Every couple of months a new article appears claiming "the end of passwords." Most of them are nonsense. Passkeys are the rare case where the claim is roughly true. Major sites — Google, Apple, Microsoft, Amazon, GitHub, several Pakistani banks — already support them. If you have a smartphone made in the last four years and have not yet set up a passkey for your main email, you are leaving the easiest security upgrade of the decade on the table.
What a passkey actually is
A passkey is a cryptographic key stored on your phone or laptop. When you log in, the website asks your device to prove it has the key. Your device uses your fingerprint or face to unlock the key, performs the proof, and you are signed in. No password is typed; no password exists to be stolen.
The mathematics behind it is the same public-key cryptography that secures HTTPS and SSH. You do not need to understand the math. You just need to understand the consequences.
Three things passkeys fix that passwords cannot
Phishing. A passkey is bound to the exact website it was created for. If a scammer sends you to "yourbank-login.com" instead of "yourbank.com," your passkey simply refuses to fire: the browser will not even offer it on the wrong domain. There is no way to be tricked into giving it up — the device handles the verification, not you.
Database leaks. When a website is hacked, the attacker steals hashed passwords. With passkeys, the website only stores a public key — useless to an attacker. The private key never leaves your device.
Weak/reused passwords. No password to weaken or reuse. Every site gets a unique cryptographic key, automatically.
What a passkey does not fix
Passkeys do not protect against:
- Someone who steals your phone and knows your phone unlock code/PIN. (Use a long PIN.)
- You being convinced to send money manually to a scammer. (Social engineering still works.)
- Lost devices with no backup. (Set up at least two devices, or a hardware key, or write down a recovery code.)
How to set up your first passkey
The fastest first passkey to create is your Google account. Open g.co/passkeys on the phone you use most, sign in, and tap Create a passkey. Approve with fingerprint. Done. From now on, signing in to Gmail on any device just asks your phone to confirm — no password needed.
Repeat the same process for Apple (appleid.apple.com), Microsoft (login.live.com), and GitHub (github.com/settings/security). Each takes under sixty seconds. After this, your most important accounts are dramatically harder to break into.
Where passkeys live
On iPhone, passkeys sync via iCloud Keychain across all your Apple devices. On Android, they sync via Google Password Manager. On Windows or Mac, you can also store them in 1Password, Bitwarden, or Dashlane for cross-platform access. Pick one and stick with it.
The recovery question nobody answers honestly
"What happens if I lose every device with passkeys on it?" Honest answer: if you have not set up recovery, you can be locked out. So set up recovery now:
- Print the recovery codes that Google, Apple, and GitHub give you when you enable passkeys. Put them in a safe place — not your wallet, not a Google Doc.
- Add a second device. If your phone breaks, your laptop still has your passkey.
- Optional but recommended: buy a hardware key like a YubiKey (~PKR 5,000) for your most important account.
Banks in Pakistan
HBL, Meezan, and UBL all have biometric login in their apps — that is a form of passkey, just one that lives inside their app and does not sync. Use it. Most of these banks now also support FIDO2 hardware keys for online banking; if you do any large transfers, the PKR 5,000 spent on a YubiKey is genuinely the best security investment available to a normal person.
Should you delete your password after creating a passkey?
Not yet. Most sites still keep the password as a fallback for now. Over the next two years, expect a "passkey only" option to appear. For 2026, the right configuration is: passkey for fast login, strong password (stored in a password manager) as backup, two-factor authentication as second backup.