Passkeys Explained: Safer Than Passwords and SMS Codes
The best password is often one you never type. Passkeys cut phishing risk because there's no classic, copyable password to steal.

The best password is often one you never type. That is the idea behind passkeys: a modern way to sign in that replaces the password entirely. Because there's no classic, copyable password to steal, passkeys cut phishing risk dramatically. CISA describes the standard behind them — FIDO/WebAuthn — as the only widely available phishing-resistant authentication.
If you've ever fumbled a texted code or worried about a fake login page, this guide is for you. We'll keep it simple: what a passkey is, where it lives, how it works on your devices, and what happens if you lose your phone.
What a passkey actually is
A passkey is a pair of cryptographic keys created for one specific website or app and tied to that site's domain. One key, the public key, is stored by the website. The other, the private key, never leaves your device. When you sign in, the site sends a fresh one-time challenge; your device signs it with the private key and sends back only the signature, which the site checks against the public key it holds. The private key itself is never transmitted.
The practical effect: there is no shared secret sitting in a company's database to be leaked (a stolen list of public keys is useless for logging in), and nothing for you to accidentally hand to a scammer. You approve the login with the same thing you use to unlock your phone: your face, fingerprint, or PIN.
Why it beats passwords and SMS codes
The weakness of passwords and texted codes is that they can be typed — which means they can be tricked out of you. A fake login page can capture a password and even a one-time SMS code as you enter them. NIST's authentication guidance makes the same point in technical terms: manually entered codes, including SMS one-time codes, are not considered resistant to a fake-site (impersonation) attack, because typing a code doesn't bind it to the real site.
NIST also classifies SMS/phone-based codes as RESTRICTED, because phone numbers can be hijacked through SIM-swap and number-porting tricks. CISA echoes this, noting that attackers can exploit weaknesses in phone networks (the SS7 protocol) to intercept codes sent by text.
A passkey sidesteps all of that. Your browser only offers a passkey to the site it is actually connected to, and it writes that site's address into the data your device signs. A look-alike page therefore gets nothing, and even a signature produced for the wrong address would be rejected by the real site. There is no code to phish and no password to reuse.
| Login method | Phishing resistance | Convenience | What can go wrong |
|---|---|---|---|
| SMS code | Weakest — code can be phished or intercepted | High; familiar | SIM swap, fake login pages, delayed texts, no signal |
| Authenticator app | Better — code not tied to your phone number | Medium; open app, copy code | Code can still be typed into a fake site; lose phone = lose codes if not backed up |
| Passkey | Strongest — checks the real site, nothing to type | High; face/fingerprint/PIN | Need device or synced account to sign in; recovery setup matters |
CISA ranks MFA methods from strongest to weakest in the same spirit: a physical security key first, then an authenticator app with number matching, then an authenticator one-time code, and SMS or email codes last. Passkeys put that strongest, phishing-resistant tier within reach of ordinary users.
How passkeys work on each device
The steps are nearly identical everywhere: open the account's security settings, choose "create a passkey" (or "set up a passkey"), and confirm with your usual unlock method.
- iPhone / iPad — passkeys are stored in your iCloud Keychain and sync across your Apple devices. You approve each sign-in with Face ID or Touch ID.
- Android — passkeys are saved to Google Password Manager (or another passkey provider you choose) and sync to devices signed in to that account. You confirm with your fingerprint, face, or screen lock.
- Windows — passkeys can live in Windows Hello (tied to your face, fingerprint or PIN) on that PC, or you can use a passkey from your phone by scanning a prompt.
- Mac — same iCloud Keychain as iPhone, approved with Touch ID, so your passkeys follow you across Apple devices.
A handy detail: even when a passkey lives on your phone, you can often use it to sign in on a nearby laptop. The site shows a QR code, you scan it with your phone, approve with your face or fingerprint, and you're in. The phone has to be physically close, because the two devices confirm proximity over Bluetooth, and the private key still never leaves your phone.
What happens if you lose your device
This is the question that stops people from trying passkeys, and the answer is reassuring.
- If your passkeys sync (iCloud Keychain or Google Password Manager), they aren't trapped on the lost phone. Sign in to a replacement device with the same Apple or Google account, and your passkeys come back. That also means the Apple or Google account itself is now the thing to protect: give it strong MFA and a recovery method you control.
- Set up a backup method now. Add a passkey on a second device, register a physical security key, or keep your account's printed recovery codes somewhere safe (offline). That way a lost phone is an inconvenience, not a lockout.
- A lost phone with a screen lock is not an open door. Whoever finds it still needs your face, fingerprint or PIN to use a passkey — the passkey is useless without you.
Add a security key or a second device as backup before you need it. Recovery is easy when you plan it and stressful when you don't.
Where a VPN fits in
Passkeys protect the login; a VPN protects your traffic on untrusted networks like café or hotel Wi-Fi. They solve different problems. A VPN cannot stop phishing, malware, or account takeover, and it is not a substitute for passkeys, MFA, a password manager or software updates. Think of a VPN as a useful privacy layer for travel and public Wi-Fi, a sidekick to passkeys, never a replacement.
Bottom line
- A passkey replaces your password with a key your device holds and never shares — so there's nothing for a fake site to phish or steal.
- Passkeys beat SMS codes and even authenticator apps because they check the real site for you, and SMS is the weakest, most hijack-prone option.
- Turn on passkeys where offered, set up a backup (second device, security key, or recovery codes), and you'll log in faster and safer.


