If you're tired of struggling with passwords, passkeys are a godsend: they're modern credentials that let you log in with biometrics or a PIN without having to memorize anything. The idea is to say goodbye to traditional passwords and gain in both safety and comfort.
In this guide you will understand what they are, why they are more secure, how to activate and manage them in the main systems and services, and what to do if something goes wrong. We integrate approaches from Google, Apple, Microsoft, practical guides, and real-world scenarios. (including its application in organizations like Soyio or in environments with restricted Bluetooth) so that you go out with everything you need.
What are passkeys and how do they work?
A passkey is a digital credential based on public-key cryptography that replaces the typical password. Your device generates a different key pair for each serviceThe private key remains safely stored on your computer, and the public key is registered on the site's server.
When you authenticate, the service sends you a challenge and your device signs it with the private key after verifying you locally with Face ID, Touch ID, Windows Hello or a PIN. The private key never leaves the deviceAnd validation only occurs on the legitimate domain of the service thanks to WebAuthn, which blocks phishing by design.
Passkeys can reside in several places: in the iCloud Keychain, in the Google password manager, in the local Windows Hello store or even on a FIDO2 security key. Depending on where they are stored, they can be synchronized between devices. (Apple and Google) or remain tied to a single device (Windows Hello, in many cases).
Why they are more secure than passwords
With passwords, the server stores reusable secrets and you have to remember complex strings; with passkeys, the server only stores the public key and your device protects the private one. This reduces the impact of leaks and eliminates brute-force attacks and data reuse..
Furthermore, they are resistant to phishing: A passkey only works in the domain for which it was created.If an attacker tries to trick you with a fake website, authentication simply won't complete. And by not typing passwords, keyloggers focused on capturing what you type and threats like [the following] disappear. theft of verification codes.
The experience is also improved: you can access it with a touch, your face, fingerprint or PIN, without resetting passwords or waiting for SMS messages. Authentication is faster and happens locallywhich also helps in scenarios with limited connectivity.
Platform compatibility and requirements
On iOS and iPadOS from version 16 onwards, and on macOS, passkey support is integrated with iCloud Keychain. You just need to have Face ID or Touch ID set up. and enable autocomplete so that the system suggests creating and using passkeys when sites allow it.
On Android, starting with Android 9 with updated Google Play Services and Chrome 108 or higher, you can create and use passkeys with Google Password Manager. Enable Google Autocomplete and configure the screen lock (PIN/biometrics) so that everything runs smoothly.
In Windows 10 (1903) and Windows 11, the key is to have Windows Hello operational (PIN, fingerprint or face). Supported browsers include Chrome, Edge, and Firefox (starting with certain recent versions). Windows also offers an interface for managing saved passkeys from Windows 11 22H2 with specific cumulative updates.
Regarding licenses and editions, passkey support is available in Windows Pro, Enterprise, Pro Education/SE, and Education. Usage rights are covered by licenses such as Enterprise E3/E5 and Education A3/A5Therefore, its deployment in corporate environments is fully viable.
Activate your passkey in Google
Google allows you to create a passkey associated with your account to log in without a password. The shortcut is to log into your Google account and open Security., locate Access Keys and choose Create access key.
The process will ask you to verify your identity and, if you are on a mobile device, it will use biometrics. If you use the browser on your computer, you can link a mobile phone by scanning a QR code. to confirm that you are who your browser says you are, using your phone as an authenticator.
Once created, Google Password Manager syncs the passkey with your devices where you have logged in to your account. You won't have to remember anything or configure the same thing on each device.: you will only need to authenticate locally on the device you are using.
Creating and using passkeys in practice
To create your first passkey, visit a supported site (Google, GitHub, Microsoft, or test sites like passkeys.io) and look for the option to create a passkey in their security settings. Follow the system's instructions and authenticate with Face ID, Touch ID, Windows Hello or your PIN.
When logging in, the sequence is usually: enter username if necessary, choose Use passkey and confirm with your local method. Some browsers display account suggestions using a conditional interface.so you'll barely have to touch a suggestion to complete the whole process.
If the passkey option does not appear, it may be that the site does not yet support it, or that you need to configure biometrics/PIN or update your browser. With the latest versions of iOS, Android, and Windows, and up-to-date browsersThe experience is usually immediate.
Where they are stored and how they are synchronized
Apple syncs passkeys with iCloud Keychain between iPhone, iPad, and Mac, and even allows you to use the keychain on Windows with iCloud for Windows and the corresponding extension. This makes it easier to use your keys across the entire Apple ecosystem. frictionless.
Google stores and syncs passkeys with your account through the Password Manager built into Android and Chrome. On iOS, you can also use Chrome as an autofill provider. to access Google passkeys on iPhone and iPad.
Windows Hello typically stores passkeys locally on the device. This means that this passkey does not travel between Windows computers by default.However, you can log in on a PC using your mobile passkey by scanning a QR code when the site allows it.
You can also opt for FIDO2 security keys to carry your credentials on dedicated hardware. They are useful in high-security environments or when you prefer a portable physical factor that is disconnected from the system.
A practical note: some managers and ecosystems encourage blocking on their platform. To avoid relying on just one provider, you can register multiple passkeys. for the same service in different warehouses when the service allows it.
Passkeys in Windows: creation, use and management
When creating a passkey in Windows, the system will offer you the option to save it locally (protected with Windows Hello), use a nearby mobile device (iPhone, iPad or Android) as an authenticator, or register it to a FIDO2 key. If you choose mobile, you will usually need to scan a QR code. and have Bluetooth enabled for authentication between devices.
