replace the password entirely rather than adding a step on top of it. Because the passkey is stored on your device and requires your biometric or PIN to use, it effectively combines "something you have" (your device) with "something you are" (your fingerprint or face) in a single fast step. The result is more secure than a password plus SMS code, and faster to complete.
Can I still use a password if I prefer?
Yes. Passkeys are an option, not a forced replacement — at least for now. Every website that supports passkeys also keeps traditional password login as a fallback. You can ignore passkeys entirely and nothing will stop working. That said, if you have a choice, passkeys are genuinely the better option: they are faster to use and significantly harder for attackers to compromise. The transition is happening gradually, and older devices or accounts that rarely log in anywhere new may never need to change anything.
Will passkeys work across different devices and browsers?
Yes, with minor caveats. Passkeys synced through Apple iCloud Keychain are available across all your Apple devices — iPhone, iPad, Mac. Google Password Manager syncs passkeys across Android and Chrome on any platform. Microsoft syncs through Windows Hello. The passkey itself is tied to the platform you created it on, so an Apple passkey is not automatically available in Chrome on Windows. If you regularly switch between ecosystems, the workaround is to create a passkey on each platform, or to use a password manager like 1Password or Bitwarden that stores passkeys independently and makes them available everywhere.