A passkey is a cryptographic login method that replaces a typed password with a key pair. The user’s device or authenticator keeps the private key, while the service stores only the public key. During login, the service challenges the device, which proves possession of the private key without revealing a reusable secret.
Passkeys matter because they reduce the value of common attacks such as phishing, credential stuffing, and password reuse. An attacker who steals a passkey login record cannot simply replay it on another site. In real defenses, passkeys are paired with standards such as WebAuthn and FIDO to support phishing-resistant authentication. However, security still depends on enrollment, device protection, and recovery flows. If account recovery is weak or a device is compromised, attackers may bypass the stronger login method. Passkeys improve authentication, but they do not eliminate the need for endpoint security and careful identity management.