How to Set Up Passkeys in 2026 (Step-by-Step)

TL;DR: To set up passkeys, go into the security settings of each account (Google, Apple, Microsoft, etc.), choose "Create a passkey," and confirm with your device's screen lock — fingerprint, face, or PIN. No password involved, no shared secret to steal. Takes under a minute per account.

If you've been putting off passkeys because it sounds like another security fad, here's the short version: it isn't. A passkey is a cryptographic key pair generated on your device — the private half never leaves it, ever, not even to sync "in the clear." There's nothing sitting on a server for an attacker to phish or steal in a breach, because the server only ever holds a public key that's useless without its private counterpart. I've moved my own Google, Microsoft, and GitHub logins to passkeys over the past year, and the only real friction was the first ten minutes of setup. This guide walks through how to set up passkeys on the accounts that matter most, plus the parts nobody tells you until you've already locked yourself out once.

What Is a Passkey, Actually?

A passkey is a FIDO2/WebAuthn credential: a public-private key pair tied to one specific website or app. When you register, your device generates the pair and hands the site the public key. When you sign in, the site sends a challenge, your device signs it with the private key using your fingerprint, face, or PIN to unlock it, and the site verifies the signature against the public key it already has. Nothing you type or transmit can be replayed on a different site, which is what makes passkeys phishing-resistant in a way that passwords — and even SMS codes — simply aren't.

The private key either stays "device-bound" (locked to one physical device or hardware security key) or gets encrypted and synced through a passkey manager like Apple's iCloud Keychain (now called Passwords), Google Password Manager, Microsoft Password Manager, or a third-party vault like 1Password or Bitwarden. Syncing is what makes passkeys usable day to day — without it, losing your phone means losing every passkey on it.

Passkeys vs. Passwords: What Actually Changes

Factor Password Passkey
Stored on server as Hash (crackable if weak/leaked) Public key only (useless alone)
Phishable Yes — can be typed into a fake site No — bound to the real site's origin
Reusable across sites Often, by mistake Never — unique key pair per site
Vulnerable to credential-stuffing Yes No
Requires memorization Yes No — device unlock replaces it
Works offline for local unlock N/A Yes, unlock is local; the sign-in exchange still needs a network round trip

One thing worth being honest about: passkeys don't remove the account-recovery problem, they relocate it. If someone can unlock your phone, they can use whatever passkeys are on it — so your device's screen lock is now doing double duty as your account security. Treat it accordingly: a real PIN or biometric, not "swipe to unlock."

What You Need Before You Start

  • A device with a screen lock configured — PIN, fingerprint, or face unlock. No screen lock, no passkey.
  • An up-to-date OS and browser. Windows 10 or 11 with Windows Hello set up, iOS 16+/macOS Ventura+ with two-factor authentication turned on for your Apple Account, or a current Android build.
  • A decision on where passkeys will live: your platform's built-in manager (simplest if you're all-in on one ecosystem) or a cross-platform vault like 1Password or Bitwarden (better if you mix an iPhone with a Windows PC, or switch browsers a lot). The cryptography is identical either way — this choice only affects sync, not security.

Quick sanity check before you start: open your browser's dev tools console (F12) on the site you're about to set up and run this. If it comes back true, the browser and device can do passkeys; if false, update your OS/browser first.

if (window.PublicKeyCredential &&
    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable) {
  PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
    .then(available => console.log('Platform authenticator available:', available));
} else {
  console.log('WebAuthn platform authenticator API not supported here.');
}

How Do I Set Up a Passkey on My Google Account?

  1. Go to myaccount.google.com/security.
  2. Scroll to "How you sign in to Google" and select Passkeys and security keys.
  3. Confirm your identity with your current password if prompted.
  4. Click Create a passkey, then confirm with your device's screen lock.

Two things that trip people up here. First, a newly created passkey can take up to seven days before Google fully trusts it for sign-in on new devices — this is a fraud-prevention delay, not a bug. Second, if you're on a Google Workspace account through school or work, your admin may not allow passkey-only sign-in even after you create one; check the "Skip password when possible" setting to see what your org allows.

How Do I Set Up a Passkey on My Apple ID?

  1. Make sure iCloud Keychain is on: Settings > [your name] > iCloud > Passwords, then toggle Sync this device. Two-factor authentication must already be enabled for your Apple Account — passkeys won't work without it.
  2. To create a passkey for the Apple ID sign-in itself, go to the Apple ID sign-in page, enter your Apple ID, and choose Sign in with Passkey if offered, or manage it from Settings > Passwords on your iPhone or iPad.
  3. For any other website or app, sign in with your existing password, go to account settings, and look for a "save a passkey" or "set up passkey" prompt — confirm with Face ID, Touch ID, or your device passcode.