When a site or app supports passkeys and you have one saved locally in Windows, the login will automatically invoke Windows Hello. If you prefer to use a passkey that's on your phone or a FIDO2 keySelect that option in the dialog and complete the authentication.
Starting with Windows 11 22H2 with certain updates, Settings includes a section to view and delete saved access keys. You can filter by name and delete the ones you don't need.This simplifies credential hygiene on shared or older equipment.
Use in environments with restricted Bluetooth
In corporate settings where Bluetooth is limited or disabled, authentication between devices (e.g., using your mobile phone to log into your PC) may be affected. Organizations can enable very specific use cases by only enabling FIDO2 authenticators over Bluetooth and blocking the rest.
This can be achieved with Bluetooth and device installation policies, restricting unwanted services and devices and allowing only those necessary for passkeys. It is even possible to apply these policies via MDM and automate them with scripts., after testing them in elevated sessions with remote administration tools.
Passkeys with Microsoft Authenticator on mobile
For accounts managed with Microsoft (such as in university or business environments), Microsoft Authenticator can act as a passkey provider on the mobile device. Android 14 or iOS 17 is recommended and have the app installed and updated.
The typical flow: You open Authenticator, add your work or school account, pass the initial MFA verification, and choose Passkeys as your method. Authorize Authenticator to manage passkeys on your device and complete the guided setup in the app.
You can then use that passkey to log in from your mobile phone or to confirm access on other nearby devices via Bluetooth. If you lose your phone, these passkeys are linked to the device and will not sync. via the cloud in this case, so it's advisable to register more than one device.
If you change your mobile phone, you can delete old passkeys by going to your Microsoft account security information page (mysignins.microsoft.com/security-info). There you will see what type of device each passkey resides on and you will be able to revoke it. to keep everything under control.
Passkeys in Soyio: verified identity, consents and signatures
In the Soyio ecosystem, passkeys are integrated into the identity and consent modules. During the Disclosure process, you first verify your identity By providing a document and selfie, you grant consent and your verified identity is created.
At that point you can register a passkey on your device using Face ID, Touch ID, Windows Hello, or PIN, depending on the platform. From there, the passkey is used to authorize sensitive actions without relying on passwords, reducing friction and strengthening security.
In modules like AuthRequest, you will be asked for the passkey for critical operations; in Signature, you confirm the signing of documents; and in Consent, you validate changes to privacy preferences. The passkey ensures that only you can perform those actions., in a fast and verifiable way.
Practical demonstration with Chrome and a test website
If you want to try it risk-free, sites like passkeys.io allow you to register and use passkeys with a test email. Log in with Chrome, start a dummy registration and choose to create a passkey for that domain.
Chrome will show you options such as saving the passkey in Google Password Manager or associating it with Windows Hello if you are on Windows. You can register multiple passkeys for the same account and test both local login and the use of an additional device.
Then, by clicking Sign in with passkey on that same site, select the credential and authenticate with your biometrics or PIN to enter. In Windows, you'll find a section in Settings to review and remove access keys. Local. In some Google flows, visible management may vary depending on the version and environment.
Troubleshooting common problems
If you don't see the passkey option, it could be because the site hasn't activated it yet, your browser is outdated, or you need to configure Face ID, Touch ID, Windows Hello, or a PIN. Updating your browser and enabling local authentication usually resolves the issue..
If you are unable to sign in, confirm that your local method (biometrics/PIN) is working and that syncing is enabled in iCloud Keychain or Google Password Manager. Try using the same account on another device to see if you have synchronized passkeys. and use backup methods as a last resort.
If you lost or Your device was stolen where you stored passkeys, use another synchronized device or the service recovery codes, if available. Contacting support may be necessary to regain access when no other method is available.
Do they work without internet? Local authentication does, because the challenge is signed on the device; but creating new passkeys or synchronizing them between devices requires connectivity. Keep this in mind if you're going to be working remotely or with poor network coverage..
Good practices and precautions
Activate recovery methods and save codes when the service offers them. Keep your devices and browsers up to date to enjoy the best compatibility and security patches.
Don't rely on a single device for everything. Register the passkey on more than one device or combine mobile, PC and a FIDO2 key If your environment allows it, you won't be left stranded in the face of losses or breakdowns.
Check that the services you use most often support passkeys and where you store each passkey. If you work with critical data, consider using FIDO2 hardware. and restrictive policies in corporate environments to minimize the attack surface.
Passkeys, 2FA and MFA: how they fit together
Even if you don't enter a second-factor code, passkeys implicitly implement multiple factors: something you have (your device/private key) and something you are or know (biometrics or PIN). That's why they can replace traditional passwords and 2FA. offering less friction and more safety.
If a service does not yet allow you to completely replace your password, the passkey can act as a strong second factor. It's a significant improvement over SMS or TOTP codes, which are more vulnerable to phishing or SIM theft.
Operational and product notes
In certain work environments, space owners may not be able to activate passkeys for all users at this time. If you need this feature globally, please send your feedback to the provider. to prioritize its implementation.
In the Windows ecosystem, remember where your passkeys reside: local with Windows Hello, synced with Google if you created them with Chrome, or in iCloud if you're coming from Apple. For cross-platform use, a compatible password manager or a FIDO2 key It can serve as a bridge.
If your organization restricts Bluetooth, coordinate with IT to implement policies and allowlists for FIDO2 authenticators. This enables authentication between devices without opening the door to other unwanted Bluetooth profiles..
Passkeys represent a new era in authentication: more convenient, more secure, and with widespread support across major platforms. Start by creating your keychain on the mobile phone or browser you use daily, and register a second method. and try a real login to your usual services to internalize the flow and gain confidence. Share this tutorial so more users can learn how to manage their security with Passkeys features.