Passkeys Are Killing the Password: What You Need to Know in 2026

Passwords are a disaster. Always have been. We all know it, we’ve all lived it — reused credentials, sticky notes on monitors, “forgot password” links clicked so many times the button should have your fingerprints on it. The security community has been screaming about this for two decades. And now, finally, the fix is going mainstream. Passkeys are here, they’re being deployed at scale, and they’re genuinely as good as the hype suggests.

Hooded hacker examining passkeys authentication system on multiple dark monitors in a server room

This isn’t vaporware. Google, Apple, Microsoft, and a growing list of UK services have already rolled out passkey support. As of 2026, FIDO2-based authentication is being baked into everything from banking apps to government portals. If you haven’t dug into how this works yet, now’s the time. It’s elegant technology, and understanding it makes you appreciate just how broken the old system was.

What Are Passkeys and How Do They Actually Work?

At their core, passkeys are FIDO2/WebAuthn credentials. That mouthful means: they use asymmetric cryptography instead of shared secrets. When you register a passkey with a service, your device generates a public/private key pair. The service stores only the public key (plus a credential ID so it knows which key to check). Your device keeps the private key locked away behind its hardware security: on a modern iPhone that's the Secure Enclave, on Android it's the hardware-backed Keystore, on a laptop it's typically the TPM. Synced passkeys are stored encrypted rather than welded to one chip, which is what makes syncing possible at all; more on that below.

When you log in, the server sends a fresh, random, single-use challenge. Your device signs it, together with the origin the browser is actually talking to, using the private key. The server verifies the signature with the public key it already has, checks that the challenge is the one it just issued, and checks that the origin is its own. Done. No password ever travels across the network, a captured signature is worthless because the challenge is never reused, and the private key is never sent to the service. No shared secret to breach, leak, or phish.

The unlock mechanism (Face ID, fingerprint, PIN) is local authentication only. It proves to your device that you're the one authorising the sign-in. That's a crucial distinction. Your biometrics don't go anywhere near the server; all the service learns is a flag in the signed data saying the authenticator verified its user.

Why Passkeys Are a Hacker’s Worst Nightmare

Think about the attack surface that disappears. Password spraying? Useless. Credential stuffing from a leaked database? The credentials don't exist to leak; a breached server gives up public keys, which are no use for logging in. Phishing pages that harvest your login details? The browser writes the real origin into the data the authenticator signs and only offers credentials registered for that domain, so a lookalike site can't produce a signature the legitimate service will accept. Real-time adversary-in-the-middle proxies that relay your login to the real site? Also neutralised by that origin binding, which is what makes passkeys phishing-resistant in a way that SMS or TOTP codes are not.

I’ve spent time looking at breach data from services like Have I Been Pwned, and the volume of exposed credentials is genuinely staggering. The UK’s National Cyber Security Centre has long recommended unique, strong passwords for every account, which is sound advice nobody actually follows. Passkeys sidestep the human problem entirely. There’s no password to be weak, reused, or socially engineered out of someone.

The Sync Question: Convenience vs Control

Close-up of fingerprint sensor being used to authenticate a passkey on a laptop

One thing that trips people up is how passkey syncing works, because it varies by platform and that has real security implications.

Apple syncs passkeys across your devices via iCloud Keychain, end-to-end encrypted. Google does the same with Google Password Manager. This is brilliant for usability but does mean you're trusting those ecosystems. The keys are protected by the account's own device-level verification rather than by any one piece of hardware, so an attacker who compromises your Apple ID or Google Account thoroughly enough to enrol a new device could potentially gain access to your synced passkeys. That's the trade-off.

The more security-conscious among us might prefer a hardware security key approach using something like a YubiKey, which keeps a passkey entirely offline and physically in your possession. No sync, no cloud dependency. The downside is obvious: lose the key and you’re locked out unless you’ve planned recovery properly. There’s no one-size-fits-all answer here. It depends on your threat model.

For most people, synced platform passkeys are a massive upgrade over a password plus SMS-based two-factor authentication. For higher-risk individuals, such as journalists, activists, or anyone a corporate security team is tasked with protecting, hardware-bound passkeys with proper recovery planning are worth the extra friction.

