Passkeys are replacing passwords—here’s the shift

As phishing and AI-powered attacks raise the stakes for employee logins, passkeys are gaining ground. The FIDO Alliance says billions are already in use globally, and experts argue switching from passwords to passkeys—when available—can cut a major risk withou
The first thing many people do when they’re rushed online is type a password—often more quickly than they read the screen.
But the problem with passwords isn’t just that they can be guessed or reused. It’s that criminals can trick people into handing them over. And lately, that trickery has gotten more aggressive, with phishing and more sophisticated AI-powered hacks making protection feel less like an IT project and more like an everyday necessity.
That’s where passkeys are moving in.
After becoming more widely available in 2022, passkeys have surged in popularity, driven by ease of use and increased security over the traditional password. In a 2026 survey, the FIDO Alliance—credited with driving the development and adoption of passkeys—said some five billion passkeys are now in use globally, and about 90 percent of people are aware of them. The first Thursday in May, once known as World Password Day, has also been rebranded as World Passkey Day.
The momentum matters because phishing attacks are still aimed directly at login credentials, including employee login credentials. Experts say switching from passwords to passkeys whenever possible is one way to reduce the risk of remote phishing attacks.
Eric Sachs, corporate vice president of identity and network access at Microsoft, puts it plainly: “The passkey is a key element—not a magic solution—to eliminating that risk.” He adds, “You’ll still have other cybersecurity problems now with AI, but if you can get rid of the number one risk, you can turn your attention somewhere else.”
Passkeys work much like passwords in one basic sense: they are a mechanism for logging into a website. But instead of being a string of numbers, letters, and symbols created by a person or a password manager to access multiple sites, passkeys are random bytes of data that provide access to only one specific website.
They come with two parts. First is verification from a device (or password manager) that the person attempting to log in is exactly who they say they are. Second is the transmission of the actual passkey to a specific website. Gary Orenstein, chief customer officer at password manager Bitwarden, describes it as a “dedicated handshake between the provider and the user.”
“Part of the passkey protocol is to authenticate that it is you accessing the passkey,” Orenstein adds. “The other part is the exchange with the website. A website that is looking for a passkey will issue what’s called a passkey challenge, and only your passkey is going to solve that.”
How does the login happen in practice? According to Sachs, passkeys rely on proximity to a user’s device. That proximity can be confirmed through biometric data—such as a fingerprint or face scan—or through a complicated PIN, or even Bluetooth.
“Either they are on their phone and then they have to press their finger, or use their camera. There’s a version of passkey that works over Bluetooth,” he says. “Both of them make sure that the person logging in is physically near, and as long as you have that ‘proximity signal,’ then you don’t worry about remote attackers.”
Sachs also says that when users choose biometric verification, that information is stored locally on a device and never leaves it. On privacy, he notes: “there isn’t an explicit need for your passkey provider to remember what sites you’ve been into.”
What problem are passkeys designed to solve? Phishing.
Phishing involves impersonating legitimate people or organizations to pressure victims into supplying credentials. Cybercriminals often spoof websites, creating lookalikes meant to trick victims into entering credentials that criminals then use to steal money or data, or extort organizations.
But according to Jacob Hoffman-Andrews, senior staff technologist and leader of the Let’s Encrypt project at digital privacy nonprofit Electronic Frontier Foundation, a critical shift happens because it’s harder to fool a device or browser than to fool a stressed human.
“It’s a way for your browser to know which credential goes with which website and never send it to the wrong website,” Hoffman-Andrews says. “It’s easy for people who are stressed or in a hurry to type their password into the wrong website. But browsers don’t get stressed, and they don’t get hurried, and they byte-for-byte know exactly which website they are on at all times.”
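The passkey challenge Orenstein describes and the site binding Hoffman-Andrews describes can be seen together in a simplified WebAuthn-style sign-in, sketched here in Node.js. This is an added example, not code from the article or from any vendor quoted in it; the domain names, the function names and the simple suffix rule for matching a site are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator: one key pair per site; the private key stays on the device.
function createPasskey(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Browser + authenticator: the browser, not the user, records which origin it is on.
function signIn(passkey, origin, challenge) {
  const host = new URL(origin).hostname;
  // Simplified site match (assumption): no passkey is offered to a non-matching host.
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authData = SHA-256(site id) || flags (0x05: user present + verified) || counter
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), passkey.privateKey);
  return { clientDataJSON, authData, signature }; // only a signature is sent
}

// Website: checks its own challenge, the origin, the site hash, then the signature.
function verifyAssertion(assertion, expected, publicKey) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale or wrong challenge';
  if (client.origin !== expected.origin) return 'wrong origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'wrong site hash';
  if (!(assertion.authData[32] & 0x01)) return 'user not present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: example.com is the real site, the .test host is a lookalike.
function demo() {
  const passkey = createPasskey('example.com');
  const expected = { rpId: 'example.com', origin: 'https://example.com',
    challenge: nodeCrypto.randomBytes(32) };
  const good = signIn(passkey, expected.origin, expected.challenge);
  const next = { ...expected, challenge: nodeCrypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(good, expected, passkey.publicKey),
    lookalike: signIn(passkey, 'https://example.com.account-check.test', expected.challenge),
    replayed: verifyAssertion(good, next, passkey.publicKey),
  };
}
console.log(demo());
```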
Passkeys also tackle another weak point: the common habit of reusing the same password across multiple websites.
“Orenstein says that people’s tendency to use the same password for numerous websites also exacerbates the damage of phishing attacks—and passkeys solve for that, too,” the article notes. He adds: “One of the best parts about passkeys is that they are specific to an individual user and an individual website.”
The danger with password reuse is clear in the way it lets one stolen login ripple outward: Orenstein describes how many scams begin with phishing for a Google or Apple or Netflix password, and then victims reuse that Netflix password for their bank too.
Passkeys, however, are not presented as a perfect shield. Orenstein says cybercriminals don’t target them as often because the payoff is more minimal than it can be with passwords. Sachs, meanwhile, compares website login credentials to the “front door” of a home: even if passkeys substantially help secure the front door, a platform with other weaknesses won’t be impervious to a cyberattack.
The takeaway is less about understanding every technical detail and more about acting when the option appears. “Passkeys may seem complicated, but the takeaway is simple: If you are given the option to set one up, you should probably take it. Your data and your privacy will thank you.”
So basically they’re just switching the word “password” to something else?
I hate anything that changes every year. I already forget my passwords and now they want me to remember passkeys?? Also isn’t phishing still a thing, like even with this?
The article says it can cut the risk “without…” whatever, but if your phone gets stolen how do you get in? Like aren’t passkeys just passwords but on your device? Seems like a different kind of problem to me.
My cousin said passkeys are somehow connected to your identity or whatever, so if AI is hacking stuff then this will just make it easier for the hackers to use “one key” on you. Idk, just feels like they’re moving the goalposts and calling it safer. Also five billion passkeys sounds fake? Like how are they counting that.