How to Set Up Passkeys in 2026: A Step-by-Step Guide to Ditching Passwords
Passkeys are phishing-resistant, can't be leaked in breaches, and take seconds to set up. Here's how to switch on each major platform.

Passwords are the weakest link in almost every account you own. They get phished, reused, and dumped into breach databases by the billion. Passkeys fix all three problems at once, and in 2026 they are finally supported widely enough, across Apple, Google, and now Microsoft sync, to be worth switching to today.
Quick answer
A passkey replaces your password with a cryptographic key pair: your device keeps the private key (unlocked by Face ID, a fingerprint, or a PIN) and the website keeps only the public key. To set one up, sign in with your existing method, open the account's security settings, choose Add a passkey, and confirm with your biometric. Turn on your platform's sync first (iCloud Keychain on Apple, Google Password Manager, or the new Microsoft Password Manager), start with your email account, and always keep one backup sign-in method. The whole process takes seconds per account and makes that login impossible to phish or leak in a breach.
Key takeaways
- A passkey is a FIDO2/WebAuthn credential: your device holds a private key that never leaves it, and the site holds only a public key.
- Passkeys are phishing-resistant, have nothing to steal in a breach, and have two factors built in.
- Synced passkeys back up to a cloud manager and follow you across devices; device-bound passkeys stay on one piece of hardware.
- As of 2026, Google, Apple, and Microsoft all offer synced passkeys through their managers, though cross-ecosystem sync still often needs a third-party manager.
- Roll out passkeys email-first, and always keep one backup sign-in method.
What a passkey actually is
A passkey is a login credential built on the FIDO2/WebAuthn standard. Instead of a secret string you type, your device stores a cryptographic key pair. The private key never leaves your phone, laptop, or hardware key, and the public key sits with the website. When you sign in, you unlock the private key the same way you unlock your device: Face ID, a fingerprint, or a PIN.
That design gives passkeys three properties passwords can never have:
- Phishing-resistant. A passkey is cryptographically bound to the real website's domain. A fake login page cannot trigger it, so you cannot be tricked into handing it over. That is why passkeys are a core defense against AI-powered phishing.
- Nothing to steal in a breach. The server only stores a public key. Even if attackers dump the entire database, there is no password to crack or reuse.
- Two factors built in. A passkey combines something you have (the device) with something you are or know (biometric or PIN), so it already meets multi-factor standards.
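The checks a website runs on a passkey sign-in, as an added example (not code from this article or from any vendor). It uses Node.js's built-in crypto module; the site `example.com`, the look-alike `examp1e-login.test`, and the `authenticatorSign` helper that stands in for the browser and device are all constructed for illustration.

```javascript
// Added example: constructed relying party "example.com" with a simulated authenticator.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the device creates the key pair; the site stores only publicKey.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Simulated browser + authenticator (hypothetical helper). The browser, not the page,
// writes the origin into clientDataJSON; a real browser would also refuse to use a
// passkey whose RP ID does not match the page's domain.
function authenticatorSign(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // authenticatorData = SHA-256(rpId) || flags (UP 0x01 | UV 0x04) || 4-byte signCount
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Server-side checks on a sign-in assertion; returns 'ok' or the reason for rejection.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expected, storedKey) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((authenticatorData[32] & 0x05) !== 0x05) return 'user not verified';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signed, storedKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const expected = { origin: 'https://example.com', rpId: 'example.com', challenge: randomBytes(32) };
  const genuine = authenticatorSign(expected.origin, expected.rpId, expected.challenge);
  const lookalike = authenticatorSign('https://examp1e-login.test', 'examp1e-login.test', expected.challenge);
  return {
    genuine: verifyAssertion(genuine, expected, publicKey),       // 'ok'
    lookalike: verifyAssertion(lookalike, expected, publicKey),   // 'origin mismatch'
    replayed: verifyAssertion(genuine, { ...expected, challenge: randomBytes(32) }, publicKey), // 'challenge mismatch'
  };
}
console.log(demo());
```

The site's database holds only `publicKey`, which can verify a signature but cannot produce one, and a response generated on any other domain fails the origin check before the signature is even examined.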
Note
You do not have to delete your password to start. Most sites let a passkey and a password coexist, so you can add a passkey and keep the old login as a fallback.
Synced vs. device-bound passkeys
There are two flavors, and the difference matters.
Synced passkeys are backed up to a cloud password manager and appear on every device signed into that account. Apple's iCloud Keychain, Google Password Manager, the new Microsoft Password Manager sync, and third-party managers like 1Password and Dashlane all do this with end-to-end encryption. Lose a phone and your passkeys survive on your other devices.
Device-bound passkeys never leave the hardware they were created on. A YubiKey or a Windows Hello credential is device-bound. They are the most resistant to remote attacks but offer no automatic backup, so keep a second key or another login method as a spare.
Here is how the two types compare so you can choose deliberately rather than by accident:
| | Synced passkey | Device-bound passkey |
|---|---|---|
| Backed up to cloud | Yes, end-to-end encrypted | No |
| Survives a lost device | Yes, on your other devices | No, gone with the hardware |
| Examples | iCloud Keychain, Google/Microsoft Password Manager, 1Password | YubiKey, Titan key, Windows Hello |
| Best for | Everyday accounts you use across devices | High-value accounts, maximum attack resistance |
| Backup advice | A second synced device | Register a second hardware key |
Setting up passkeys on each platform
The flow is nearly identical everywhere: sign in with your existing method, open security settings, choose to add a passkey, and confirm with your biometric or PIN.

Apple (iPhone, iPad, Mac)
Apple stores passkeys in the Passwords app, synced through iCloud Keychain. Make sure iCloud Keychain is turned on, then create a passkey when a site offers one:
- Open Settings, tap your name, then iCloud, and confirm Passwords (iCloud Keychain) is on.
- On a website or app, choose to sign in with a passkey and tap Create.
- Confirm with Face ID or Touch ID.
It instantly appears on every Apple device using the same Apple Account.
Google / Android / Chrome
Google syncs passkeys through Google Password Manager. As of 2026, those passkeys sync across Chrome on Windows, macOS, Android, iOS, and iPadOS, so a passkey you create on your Pixel works in Chrome on your work laptop. Visit your account's security page at myaccount.google.com/signinoptions/passkeys, find the passkeys section, and follow the prompt to create one.
Microsoft and Windows
This is the part that changed in 2026. Microsoft Password Manager now saves and syncs passkeys across devices signed in with the same Microsoft account, with iOS and Android support rolling out through Microsoft Edge. That is a major shift from the old situation.
Note the distinction: passkeys created directly with Windows Hello (and Entra device-bound passkeys on Windows) remain device-bound and do not sync; each device needs its own registration. If you want your Microsoft passkeys to follow you, create and store them in Microsoft Password Manager (or a cross-platform manager), not as a raw Windows Hello credential.
Hardware security keys
A FIDO2 key like a YubiKey or Titan key is the gold standard for high-value accounts. Register it the same way: choose "security key" when adding a passkey, insert or tap the key, and set its PIN. Buy two and register both, so a lost key never locks you out.
A sensible rollout plan
Do not try to convert everything in one afternoon. Start where the damage would be worst.
- Your email account. Email resets every other password, so protect it first.
- Password manager and cloud storage. These hold the keys to everything else.
- Banking and financial accounts.
- Social media and shopping, which attackers love for fraud and resale.
Tip
Always keep one backup sign-in method when you add a passkey, whether a second hardware key, a recovery code printed and stored offline, or a synced passkey on another device. Recovery is the one place passwordless setups go wrong.
If you are migrating a pile of saved passwords on Android, the new Credential Exchange standard makes it smoother; see our guide to transferring passwords to passkeys on Android.
The honest limitations
Passkeys are excellent, but adoption is uneven. Many smaller retailers, government portals, and legacy enterprise tools still do not offer them. Until they do, you will keep some passwords around, so a good password manager remains essential. And while each big ecosystem now syncs within itself, native sync still does not flow between Apple and Google ecosystems; moving passkeys across them generally needs a third-party manager such as 1Password or Dashlane to bridge the gap.
None of that is a reason to wait. Every account you move to a passkey is one that can no longer be phished or dumped in the next breach, and breaches keep coming, as the KDDI ISP incident showed. Start with your email today, and work down the list from there. If you want to compare how the major managers handle passkey features, our 1Password vs Bitwarden passkey comparison breaks it down.
What to do right now
You can protect your most important account in the next five minutes:
- Turn on your platform's passkey sync first: iCloud Keychain (Apple), Google Password Manager, or Microsoft Password Manager.
- Add a passkey to your primary email account, the master key that resets everything else.
- Keep the existing password as a fallback until you have confirmed recovery works.
- Set up at least one backup method: a synced passkey on a second device, or a printed recovery code stored offline.
- If you hold high-value accounts, buy two hardware keys (YubiKey or Titan) and register both.
- Then work down: password manager, cloud storage, banking, then social and shopping.
Frequently asked questions
What happens if I lose my phone?
If your passkeys are synced (iCloud Keychain, Google Password Manager, Microsoft Password Manager, or a third-party manager), they are safe on your other signed-in devices and restore to a new phone. Device-bound passkeys do not, which is why you keep a backup key or recovery method.
Can passkeys be stolen by malware?
The private key is protected by your device's secure hardware and never leaves it, so it cannot be copied off the way a password file can. Malware can still try to abuse an unlocked session, so keep your OS patched and your device locked.
Do passkeys work across Apple and Google devices?
Within each ecosystem, yes. Between them, native sync still does not flow directly. Use a cross-platform password manager (1Password, Dashlane, and others) if you live in both worlds and want one set of passkeys everywhere.
Should I delete my password after adding a passkey?
Not immediately. Keep the password as a fallback until you are confident in recovery, then remove it where the site allows, so there is no weaker credential left to phish or leak.


