Passkey is the modern, hardware-backed authentication standard that replaces passwords with cryptographic key pairs stored on user devices. It implements FIDO2 / WebAuthn at the standards level. On iPhone, Passkeys sync via iCloud Keychain; on Android, via Google Password Manager; on macOS, via the system keychain. Coinbase, Kraken, Gemini, Binance.US, GitHub, Apple ID, Google Account, and most major US online services support Passkey login as of 2026.

What makes Passkey different from a password

Two security properties matter:

First, the secret never leaves the device. Where a password gets typed on a phishing site and stolen, a Passkey is bound to the domain that issued it. The phishing site cannot ask the Passkey to authenticate; the browser refuses because the domain doesn't match. This is the same domain-binding property that hardware security keys (YubiKey, Solo Key) have always offered, now extended to the consumer mainstream.

Second, the secret is unphishable in the social-engineering sense. A user cannot read their Passkey aloud to a "support agent." A user cannot accidentally paste it into a Discord DM. The Passkey is invoked only when the device's biometric (Face ID, fingerprint) or PIN unlock authorizes it.
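Both properties above, domain binding and the biometric or PIN unlock, are visible to the site in the data a Passkey login returns. The following is an added example, not code from any exchange or library: it shows the checks a relying party runs on a WebAuthn assertion before verifying the signature, which is omitted here. The domain `exchange.example`, the function names, the sample values, and the policy of requiring user verification are all assumptions made for the illustration.

```python
import base64
import hashlib
import json

FLAG_UP = 0x01  # authenticatorData flag bit 0: user present
FLAG_UV = 0x04  # authenticatorData flag bit 2: user verified (biometric or PIN)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, *, origin, rp_id, challenge):
    """Return the names of failed checks; an empty list means the binding holds."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        client = None
    if not isinstance(client, dict):
        return ["clientDataJSON"]
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")   # stale or replayed response
    if client.get("origin") != origin:
        failures.append("origin")      # page that invoked the Passkey
    if len(authenticator_data) < 37:   # 32-byte rpIdHash + flags + 4-byte counter
        return failures + ["authenticatorData"]
    rp_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")    # credential scoped to another domain
    if not flags & FLAG_UP:
        failures.append("user-present")
    if not flags & FLAG_UV:
        failures.append("user-verified")
    return failures

def sample(origin, rp_id, flags, challenge):
    # Constructed test data shaped like a browser/authenticator response.
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client, auth

CHALLENGE = b"\x01" * 32  # constructed; a real server issues a fresh random value
SITE = {"origin": "https://exchange.example", "rp_id": "exchange.example"}
if __name__ == "__main__":
    print(binding_failures(*sample(SITE["origin"], SITE["rp_id"], 0x05, CHALLENGE),
                           challenge=CHALLENGE, **SITE))
```

The browser enforces the same domain match before the authenticator is ever invoked; these server-side checks are the second layer, and a full verification also validates the signature against the stored public key.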

What Passkey replaces in the crypto context

Passkey replaces SMS 2FA, TOTP, and even hardware security keys for many use cases. The combined "password + Passkey" login is functionally a hardware-key-backed authentication using the device you already carry, without needing to buy a separate YubiKey. For an exchange account, this collapses the sign-in flow to one step and eliminates SIM-swap risk entirely.

Coinbase enabled Passkey for all user logins in late 2023. Kraken followed in 2024. Binance.US shipped Passkey support across mobile and desktop in 2024. Gemini and Robinhood also support it. As of 2026, any US-regulated exchange that has not shipped Passkey is meaningfully behind on basic account security.

The cross-device sync model

Passkeys created on iPhone sync to iPad, Mac, and other Apple devices via iCloud Keychain. Passkeys created on Android sync to other Android devices via Google Password Manager. Cross-platform sync (iPhone to Android) is technically supported via the WebAuthn standard, but the UX for actually moving Passkeys between ecosystems remains awkward in 2026.

This sync property makes Passkey distinct from a YubiKey: the Passkey is essentially "in your iCloud Keychain" or "in your Google account," secured by the device biometric. The security model now depends on the integrity of your iCloud or Google account — not just on the device itself.

The single-point-of-failure concern

If iCloud is compromised, every Passkey-secured account at that Apple ID is at risk. The mitigation: enable iCloud's "Advanced Data Protection" (end-to-end encryption for iCloud data including Passkeys), set a recovery contact and recovery key, and rely on Passkey for accounts holding critical assets only after these are in place.

The same logic applies to Google: enable Advanced Protection, configure recovery options, and treat Google account compromise as equivalent to compromise of every Passkey-secured downstream account.

When a YubiKey is still preferred over Passkey

For accounts holding seven-figure stakes, a discrete hardware security key (YubiKey 5C NFC, Solo Key) remains the gold standard. The key is physically separate from your phone, has no cloud-sync dependency, and resists the "iCloud account compromise" attack vector that Passkey shares. For a US holder past mid-six-figures in total crypto exposure, the standard layout is Passkey for normal logins and a YubiKey backup for high-value accounts, with both registered.

Further reading: YubiKey, 2FA, The 2FA truth.