What’s Actually Being Deployed in the UK Right Now?

This isn’t just big tech. HSBC rolled out passkey support for its mobile app. Several UK government services are actively piloting FIDO2 authentication through the GOV.UK One Login programme. Major UK retailers including ASOS and John Lewis have either deployed or announced passkey support in their account systems.

The pace has accelerated sharply. For a long time, passkeys felt like something on a roadmap nobody was rushing to ship. That changed. Browser support is now solid across Chrome, Safari, Firefox, and Edge. Operating system-level support is mature. The infrastructure is there; it’s just a matter of adoption rolling out through the services layer.

Password managers like 1Password and Bitwarden have also stepped in as cross-platform passkey vaults, which solves the ecosystem lock-in problem to some extent. If you’re the type who won’t surrender your credentials to Apple or Google, third-party passkey storage is a viable path.

What About Backwards Compatibility and Transition?

This is where things get messy in practice. Most services are running passkeys alongside passwords during a transition period rather than ripping out the old system entirely. That means the password fallback still exists, and an attacker doesn't need to touch your passkey at all: they phish, stuff or reset the password instead, because the service still accepts it.

Ideally, once a user has registered a passkey, services should allow them to delete stored passwords and enforce passkey-only login. Not many do this cleanly yet. It’s a product decision as much as a technical one, and it matters. A system is only as strong as its weakest login path.

Account recovery is the other elephant in the room. If your device is lost and you haven’t set up sync or backup, how do you get back in? Services handle this inconsistently. Some fall back to email. Some use recovery codes. A few just tell you to contact support. None of these alternatives are as secure as the passkey itself, which is an irony worth sitting with.

Should You Switch Everything to Passkeys Now?

Honestly? Yes, where the option exists. For high-value accounts especially: email, banking, work systems, anything touching cryptocurrency or sensitive data. The threat reduction is real and immediate.

Set up passkeys on your most critical accounts first. Make sure you have a recovery path you've actually tested, not just one you vaguely think might work. If you're on iOS, make sure the Apple ID behind iCloud Keychain has two-factor authentication on and a recovery method you control. On Android, audit your Google Account security the same way. If you're using a hardware key, buy two, register both with every service, and keep the second somewhere safe as the fallback.

The password era isn’t quite over yet. But it’s ending. The architecture replacing it is genuinely better, and for once the security community isn’t just pointing at the problem. Passkeys are the answer we’ve been waiting for, and in 2026 there’s very little reason to wait any longer.

Frequently Asked Questions

What is a passkey and how is it different from a password?

A passkey is a cryptographic credential stored on your device that uses a public/private key pair instead of a shared secret like a password. During login the device sends only a signature over a fresh server-issued challenge (plus the credential ID and the signed client data), so there is no password to steal, phish, or leak from a breached database.

Are passkeys safe if your phone gets stolen?

Largely, yes, because the passkey is protected by your device's local authentication, whether that's a fingerprint, face scan, or PIN. An attacker would need both the physical device and the ability to unlock it. The practical weak point is a PIN that has been shoulder-surfed, so prefer biometrics where available, and if a device is stolen, sign it out of your Apple ID or Google Account remotely.

Can passkeys be used across different devices?

Yes. Platform passkeys sync via iCloud Keychain on Apple devices or Google Password Manager on Android, both of which are end-to-end encrypted. Third-party managers like 1Password and Bitwarden also offer cross-platform passkey storage.

Which UK services support passkeys in 2026?

HSBC, several GOV.UK One Login services, ASOS, and John Lewis are among UK services that have deployed or are actively trialling passkey support. Major browsers and operating systems all support the underlying WebAuthn standard natively.

What happens if I lose my device and I've set up a passkey?

If you’ve enabled cloud sync, your passkeys transfer to a new device when you sign into your Apple ID or Google Account. If you used a hardware key without sync, you’ll need to have registered a backup device or recovery code in advance, so always plan this before you need it.
