The 90-second passkey explanation

A passkey is a cryptographic credential that replaces your password. Your device (phone, laptop, hardware token) generates a unique key pair when you create the passkey: the private half stays on the device, the public half is registered with the service. To log in, you tap or look at the device — the device proves it holds the private key without transmitting the key itself.

That is the entire concept. No password to remember, no password to phish, no password to leak in a breach.

Why passkeys defeat phishing

The private key is bound to the exact domain you registered it with. If you visit binance-login.com instead of binance.com, the passkey on your device will simply not work — there is no fallback that says "well, the domain is close enough." The browser, the operating system, and the passkey itself all refuse to send anything to the wrong domain. Phishing as we know it dies the moment passkeys are universal.
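
The domain binding and the challenge-response login described above, sketched with Node's built-in crypto module. This is an added example, not code from any service named in this article; example.com, example-login.test and all function names are assumptions, and the relying party ID is simplified to the exact host name.

```javascript
const { createHash, generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');
const sha256 = (d) => createHash('sha256').update(d).digest();
// Constructed names: example.com is the assumed relying party, FAKE a look-alike origin.
const RP_ID = 'example.com', ORIGIN = 'https://example.com', FAKE = 'https://example-login.test';
const authenticator = new Map(); // rpId -> private key; keys never leave this map
function register(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  authenticator.set(rpId, privateKey);
  return publicKey; // only the public half is sent to the service
}

// Signs authenticatorData || SHA-256(clientDataJSON), the WebAuthn signing input.
function signAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (0x01 = user present) | signCount (4)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Browser + authenticator: origin is taken from the address bar, not from page script.
function getAssertion(origin, challenge) {
  const rpId = new URL(origin).hostname; // simplification: RP ID equals the exact host
  const privateKey = authenticator.get(rpId);
  return privateKey ? signAssertion(privateKey, origin, rpId, challenge) : null;
}

// Service side: every check runs against the public key stored at registration.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'bad challenge';
  if (cd.origin !== ORIGIN) return 'bad origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpIdHash';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const publicKey = register(RP_ID), challenge = randomBytes(32);
  const genuine = getAssertion(ORIGIN, challenge);
  // Hypothetical broken client that signs for the look-alike anyway.
  const forced = signAssertion(authenticator.get(RP_ID), FAKE, new URL(FAKE).hostname, challenge);
  return { genuine: verifyAssertion(publicKey, challenge, genuine),     // 'ok'
    lookalike: getAssertion(FAKE, challenge),                           // null: nothing is signed
    replayed: verifyAssertion(publicKey, randomBytes(32), genuine),     // 'bad challenge'
    forced: verifyAssertion(publicKey, challenge, forced) };            // 'bad origin'
}
```

The look-alike origin gets nothing from the authenticator, and the service-side origin, RP ID hash and challenge checks reject an assertion even if a misbehaving client produced one.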

Where passkeys work in 2026

  • Google, Apple, Microsoft, Meta accounts. All four support passkeys for primary sign-in.
  • Coinbase, Kraken, Binance.US. All three support passkeys as the primary or 2FA method.
  • 1Password, Bitwarden, Dashlane. Password managers themselves use passkeys for vault access.
  • Major banks: Chase, Bank of America, Wells Fargo. Started passkey rollouts in 2024–2025.

The three practical rules

  • Sync passkeys across your devices through Apple iCloud Keychain, Google Password Manager, or 1Password. A passkey that lives on only one device is a single-device dependency. If you lose the phone, you cannot log in until you restore the passkey from the synced copy.
  • Keep one hardware security key (YubiKey, Titan) as a backup for the highest-value accounts. The hardware key is the fallback that does not depend on any cloud provider.
  • Do not delete the password when you add the passkey. Yet. Run passkey + strong password + 2FA for 3–6 months before removing the password. Some services still have edge cases where the password is needed for account recovery.

What passkeys are not

Passkeys are not a magic solution to custody. They protect your account access; they do not protect your wallet's seed phrase. A passkey on your Coinbase account means a phisher cannot log in as you — but it does nothing if you separately type your hardware wallet's seed into a malicious site. Two different defenses, two different attack surfaces.