Passkeys: How to Finally Stop Using Passwords (and SMS Codes)
Back in 2022 I wrote about why SMS-based two-factor authentication needed to die: SIM swapping, SS7 interception, and plain old phishing all defeat it. The replacement I hoped for has since arrived and matured — passkeys — and every major platform now supports them. This is what they are, why they're genuinely better rather than just newer, and how to set them up today.
01 — What a Passkey Actually Is
A passkey is a cryptographic key pair created under the FIDO2/WebAuthn standards. When you create a passkey for a website, your device generates two mathematically linked keys: a public key that the website stores, and a private key that stays with you. On a hardware security key or a device-bound credential, the private key never leaves the device's secure hardware (the TPM on a Windows PC, the Secure Enclave on Apple devices). A synced passkey is copied between your own devices, but only in end-to-end encrypted form, so neither the sync provider's servers nor the website ever see it.
When you sign in, the site sends a fresh random challenge, your device signs it with the private key after you unlock it with your fingerprint, face, or PIN, and the site verifies the signature with the public key. Each challenge is used once, so a captured response cannot be replayed, and no shared secret ever travels over the network.
💡 Plain English: a password is a secret you tell the website every time you log in — and anyone who overhears or tricks you gets in too. A passkey is more like a signature ring: the website only ever holds a way to check your signature, never the ring itself.
02 — Why This Beats Everything You're Using Now
- Phishing-resistant by design. A passkey is cryptographically bound to the real website's domain. A fake login page at rnicrosoft-login.com can't request the passkey for microsoft.com — the browser simply won't offer it, and because the page's origin is part of what the device signs, a response relayed through a fake page fails verification at the real site. This kills the attack that defeats passwords, SMS codes, and even authenticator-app codes: users can be tricked into typing those onto a fake page, and there is nothing to type with a passkey.
- Nothing useful to steal in a breach. When a website is breached, attackers get your public key — which is useless without the private half on your device.
- No SIM to swap. Your phone number is no longer part of your security at all.
- Faster. A fingerprint tap is quicker than typing a password and then a six-digit code.
03 — Where Your Passkeys Live
Passkeys sync inside an ecosystem so a lost phone doesn't lock you out:
- Google Password Manager — syncs across Android devices and Chrome.
- Apple iCloud Keychain — syncs across iPhone, iPad, and Mac, end-to-end encrypted.
- Windows Hello — stores passkeys on the PC, protected by the TPM; Windows 11 can also sync them through your Microsoft account.
- Password managers — Bitwarden, 1Password, Dashlane and others store passkeys and sync them across every platform, which is the practical choice if you live in more than one ecosystem.
- Hardware security keys (YubiKey and similar) — the passkey lives on the physical key. Maximum security, no cloud sync; best for your most critical accounts.
Cross-device sign-in is handled neatly: signing in on a borrowed or new computer pops up a QR code, you scan it with your phone, the phone confirms over Bluetooth that it is physically next to that computer, and the signed response is relayed back to the browser over an encrypted channel — your passkey never transfers to the strange machine.
04 — Set Up Passkeys on Your Big Three Accounts
Google account
- Go to myaccount.google.com → Security → How you sign in to Google → Passkeys.
- Click Create a passkey and approve with your device's unlock method. Android phones signed into your account may already have one.
- While you're there: scroll to your recovery options and remove your phone number as a sign-in/2FA method once the passkey works.
Microsoft account
- Go to account.microsoft.com → Security → Advanced security options (or Manage how I sign in).
- Choose Add a new way to sign in → Use your face, fingerprint, PIN, or security key and follow the prompts — on a Windows 11 PC this registers a Windows Hello passkey.
- Microsoft also lets you go fully passwordless: under Additional security, you can remove the password from the account entirely. With no password, there is nothing to phish or stuff.
Apple ID
- On iOS 17 / macOS Sonoma and later, Apple signs you in to your Apple ID with a passkey automatically, with no setup step. For other sites, Safari offers to save a passkey when a site supports it; they live in Settings → Passwords (the Passwords app on iOS 18 / macOS Sequoia), backed by iCloud Keychain.
Beyond the big three, check the security settings of anything important to you — banking apps, Amazon, PayPal, GitHub, social platforms. Passkey support has spread to most major services; the setting is usually called "Passkeys" or "Security keys" under account security.
05 — The Honest Limitations
I won't pretend the transition is frictionless. Know these going in:
- Most sites keep your password active after you add a passkey, as a fallback. That means your account is only as phishing-proof as its weakest sign-in method. Where the option exists (Microsoft, notably), remove the password; where it doesn't, keep a long random password in a manager and treat the passkey as your daily driver.
- Ecosystem lock-in is real. Passkeys saved to iCloud Keychain don't natively move to Google's manager. If you switch platforms regularly, store passkeys in a cross-platform password manager from day one.
- Account recovery still matters — maybe more. If you lose every device holding your passkeys, recovery falls back to whatever options the account has. Set up recovery codes where offered, print them, and store them somewhere physical. For critical accounts, register a second passkey on a hardware key kept in a drawer.
- Shared and corporate machines are clunkier — the QR-code flow works but adds a step. In managed environments, FIDO2 hardware keys are usually the cleaner deployment.
06 — Your Migration Plan
- Step 1: Add passkeys to your email accounts first — email is the recovery hub for everything else.
- Step 2: Add passkeys to financial accounts and your password manager itself (if it supports passkey unlock).
- Step 3: Remove SMS as a 2FA/recovery method everywhere a passkey or authenticator app now exists.
- Step 4: Generate and physically store recovery codes for the accounts in steps 1–2.
- Step 5: Adopt passkeys opportunistically — whenever a site offers to create one at login, say yes.
🔒 Bottom line: passkeys are the first authentication upgrade that is simultaneously more secure and more convenient than what it replaces. The attack that compromises most accounts — tricking a human into typing a secret on the wrong page — simply doesn't apply. Start with your email account tonight; it takes two minutes.