Passwords are a mess.
They are hard to remember, easy to reuse, annoying to type, and constantly being stolen in data breaches.
For years, the advice has been:
Use strong passwords.
Use unique passwords.
Use a password manager.
Turn on two-factor authentication.
That is still good advice.
But there is now a newer option that may eventually replace passwords for many accounts.
It is called a passkey.
And the best part is this: you may already know how to use one.
If you can unlock your phone with Face ID, Touch ID, your fingerprint, or your screen passcode, you can use a passkey.
What Is a Passkey?
A passkey is a safer way to sign in to a website or app without typing a password.
Instead of entering a password, you prove it is really you by unlocking your device.
That might mean:
Face ID
Touch ID
Fingerprint
A phone PIN
A computer password
A screen lock
Google describes passkeys as a way to sign in with a fingerprint, face scan, or screen lock instead of a traditional password. Apple says passkeys can replace passwords for supported websites and apps on iPhone.
So instead of this:
Go to website
Type email
Type password
Get text code
Enter code
Hope nothing goes wrong
It becomes more like this:
Go to website
Confirm it is you with Face ID or your device lock
You are in
That is the idea.
Simple for you.
Much harder for scammers.
Why Passkeys Are Safer Than Passwords
Passwords have one big weakness:
They are secrets you type into websites.
That means they can be stolen, guessed, reused, leaked, phished, copied, or accidentally given away.
Passkeys work differently.
A passkey is created for a specific website or app. It is not something you memorize. It is not something you type. And it is not something you can accidentally paste into a fake login page.
The FIDO Alliance, the industry group behind passkey standards, describes passkeys as cryptographic credentials tied to your account on a website or application. Microsoft explains that passkeys are phishing-resistant because they are associated with a specific website or app domain. A passkey created for one real site cannot simply be handed to a fake lookalike site.
That is a big deal.
Because most account theft starts with one of three things:
A stolen password
A reused password
A fake login page
Passkeys help with all three.
A Simple Example
Let’s say a scammer sends you an email that looks like it came from your bank.
The email says:
“Urgent: Your account has been locked. Click here to verify.”
You click.
The fake site looks real.
If you use a password, you might accidentally type it in.
Now the scammer has it.
But with a passkey, your device checks whether the website is the real one. If the fake website is not the correct domain, your device should not offer the real passkey for that account. That is why passkeys are considered resistant to phishing.
That does not mean you should click suspicious links.
But it gives you a much stronger safety net.
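For readers who want to see the domain check in action, here is a small simulation of how a passkey is tied to one website's domain and why a lookalike page gets nothing. It is an added example, not code from Google, Apple, Microsoft, or the FIDO Alliance; the domains, the stored passkey, and the function names are made up for illustration, and the signature step of a real passkey login is left out.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample data (not from the newsletter): one passkey saved on the
# device for the real bank, whose relying-party (RP) ID is "mybank.example".
PASSKEY_STORE = {"mybank.example": ["passkey-for-alice"]}
EXPECTED_ORIGIN = "https://login.mybank.example"
EXPECTED_RP_ID = "mybank.example"


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser rule: a page may only name an RP ID that is its own host or a
    parent domain of it, and only over HTTPS. Simplified: real browsers use
    the Public Suffix List; here only single-label IDs are refused."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower()
    if parts.scheme != "https" or not host or "." not in rp_id:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def offer_passkeys(origin: str, requested_rp_id: str) -> list:
    """Passkeys the device would offer to the page loaded from `origin`."""
    if not rp_id_allowed(origin, requested_rp_id):
        return []  # page asked for a domain it does not belong to
    return list(PASSKEY_STORE.get(requested_rp_id.lower(), []))


def server_accepts(client_origin: str, rp_id_hash: bytes) -> bool:
    """Relying-party check: the origin the browser recorded and the SHA-256 of
    the RP ID the authenticator used must both match. In WebAuthn both values
    are covered by the passkey's signature; verifying it is omitted here."""
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    return client_origin == EXPECTED_ORIGIN and rp_id_hash == expected_hash


if __name__ == "__main__":
    real_hash = hashlib.sha256(b"mybank.example").digest()
    for origin, rp_id in [
        ("https://login.mybank.example/signin", "mybank.example"),   # real site
        ("https://mybank.example.evil.test/login", "mybank.example"),  # lookalike
        ("https://mybank.example.evil.test/login", "evil.test"),     # its own ID
    ]:
        print(origin, "->", offer_passkeys(origin, rp_id))
    print(server_accepts("https://login.mybank.example", real_hash))
    print(server_accepts("https://mybank.example.evil.test", real_hash))
```

The lookalike page comes up empty both ways: it is not allowed to ask for the bank's domain, and the device holds no passkey under the page's own domain.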
Do Passkeys Replace 2FA?
Sometimes, yes.
Sometimes, no.
It depends on the website or app.
Some services let a passkey replace both the password and the second factor. Others use passkeys as one part of the login process. Microsoft notes that passkeys can serve as a multifactor authentication method when combined with device biometrics or a PIN.
Here is the plain-English version:
A passkey is usually better than a password.
A passkey plus good account recovery settings is even better.
And for now, you should still keep your password manager.
We are in the transition period. Some sites support passkeys. Some do not. Some support them well. Some still make the experience confusing.
That is normal.
You do not need to switch everything today.
Where Should You Start?
Start with your most important accounts.
Your email account.
Your Apple, Google, or Microsoft account.
Your password manager account, if supported.
Your financial accounts, if supported.
Your social media accounts, if supported.
Why email first?
Because your email account is the reset button for your life.
If a scammer gets into your email, they can often reset passwords for your bank, shopping, social media, cloud storage, and other accounts.
So if your email provider offers passkeys, that is a smart place to start.
What to Do Right Now
1. Turn on a passkey for one major account
Start with Google, Apple, Microsoft, or another account you use every day.
Do not try to fix your entire digital life at once.
Just set up one.
2. Keep your password manager
Passkeys are growing, but passwords are not gone yet.
You still need strong, unique passwords for accounts that do not support passkeys.
3. Protect your device lock
Your passkey depends on your device being secure.
Use Face ID, Touch ID, fingerprint, or a strong screen passcode.
Do not use an easy PIN like 0000, 1111, 1234, or your birth year.
4. Do not delete old login methods until you understand recovery
Before removing a password or old 2FA method, make sure you know how account recovery works.
Ask yourself:
If I lose my phone, can I still get back in?
If I replace my laptop, will my passkeys sync?
Do I have recovery options set up?
This is boring, but important.
📌 Quick Takeaways
🔑 Passkeys are a safer way to sign in. You use your device lock instead of typing a password.
🎣 They help protect against phishing. A fake website should not be able to use the passkey for the real website.
🔁 They reduce password reuse risk. There is no password for you to reuse across five different sites.
📱 Your phone or computer becomes part of the login. That is why your device lock matters.
🧰 Keep your password manager for now. Passkeys are growing, but passwords are not gone yet.
✅ Bottom Line
Passwords are not disappearing overnight.
But the direction is clear.
Passkeys are easier for normal people and harder for scammers.
You do not need to become a security expert. You do not need to memorize anything new. You do not need to understand the technical details.
Start with one important account.
Set up a passkey.
Get comfortable with it.
That is how password safety gets easier.
Until next time — stay private, stay safe.
— Peter Oram
Chief Cyber Safety Evangelist





