Passkeys Explained: What Is a Passkey and How Do Passkeys Work?

Passkeys are more secure than passwords and can't be phished or stolen. Learn what passkeys are, how they work, and how Dashlane manages them.

Only have a minute? Read this summary

  • A passkey is a cryptographic login credential that replaces your password. It’s generated on your device and tied to a specific website, so it can’t be used anywhere else.
  • Passkeys work by splitting a key pair at registration: The private key stays on your device, and only the public key is sent to the website.
  • They’re safer than passwords because they can’t be phished, stolen from a server breach, or guessed. The website never sees your private key.
  • Passkeys also replace most forms of 2FA.
  • The FIDO Alliance’s 2025 consumer research found that 36% of people had at least one account compromised in the previous year due to weak or stolen passwords. Passkeys close that attack surface entirely.
  • You can store and sync passkeys across all your devices using Dashlane so you’re never locked in to a single platform.

Passwordless authentication is becoming mainstream as more people and platforms recognize how it improves security over traditional passwords. Big-name players like Microsoft, Google, and Apple are among those leading the charge.

Bringing them all together is the FIDO Alliance, an organization that works on passwordless technology and establishes standards for organizations to follow. 

There are billions of usernames and passwords on the dark web. This treasure trove of logins puts a lot of consumers at risk, especially considering how many people reuse their passwords. When your passwords end up on the dark web, cybercriminals can use them to get into your accounts and steal your personal or professional data.

That’s why passkey-based authentication is here to stay.

What is a passkey?

As simple as they are to use, passkeys can be difficult to understand. We’re breaking it down at different levels so you can leave this blog post knowing what a passkey is and how it’s different from a password.

Explain it like I’m 5

Passwords are a common way to log in to accounts, but if they get stolen (which they often do), anyone can use them to gain access.

Passkeys are a way to log in without a password. They use your phone or another supported device to prove that you are who you say you are before letting you into your account. A lot of security happens behind the scenes, but the main benefit of passkeys is that they can’t be stolen like passwords.

Plus, there’s nothing to remember, so you’ll never forget them!

Explain it a bit more thoroughly

A passkey is a passwordless login credential: a password replacement that’s more secure and easier to use. Passkeys are better than passwords because passkeys can't be phished or stolen. They’re easy to set up and use, and you don’t need to memorize them.

Instead of having to create a password for your account, you enable an “authenticator” to generate a passkey. The authenticator can be your smartphone, another device, or a password manager that supports passkeys.

The authenticator still requires some form of user verification. This could be through entering a password or PIN or using biometrics (such as Face ID or Touch ID), which adds both security and convenience.

Your passkeys are stored securely in a vault, such as your device’s keychain or your password manager. Since passkeys can sync across devices, they’re seamless and convenient to use.

Explain the technical stuff

Key terms

Passkey: A multi-device, phishing-resistant FIDO credential that uses public key cryptography to authenticate you to a website without a password. Passkeys sync across your devices using an authenticator such as Dashlane.

WebAuthn: The W3C web standard (Web Authentication API) that browsers and operating systems use to create and use passkeys. Passkeys are created using the WebAuthn API.

CTAP2: Client to Authenticator Protocol 2, the FIDO specification that defines how browsers communicate with external authenticators (hardware security keys, phones) during passkey operations.

Authenticator: The software or hardware that stores your private key and performs user verification. Platform authenticators are built into your device (Apple Face ID, Windows Hello). Roaming authenticators are external devices (YubiKey, Titan Security Key). Password manager authenticators (like Dashlane) can serve as cross-platform options.

Device-bound passkey: A passkey that’s locked to a single hardware authenticator and can’t be synced. It’s common with hardware security keys such as a YubiKey.

Synced passkey: A passkey that’s encrypted and backed up through a credential manager (your OS keychain or a password manager) so it’s available on all your devices.

Attestation: A cryptographic proof returned during passkey registration that can be used to confirm the passkey was genuinely created by a legitimate authenticator and not a spoofed one.

Origin binding: A core security property of passkeys. A passkey for dashlane.com will not respond to a request from da5hlane.com or any other domain, which is what makes passkeys phishing-resistant.

How passkeys work

There are several reasons why passkeys are better than passwords. Passwords are a shared secret: The value is sent over the network to the server to be evaluated, meaning the server needs to store information about the password that could be valuable to an attacker.

Passkeys, on the other hand, are based on public key cryptography, which ensures that the secret element of the credential isn’t shared with the website and that no secrets are transferred between the user’s device and the server.

In order for passkeys to work, an authenticator, such as a mobile device OS or password manager that supports passkeys, generates two cryptographic keys for each account you create. One key is public and stored on the site where you create the account, and the other is private and stored in your authenticator.

When you sign in to your passkey-enabled account, your authenticator and the website communicate to authenticate your login without exchanging any actual secrets that a hacker could exploit.

Passkeys are created using the WebAuthn API, which is widely implemented across modern browsers and operating systems. Most of the complexity is hidden in the software. The user only needs to approve the creation or use of the passkey. User approval can take the form of 1) an on-device biometric check using a fingerprint sensor or facial recognition or 2) a local device password or PIN.

Passkeys can be either device-bound or synced between devices. Device-bound passkeys are typically ones that are created on a hardware key, such as a YubiKey or a Titan Security Key.

Synced passkeys are typically managed by a password manager—either one that’s built into your device’s operating system or a standalone password manager such as Dashlane. Synced passkeys have the advantage of being available on any of your devices where the password manager is available.

“Adopting passkeys was a no-brainer for us. It simplifies sign-ins, replaces the guesswork of traditional authentication methods with a reliable standard, and helps our users ditch the downsides of passwords.”

Rew Islam, Director of Product Engineering and Innovation at Dashlane, on the Android Developers blog

How are passkeys better than passwords?

One of the biggest benefits to the user is also one of the simplest: Passkeys, unlike passwords, don’t need to be remembered each time you want to access your account.

Sure, password managers have removed some of that mental load, but creating, storing, and inputting passwords still takes some level of effort—and opens the door for potential vulnerability. With passkeys, logging in is effortless, and it’s also much more secure.

The extra security comes in the form of phishing resistance. To understand why, let’s look at how a phishing attack works. The attacker sends the victim a message that prompts them to visit a website with the hope that they will enter their login information. The website that the user will be prompted to visit isn’t legitimate, but it will likely appear legitimate to the user. Users who try to sign in to the phishing site will give away their username and password, allowing the attacker to access their account.

This simply can’t happen with passkeys. Passkeys eliminate the need for users to enter their passwords, and they can’t be used on malicious websites because they’re technically bound to the original website for which they were created.

Even if a user visits a phishing site, their passkey won’t be prompted and won’t try to sign the user in. Therefore, the attacker can’t steal their passkey like they can steal their password.

Similar to passwords, certain 2-factor authentication (2FA) credentials are also vulnerable to phishing attacks, which means even a password with a 2FA credential isn’t as secure as a passkey. 

While no authentication method is completely foolproof, passkeys are better all around: They’re easy to use, phishing-resistant, and can’t be guessed or forgotten.

Will passkeys replace passwords?

In short, yes—eventually. Passkeys are simply a better option, and we’re already seeing more widespread adoption and advancements.

Device-bound passkeys vs. synced passkeys

Device-bound

  • Phishing resistance: Strong (origin-bound)
  • Recovery path: Requires hardware key; if lost, you need a backup key or account recovery flow
  • Cross-device use: Works on different devices, but the user needs to connect the key to each one
  • Best for: High-assurance enterprise or government use cases

Synced (multi-device)

  • Phishing resistance: Strong (origin-bound)
  • Recovery path: Depends on sync provider backup (iCloud Keychain, Google Password Manager, or Dashlane)
  • Cross-device use: Yes, available anywhere your password manager is installed
  • Best for: Consumer and business accounts where convenience across devices matters

Passkeys vs. passwords vs. OTP/2FA

Passkeys

  • Phishing resistance: Strong (origin-bound, private key never leaves device); can replace both the password and 2FA in a single step
  • User friction: Low (biometric or PIN, no code to enter)
  • Account recovery: Depends on sync provider or backup authenticator

Passwords

  • Phishing resistance: None; can be stolen from server breaches, reused, guessed, or intercepted
  • User friction: High (must be created, remembered, or managed)
  • Account recovery: Typically, password reset using email

OTP/2FA (SMS or app-based)

  • Phishing resistance: Weak; OTP codes can be intercepted, replayed, or socially engineered; adds a step but doesn’t eliminate the password
  • User friction: Medium (requires a second device or app)

How passkey registration works

  1. Your device generates a unique key pair (public and private) for the site you’re signing up with.
  2. Only the public key is sent to and stored on the website’s server.
  3. The key pair is bound to the exact origin (domain) of that site, so it will not work on any other domain.
  4. Your device asks you to verify your identity, either with biometrics (facial recognition, fingerprint) or a local PIN, to authorize saving the passkey.
  5. Optionally, the authenticator returns an attestation to the server, allowing it to verify the authenticator’s certification.

How passkey sign-in works

  1. The website sends a cryptographic challenge to your device.
  2. Your device asks you to verify your identity (biometrics or PIN).
  3. Your authenticator signs the challenge using your private key, which never leaves your device.
  4. The signed response includes proof of origin binding, confirming the request came from the legitimate site.
  5. The server verifies the signature against the public key it stored at registration and grants access.
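
The registration and sign-in steps above, as an added example that is not from the original post or from Dashlane's code: a Node.js simulation of the authenticator's signature and the checks a website's server runs on it (challenge, origin, RP ID hash, user verification, signature). Assumptions: the domains example.test and examp1e.test are placeholders, the function names are illustrative, and the attestation and CBOR/COSE key encoding used by real WebAuthn registration are left out.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the authenticator generates a P-256 key pair. The server
// keeps only publicKey; privateKey stays with the authenticator.
const registerPasskey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Authenticator + browser side of sign-in. The browser, not the page, fills
// in the origin; the signature covers authenticatorData || SHA-256(clientDataJSON).
function signAssertion(privateKey, rpId, browserOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  // rpIdHash (32 bytes) | flags: UP 0x01 + UV 0x04 | signCount (4 bytes, unused here)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: every check must pass before the login is accepted.
function verifyAssertion(assertion, expected, publicKey) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'challenge-mismatch';
  if (clientData.origin !== expected.origin) return 'origin-mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpid-mismatch';
  if ((authenticatorData[32] & 0x05) !== 0x05) return 'user-not-verified';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed scenarios; example.test / examp1e.test are placeholder domains.
function runScenarios() {
  const { publicKey, privateKey } = registerPasskey();
  const expected = { rpId: 'example.test', origin: 'https://example.test', challenge: crypto.randomBytes(32) };
  const good = signAssertion(privateKey, expected.rpId, expected.origin, expected.challenge);
  // A real authenticator finds no credential for the lookalike RP ID and never
  // signs; the signature is forced here to show the server check also rejects it.
  const lookalike = signAssertion(privateKey, 'examp1e.test', 'https://examp1e.test', expected.challenge);
  // Same response with origin and rpIdHash rewritten after signing.
  const rewritten = {
    ...lookalike,
    clientDataJSON: Buffer.from(lookalike.clientDataJSON.toString().replace('https://examp1e.test', 'https://example.test')),
    authenticatorData: Buffer.concat([sha256(expected.rpId), lookalike.authenticatorData.subarray(32)]),
  };
  const nextLogin = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    legitimate: verifyAssertion(good, expected, publicKey),
    lookalike: verifyAssertion(lookalike, expected, publicKey),
    rewritten: verifyAssertion(rewritten, expected, publicKey),
    staleChallenge: verifyAssertion(good, nextLogin, publicKey),
  };
}

console.log(runScenarios());
```

Because the origin and RP ID hash sit inside the signed bytes, changing either after signing invalidates the signature, and a response signed for one challenge fails against the next.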

What Dashlane does for your passkeys

Cross-platform access: Dashlane stores private keys using confidential computing in a secured server environment, and you can access them through the Dashlane extension or app on any device. For example, you can create a passkey for GitHub on your Windows laptop and sign in to GitHub from your iPhone using the same passkey.

Not locked to Apple or Microsoft: Unlike passkeys saved natively on a device, Dashlane passkeys are not tied to iCloud Keychain or Windows Hello. For example, if you switch from Android to iPhone, your Dashlane passkeys remain with you.

Device loss recovery: If you lose a device, you don’t lose your passkeys. Log in to Dashlane on a new device and your passkeys are there. For example, if your phone is stolen, you can recover your passkeys by logging in to Dashlane on a replacement phone.

Zero-knowledge vault: Dashlane’s patented zero-knowledge architecture means the passkey is generated in a secure cloud environment using confidential computing. The private key is encrypted remotely, and the encryption key remains in your vault.

Passkeys and passwords side by side: If a site has both, Dashlane keeps both in your vault. For example, if you create a passkey for Amazon but still have your Amazon password saved, Dashlane lets you choose which one to use at sign-in.

How do I start using passkeys?

How to use passkeys on iOS (iPhone and iPad)

  1. Make sure your device runs iOS 16 or later.
  2. Install the Dashlane app and go to Settings on your iPhone.
  3. Tap Passwords, then Password Options, and select Dashlane as your Autofill provider.
  4. Open a supported website or app and choose “Create a passkey” or “Sign in with a passkey.”
  5. A prompt will appear asking you to save the passkey. Choose Dashlane when asked where to store it.
  6. Verify your identity with Face ID, Touch ID, or your device passcode.
  7. Your passkey is saved in Dashlane and available on any device where you use Dashlane.

How to use passkeys on Android

  1. Make sure your device runs Android 9 or later.
  2. Install the Dashlane app and go to System Settings, then Passwords, passkeys, and data services.
  3. Select Dashlane as your preferred password and passkey service.
  4. Open a supported app or website and choose “Create a passkey.”
  5. When prompted by the Credential Manager sheet, choose Dashlane as the save location.
  6. Approve with biometrics or your device PIN.
  7. Your passkey is stored in Dashlane and syncs across your devices.

How to use passkeys on Windows

  1. Make sure you’re running Windows 10 or 11 with an up-to-date browser (Chrome, Edge, or Firefox).
  2. Install the Dashlane browser extension and log in to your Dashlane account.
  3. Go to a supported website and choose “Create a passkey.”
  4. The browser will prompt you to save the passkey. Select Dashlane from the available options.
  5. If only Windows Hello appears, click “Use a different device” or check Dashlane’s extension settings to confirm you’re signed in to your account.
  6. Approve with Windows Hello (PIN, fingerprint, or face) or your Dashlane master password.
  7. Your passkey is saved in your Dashlane vault.

How to use passkeys on macOS

  1. Make sure you’re running macOS Ventura (13) or later.
  2. Install the Dashlane browser extension in Safari (and set Dashlane as your autofill provider), Chrome, or Firefox.
  3. Go to a supported website and choose “Create a passkey.”
  4. Select Dashlane when prompted for where to save the passkey. (If iCloud Keychain appears first, look for “Other options” to choose Dashlane.)
  5. Approve with Touch ID or your Dashlane Master Password.
  6. Your passkey is now in your Dashlane vault and available on all your devices.

Troubleshooting passkeys

No prompt appears when I try to create a passkey: Check that your browser extension is installed and enabled for the site. Try refreshing the page or switching browsers. If you’re using a mobile device or the native Mac app, make sure Dashlane is set as your default passkey provider in your device settings.

Cross-device sign-in fails: If you’re signing in on a device that doesn’t have Dashlane installed, use the QR code option in your browser to authenticate from your phone. Make sure Bluetooth is on for proximity-based cross-device flows.

USB security key not detected: Check that your browser supports CTAP2 and that your key is plugged in directly (avoid hubs if possible). Try a different USB port. Update your browser and security key firmware.

Passkey saved to the wrong place: If your passkey was saved to iCloud Keychain or Google Password Manager instead of Dashlane, go to that service, delete the passkey, then re-register on the site with Dashlane selected as the save destination.

Site says passkeys are not supported: Check that the site supports passkeys. Some sites only support passkeys on their app, not their website.

Frequently asked questions about passkeys

Can passkeys be phished?

No. Passkeys are origin-bound, meaning they’re tied to the exact domain they were created for and won’t respond to requests from any other site, including convincing lookalike phishing pages.

Do passkeys require biometrics?

No, but most platforms default to it for convenience. You can use a device PIN or password for user verification instead. Biometrics never leave your device and aren’t sent to the website.

What happens if I lose a device?

If your passkeys are stored in Dashlane, log in to Dashlane on a new device to recover them. If they were saved only to a platform keychain (iCloud or Google), you recover them by signing in to your Apple or Google account on a new device.

Are passkeys stored in iCloud, Google Password Manager, or Dashlane?

That depends on which authenticator you choose when you create the passkey. If you select Dashlane, the private key goes into your Dashlane vault, where Dashlane stores it in a secure cloud environment. If you select your device default, it goes to iCloud Keychain (Apple) or Google Password Manager (Android). Choosing Dashlane means your passkeys are portable across all platforms, not just one ecosystem.

Can teams share a passkey safely?

Passkeys are designed for individual authentication and aren’t meant to be shared directly because the private key is tied to a specific device or vault.

How do I move passkeys between ecosystems?

If your passkeys are in Dashlane, they’re already portable across iOS, Android, Windows, and macOS. And, if your passkeys are saved on a mobile OS, they can be used across other platforms using the QR code flow.
