Passkeys are an emerging authentication technology based on public key cryptography that aims to replace traditional passwords by eliminating their fundamental vulnerabilities like weak passwords, reuse, and phishing susceptibility.
WebAuthn (Web Authentication) is a passwordless authentication API standard developed by the World Wide Web Consortium (W3C) together with the FIDO Alliance, and is a core component of the FIDO2 Project. Unlike username-password combinations, WebAuthn relies on public key cryptography: the server stores only a public key, the private key never leaves the user's authenticator and is never transmitted, so a leaked credential database gives an attacker nothing that can be used to log in. WebAuthn Level 1 became a W3C Recommendation in March 2019. Passkeys are the user-facing implementation of this technology. 'Passkey' is a marketing term popularized by vendors like Google and Apple; the FIDO Alliance originally used it for Multi-Device FIDO Credentials (credentials synced between a user's devices) and now applies it to any FIDO credential implemented with the WebAuthn specification, whether synced or device-bound.
The video's claim about cross-device limitations is partially accurate but requires important clarification. There are two types of passkeys: device-bound passkeys and synced passkeys. Device-bound passkeys stay on the device (or hardware security key) on which they were created; the private key can't leave that device, so losing the device means losing that credential. Synced passkeys are stored in a credential manager that replicates the end-to-end-encrypted private key to the user's other devices: Google Password Manager synchronizes passkeys between the user's Android devices and Chrome browsers signed into the same Google account, and iCloud Keychain does the same across a user's Apple devices. Synced passkeys can work across different platforms, but their reach depends on the cloud ecosystem managing them, since Apple, Google, and Microsoft have different implementations of passkey synchronization. Apple and Google do not sync passkeys between their ecosystems, and Windows lacks native passkey synchronization, so sync on Windows requires a third-party credential manager. For devices that do not share a sync ecosystem, the hybrid transport (also called cross-device authentication) bridges the gap: the site displays a QR code, the phone holding the passkey scans it, a Bluetooth Low Energy exchange proves the two devices are physically near each other, and the signed assertion is relayed to the browser over an encrypted tunnel. The passkey itself never leaves the phone.
Regarding phishing resistance, the video's claims are strongly supported. Passkeys resist phishing by construction: when you log in, your device signs a server-issued, single-use challenge with a private key that never leaves your device, and the signed data includes the origin the browser actually observed, not the one a page claims. According to Verizon's 2024 Data Breach Investigations Report, phishing has been growing, and passkeys are phishing resistant and secure by design, inherently helping reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. Google reports passkey accounts have a 99.9% lower compromise rate than password accounts. The phishing resistance comes from each passkey being bound to both a user account and a website or application through the Relying Party ID, typically the site's domain. A look-alike domain has a different Relying Party ID, so the authenticator finds no matching credential to sign with, and even an assertion relayed from another site fails the server's origin and Relying Party ID checks.
On device loss and recovery, if a passkey device is lost, users can still access their accounts as long as their passkeys are synchronized across their ecosystem, such as Apple iCloud Keychain, Google Password Manager, or third-party password managers like 1Password, Dashlane, or Bitwarden, which keep passkeys available on every device connected to the same account. A device-bound passkey, by contrast, is lost with the device, and recovery then depends on a second registered credential or on the account's recovery flow. To recover an iCloud Keychain, a user must authenticate with their iCloud account and password, respond to an SMS sent to their registered phone number, and then enter the passcode of one of their previous devices. If you lose your Android device, you can recover your passkeys on a new one by signing in to your Google account and providing the screen-lock PIN, pattern, or password of the lost device. However, the video correctly identifies that passwords often remain as fallback recovery methods, which means an account is only as secure as its weakest authentication path: if you use passkeys but your fallback method is a simple email one-time password (OTP), then your overall security is only as strong as that email OTP.
Passkeys use public key cryptography through the WebAuthn standard to eliminate password vulnerabilities like weak credentials, reuse, and phishing attacks.