Apple's passkeys live in iCloud Keychain, encrypted end-to-end — Apple itself can't read them. If you ever lose every Apple device, recovery works through a designated Recovery Contact or iCloud Keychain escrow, which asks for your device passcode and an SMS confirmation to a trusted number. Set up a recovery contact now, not after you've dropped your only iPhone in a lake.

How Do I Set Up a Passkey on My Microsoft Account?

The path differs depending on whether it's a personal Microsoft account or a work/school (Entra ID) account — mixing these up is the single most common source of confusion I see.

Personal Microsoft account

  1. Go to account.live.com/proofs/manage (Advanced Security Options).
  2. Select Add a new way to sign in or verify, then choose Passkey.
  3. Pick where to save it — Windows Hello on this PC, a physical security key, or a synced manager like Microsoft Password Manager — then confirm with your unlock method.

Work or school (Microsoft Entra) account

  1. Sign in and go to mysignins.microsoft.com/security-info.
  2. Select Add sign-in method > Passkey, then Add.
  3. Choose Windows Hello, a security key, or an authenticator app, and follow the prompts.
If "Passkey" doesn't show up as an option on a work or school account, that's an org policy setting, not something broken on your end — your IT admin has to enable passkey sign-in in the Entra ID authentication methods policy first. Don't burn an hour troubleshooting a permission you don't control.

One Windows-specific gotcha: if your PC is Entra-joined or Entra-registered, setting up Windows Hello may already register a Windows Hello for Business credential for your account. Try to add a passkey for that same account afterward and you'll get an "already registered" error on retry — that's expected, not a failure on your part.

Should I Use a Third-Party Passkey Manager Instead?

If you're locked into one ecosystem — all Apple, all Google, all Microsoft — the built-in manager is fine and one less app to trust. If you regularly cross ecosystems (iPhone plus a Windows laptop, or you switch browsers depending on task), a cross-platform vault like 1Password or Bitwarden avoids the "my passkey is stuck on my old Android phone" problem. Windows 11 added an API in late 2024 for third-party passkey providers to plug into the native Windows Hello prompt, so 1Password and Bitwarden integrate directly rather than feeling bolted on.

Don't create the same passkey twice through two different managers "just in case" — most credential managers only allow one passkey per site per account anyway, and duplicating across managers just makes troubleshooting sign-in errors harder later.

What Happens If I Lose the Device With My Passkey?

This is the question people skip until it's too late, so plan it before you need it:

  • Synced passkeys (iCloud Keychain, Google Password Manager, Microsoft Password Manager, 1Password, Bitwarden) survive losing one device — sign in to the manager on a new device and the passkey is still there.
  • Device-bound passkeys (stored only in Windows Hello on one PC, or on a single hardware key) die with the device. This is why it's worth registering a second passkey — on your phone, or on a spare hardware key like a YubiKey — for any account where losing access would be a real problem: your primary email, your password manager itself, and your most important financial or work logins.
  • Keep your account's backup codes somewhere durable (printed, in a safe, not a screenshot on the same phone) as a last resort.

Common Setup Problems (and What They Actually Mean)

  • "Passkey option not showing at sign-in" — usually means the device's screen lock is off, or (on Workspace/Entra accounts) an admin policy hasn't enabled passkey-only sign-in yet.
  • "Something went wrong" during creation — most credential managers allow only one passkey per site per account; check whether one already exists before creating a duplicate.
  • QR code for cross-device sign-in never appears — Bluetooth needs to be on for both devices, and both need internet access (they don't need to share a network).
  • "We couldn't use your device to verify your identity" — the passkey is no longer valid on that device, often after a PIN or biometric change. Set up a fresh passkey and delete the stale one.

FAQ

Do I still need a password if I set up a passkey?

Usually yes, at least for a while. Most services keep your password as a fallback unless you explicitly opt into passkey-only sign-in, and some organizational accounts don't allow full password removal at all.

Can someone steal my passkey the way they'd steal a password?

Not remotely. The private key never leaves your device or your synced vault, so there's no server-side database to breach and no string of text to phish. The realistic risk shifts to physical device compromise — if someone unlocks your phone, they can use whatever passkeys live on it.

Do passkeys work without an internet connection?

Unlocking the passkey locally (Face ID, fingerprint, PIN) doesn't need a connection, but completing sign-in does — the site still has to verify the signed challenge over the network.

What if a website doesn't support passkeys yet?

You'll keep using your existing password and MFA there. Passkey support varies by site; there's no way to force it from your end.

Is a passkey the same as a hardware security key?

Related but not identical. A hardware key (like a YubiKey) is one place a passkey can live — the most phishing-resistant option, since the private key never touches your phone or laptop at all. Most people use a synced software passkey instead, which is still far stronger than a password.