No technical background required. By the end of this guide you will understand exactly what a passkey is, how it compares to your current passwords, and what to do about it today.
If you have been seeing the word "passkey" pop up when you log into Google, Apple, your bank, or your accounting software, this guide is for you.
A passkey is a login credential that replaces your password entirely. Instead of typing a secret string of characters, your device generates a unique cryptographic key pair when you create a passkey for a site.
- Public key: Sent to and stored by the website. It is useless on its own — it can verify your identity but cannot be used to impersonate you.
- Private key: Stays on your device — your phone, laptop, or tablet — and never leaves it. Ever. The website never sees it.
When you log in, the website sends your device a challenge. Your device signs that challenge using your private key, but only after you confirm your identity locally — with your fingerprint, face, or device PIN. The website checks the signature using the public key it already has. If it matches, you are in.
Your private key never travels over the internet. The website never sees it. There is nothing to intercept in transit and nothing stored on a server that could unlock your account if stolen.
The underlying technology is called FIDO2/WebAuthn, developed by an industry alliance whose explicit goal was to replace the password as a concept — not improve it, but replace it.
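To make the challenge-and-signature exchange above concrete, here is an added Go model of both sides of a passkey login (example code written for this guide, not taken from the WebAuthn specification or from any passkey product). It assumes a single-account website, uses Ed25519 in place of the more common P-256 keys, and reduces WebAuthn's clientDataJSON to just the challenge and the origin; `bank.example` style names in comments are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// clientData stands in for WebAuthn's clientDataJSON; the browser, not the website, fills in the real origin.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign is the device's half of a login. The private key was generated on the device (ed25519.GenerateKey)
// and never leaves it; Sign refuses unless the user verified locally (fingerprint, face or PIN on a real device).
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte, userVerified bool) (cd, sig []byte) {
	if !userVerified {
		return nil, nil
	}
	// The origin is part of what gets signed, so a signature made on a look-alike site names that site.
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(priv, cd)
}

// RelyingParty is the website's view of one account: the registered public key and its outstanding challenge.
type RelyingParty struct {
	Origin    string
	PubKey    ed25519.PublicKey // all a database breach could expose; it cannot produce signatures
	challenge []byte
}

// NewChallenge issues 32 fresh random bytes that are valid for a single login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}

// Verify accepts a signature only over this site's outstanding challenge and its own origin.
func (rp *RelyingParty) Verify(cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || rp.challenge == nil ||
		string(c.Challenge) != string(rp.challenge) || c.Origin != rp.Origin {
		return false
	}
	rp.challenge = nil // consumed on first use, so a captured response cannot be replayed
	return ed25519.Verify(rp.PubKey, cd, sig)
}
```

A genuine login verifies once; the same response replayed, a signature produced for a look-alike origin, a device where local verification failed, and a signature from any other key are all rejected.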
The three most common ways personal accounts get compromised are phishing (you type your password on a fake site), credential stuffing (attackers use passwords stolen from one site on others), and database breaches (a site you use gets hacked and your password is exposed). Passkeys neutralize all three. You cannot be phished out of a credential you never type. A database breach exposes only the public key, which is mathematically useless without your device.
For small business owners — and especially those whose work involves access to client financial data, payroll systems, and banking integrations — this matters more than average. Your QuickBooks Online login, your Microsoft 365 account, your bank portal: these are high-value targets. A staff member with a passkey-protected account cannot have their credentials stolen by a phishing email, cannot accidentally reuse a compromised password, and cannot be fooled by a convincing fake login page.
The core security shift: Passwords are shared secrets — both you and the website know the secret, which means either end can be compromised. Passkeys eliminate the shared secret entirely. Only your device can prove ownership, and only after you authenticate locally. The attack surface shrinks dramatically.
A strong password — long, unique, randomly generated — is still vastly better than a weak one. But a strong password is still a shared secret. It exists as data somewhere: on the website's server, in your password manager, and in transit when you type it. A passkey changes the architecture entirely.
| Factor | Strong Password | Passkey |
|---|---|---|
| Phishing risk | High — can be stolen on a fake site | None — nothing to type or intercept |
| Breach risk | Medium — hash may be crackable | None — public key alone is useless |
| Brute force risk | Exists for weak passwords | None — no string to guess |
| Memorization needed | Yes | No |
| MFA built in | No — requires separate MFA step | Yes — device + biometric combined |
| Device required | No | Yes |
| Hardware protection | No — exists as exportable data | Yes — secure enclave, cannot export |
Using a password manager like 1Password or Bitwarden to generate and store strong unique passwords is an excellent practice. You should keep doing it. Here is how passkeys fit into that picture:
1Password now supports passkeys. You can store and sync passkeys through 1Password, which means your workflow does not change dramatically. Passkeys appear in your vault alongside passwords and autofill the same way.
The meaningful security difference: A password stored in 1Password exists as encrypted data. If your vault were somehow compromised, that data could theoretically be decrypted and used. A passkey's private key is stored in your device's secure enclave — a dedicated hardware chip designed so the key can be used for signing but cannot be exported. Not by 1Password, not by your operating system, not by anyone.
In practice: Use passkeys on every site that supports them, stored in 1Password so they are available across your devices. Use strong generated passwords (still in 1Password) for everything else. You are not choosing between them — you are layering the best of both.
Yes — for now. Passkey support is still maturing. Not every site supports them. If you lose your device, are traveling, or need to log in from an unfamiliar computer, your password remains your fallback.
The right setup today:
Passkey is your front door. Strong password is the spare key stored safely in the drawer. As support matures and recovery flows improve, the backup password will eventually become unnecessary — but we are not quite there yet.
| ✓ Advantages | ✗ Considerations |
|---|---|
| Phishing-proof — nothing to steal on a fake site | Device-dependent — lost device complicates access |
| Breach-resistant — public key alone is useless | Uneven platform support — not all sites offer passkeys yet |
| No memorization or typing required | Credential sharing is harder — no simple copy/paste |
| MFA built in — device + biometric combined | Recovery flows still maturing across platforms |
| Private key lives in secure hardware enclave | Business/shared accounts require individual passkeys per user |
| Faster login — tap or glance replaces typing | Older devices may not support secure enclave features |
1. Your email, accounting software, bank, and any account connected to client or financial data. These are the ones that matter most if compromised.
2. Google, Apple, Microsoft, GitHub, and PayPal already support passkeys fully. The option is usually found under Security or Sign-in settings.
3. 1Password supports passkeys natively. This ensures you can use them across all your devices without being locked to one phone or laptop.
4. Do not delete your passwords. Keep them current in your password manager and treat them as your recovery fallback.
5. For each passkey-protected account, know how you would get back in if you lost your device: backup codes saved securely, or a fallback password in your vault.
6. If you have staff accessing business systems, walk them through passkey setup. The concept is unfamiliar but the process is simple. A few minutes of explanation will pay for itself many times over.
No — not directly. A passkey is tied to the specific device or password manager that created it. There are two clean solutions: register a separate passkey per person (most sites allow multiple passkeys per account), or use a shared vault in a password manager that supports passkeys so both people can access the same credential through the vault.
Never share a device PIN or biometric bypass as a workaround. That defeats the security model entirely.
Yes — but only if the passkey was stored in a synced manager rather than locked to a single device. Where it ends up depends on where you chose to save it when you created it:
| Saved to... | Available on... |
|---|---|
| Password manager (e.g. 1Password) | Any device where you are signed into that password manager |
| Google Password Manager | Any device signed into the same Google account — Android, Windows/Chrome, Chromebook |
| Apple iCloud Keychain | Apple devices only (iPhone, iPad, Mac) on the same Apple ID |
| Windows Hello (device-only) | That Windows PC only — does not sync anywhere. Avoid for any account you access from more than one place. |
Yes — and this is one of the smoothest passkey setups available today. Google Password Manager syncs passkeys automatically across every device signed into your Google account. Create a passkey on Windows in Chrome, and it will be available on your Android phone the next time you open that site. No extra steps required.
When saving a new passkey, always choose your Google account or password manager — not "this device only." That one choice determines whether your passkey is available everywhere or stuck on one machine.
It depends on where your passkeys were stored. If stored in Google Password Manager or 1Password, sign into your account on the new device and all passkeys restore automatically — exactly like your saved passwords. If stored in Apple iCloud Keychain, sign into your Apple ID during setup and they restore as part of iCloud. If stored with Windows Hello on a specific PC only, those passkeys do not transfer and the device being gone means the passkeys are gone — use your fallback password to get back in and register a new passkey.
Passkeys handle this better than most people expect. Most modern browsers support a cross-device authentication flow: on the unfamiliar computer, choose the passkey login option and select "use a different device." The computer displays a QR code. Scan it with your phone, confirm with your fingerprint or PIN, and the computer receives the authentication signal. Nothing about your passkey is transferred to that machine.
If that feels too cumbersome in the moment, use your password as the fallback. That is exactly what it is there for.
Passkeys are the most meaningful security improvement available to ordinary users right now — and one of the rare cases where better security also means a faster, easier experience. Enable them where you can, keep your password manager running alongside them, and plan for device recovery. You do not have to do everything at once. Start with your most important accounts and work outward.
Reach out — we're happy to talk through security practices and how we protect your financial information.