Passkeys in 2026: can we really retire the password?

17 June 2026 · 2 min read

Synced across devices, pushed by Apple, Google and Microsoft. Are passkeys ready for serious login? What we learned shipping them.

Passkeys are the promise of a password-free web: no credentials to remember, no phishing, no hash databases to protect. By mid-2026 the push from Apple, Google and Microsoft made them mainstream. But "mainstream" and "ready for your product" aren't the same thing. Here's what we learned actually shipping them.

What changed versus two years ago

The turning point was sync. Early passkeys were bound to a single device: lose the phone, lose access. Today passkeys sync into the OS keychain (iCloud Keychain, Google Password Manager, Windows Hello) and propagate across a user's devices. That's what made them usable by the general public.

Technically not much changed: still WebAuthn, still a public/private key pair, the private key never leaves the device or the encrypted keychain. What matured is the user experience and platform coverage.

Why they beat passwords

  • Phishing-immune: the key is bound to the site's origin. A lookalike domain can't use it. That alone kills the web's most profitable attack class.
  • No shared secrets to steal: the server stores only the public key. A data breach exposes no reusable credentials.
  • No credential stuffing: with no reused passwords, the attack that hits thousands of accounts with stolen lists simply doesn't work.

Where it still hurts

Account recovery

This is the unsolved problem. If the user loses access to the whole ecosystem (platform switch, compromised cloud account), you need a recovery path. And every recovery path is, by definition, the weak link: often a password or an email magic link. The chain is only as strong as recovery.

Users on shared or corporate devices

On the shared office PC, or in environments where the keychain doesn't sync, passkeys get awkward. The "use your phone to sign in on desktop" QR flow works but adds friction.

The comprehension gap

Many users have no mental model of passkeys. "Where's my password?" is still a support ticket. Login UX has to explain, not assume.

How we adopt them in projects

Not "passkeys or nothing". We offer them as the primary method, with a robust fallback. New B2C projects: passkeys as a front-and-center option, email + magic link for recovery. B2B projects with SSO: passkeys sit well alongside the corporate flow, but the IdP stays the source of truth. In no case do we remove passwords entirely until recovery is distracted-user-proof.

Verdict

In 2026 passkeys are ready to be the primary login method, not yet the only one. They dramatically cut phishing and credential stuffing, and the experience is finally good. But account recovery isn't solved: whoever adopts them well treats them as the main path while keeping a fallback designed with the same care. The password isn't dead, it's been demoted to plan B.