Every time we log in to an account or unlock a device, we’re required to prove that we’re authorized to access it. Historically, that proof has taken the form of a password: a secret string that we need to memorize, or store in a password manager.
A passkey differs from a password in that it ties access to something you physically possess — a cryptographic token stored on your phone, laptop, or security key — along with a biometric factor, such as a fingerprint or facial scan.
A common way to describe the difference is:
- Password = something you know
- Passkey = something you have + who you are
While both methods grant you access, the ways they achieve that goal differ and can significantly impact security and usability.
What is a passkey?
A passkey is like a password that lives on your device and can be checked by the accounts you’re logging in to using cryptography. Passkeys are based on the FIDO2 standard (defined by the FIDO Alliance) and the WebAuthn API.
Here’s how it works:
When a passkey is created, your password manager generates a paired set of cryptographic keys: a public key and a private key.
- The public key is shared with the service you’re registering with.
- The private key remains on your password manager or device and never leaves it.
During a login attempt, the service issues a random challenge. Your device signs that challenge with the private key, producing a response that only the holder of that private key could generate. The service then verifies the signature with the public key it stored at registration, confirming that you are the legitimate account holder.
Because the private key never leaves your device, a phishing site can’t trick you into handing it over, making passkeys intrinsically phishing‑resistant.
Security comparison: Passkey vs password
Whether you use a password or passkey depends on a variety of factors. Not every website offers passkeys as an option. But for websites that do, there are several reasons to consider switching over.
Passkeys are considered safer than passwords because the secret key never leaves your device. Even if someone tricks you with a fake site, intercepts network traffic, or attempts a brute-force attack, they can’t get the private key — it’s kept inside your phone, computer, or a security‑key dongle. As long as you protect the device with a PIN, fingerprint, or another form of two-factor authentication (2FA) and have a reliable recovery method, a passkey gives you a stronger, more phishing‑proof security setup than a regular password.
| Feature | Passkeys | Passwords |
| --- | --- | --- |
| Authentication method | Public-key cryptography (private key stored on device) | Secret string memorized by user |
| Phishing resistance | High | Low |
| Recovery options | Device backup, account recovery flow | Reset via email, security questions |
| User experience | Biometrics or PIN | Typing or autofill |
| Compatibility | Growing | Universal support |
| Reuse vulnerability | Always unique per site | Common issue |
Passkey usability and user experience
Aside from the security advantages of using a passkey, there are other benefits:
- Passkeys make logging in faster because the authentication flow is reduced to a single tap or glance, removing the friction of manually entering passwords or resetting forgotten passwords.
- Many password managers can securely sync passkeys across your devices. As a result, a passkey created on a smartphone can be used on a laptop, tablet, or another phone without requiring a fresh registration. Proton Pass works on any platform or device, so you can use passkeys on any website that supports them.
Passkey drawbacks and edge cases
While passkeys offer strong security and a frictionless login experience, they’re not a silver‑bullet solution. There are still some situations where using a passkey might present challenges.
Device loss and recovery
If the device your passkey is stored on is lost, stolen, or damaged, you’ll have to rely on backup mechanisms to regain access. Recovering a passkey often requires a secondary device or a recovery phrase, so if you don’t have a well‑designed recovery flow, you risk losing access to your accounts.
Adoption gaps
Some websites and applications haven’t implemented the WebAuthn/FIDO2 standards that power passkeys. Even among those that do, passkey support may be limited to certain ecosystems or operating systems.
Older hardware limitations
Legacy devices, such as older smartphones, laptops without biometric sensors, or browsers that lack WebAuthn support, cannot generate or store passkeys.
When do I still need a password?
In addition to having a password set up as a fallback, there are some situations where a traditional password is necessary as your primary access method.
1. Sites without passkey support
Until passkey adoption is widespread, you may still need to rely on passwords for some sites. In this case, you can set up 2FA methods such as an OTP to increase security.
2. Public or shared computer scenarios
If you’re not using your own device, entering a password (ideally combined with 2FA) allows temporary access without leaving persistent credentials behind.
3. Organizational policies and compliance requirements
Company regulations, including government or financial standards, may require multi‑factor setups that still include a password component, or mandate periodic password rotation for audit purposes. Additionally, corporate single sign‑on (SSO) solutions sometimes integrate passkeys only as an optional factor, with passwords remaining the primary credential.
How to adopt passkeys
Switching to passkeys is relatively simple.
1. Enable passkey support in your operating system
2. Download a password manager
   - Choose a password manager that supports passkey storage, such as Proton Pass.
3. Add passkeys to your password manager
   - Import existing passkeys or create new ones directly from the app.
4. Register passkeys on supported services
   - When you sign up or log in to a site that offers “Sign in with Passkey,” select that option.
5. Set up a recovery method
   - Enable a secondary device to store a copy of the passkey, and take note of any recovery phrase the service provides.
FAQ
Can I use a passkey if I don’t have a password manager?
Yes, you can. Most modern operating systems store passkeys locally (iCloud Keychain on Apple devices, Google Password Manager on Android, Windows Hello on Windows). A dedicated password manager can simplify cross‑device syncing and provide an extra backup layer, but it isn’t required to use passkeys.
Can I use passkeys on older devices?
Passkeys require the operating system and browser to support the WebAuthn/FIDO2 standards. Modern platforms (iOS 15+, Android 14+, recent macOS, Windows 10 1903+, and up‑to‑date Chrome/Edge/Firefox/Safari) work out of the box. Older phones, legacy browsers, or pre‑iOS 15/Android 13 devices lack that support, so you wouldn’t be able to use a passkey on those devices.
What’s the difference between a passkey and a physical token?
A passkey is a credential stored on a device or in a password manager and synced securely across your devices. A physical token (for example, a YubiKey) is a standalone hardware key you need to insert into your device. A physical token doesn’t store the private key on the host device, which offers isolation, but requires you to carry the token and manage backups. Both options provide password‑less, phishing‑resistant authentication, but passkeys prioritize convenience and sync, while physical tokens prioritize hardware isolation.
Can I use a passkey on my Windows PC?
Yes, modern Windows 10/11 builds support passkeys via Windows Hello. After enabling “Passwordless sign‑in” in Settings, you can register and authenticate with a fingerprint, facial recognition, or a PIN that unlocks the private key stored in the trusted platform module (TPM). A TPM is a tiny, tamper‑resistant chip built into most modern PCs, laptops, and some tablets. Its purpose is to provide a hardware root of trust for security‑critical operations.
What happens if I lose my phone?
If your phone holds the only copy of a passkey, you’ll need a pre‑configured backup method to recover access. This is usually another device, a password manager, or a recovery phrase provided by the service. Without a backup, you’ll have to follow the service’s account‑recovery flow.