OCXLY Tech · Field Guide

The end of the password: how passkeys work — and why to switch

The password is sixty years old, universally hated, and the single largest cause of breaches on the internet. Its replacement is already on your phone, already backed by Apple, Google and Microsoft, and already used by more than a billion people. Here is what a passkey actually is, and why it can't be phished.

OCXLY Tech Published 13 July 2026 ~9 min read Sources linked throughout

Every security disaster you've read about — the leaked database, the credential-stuffing wave, the executive who clicked a convincing login page — traces back to the same sixty-year-old idea: a shared secret that both you and a server know, that you type into a box. Passwords fail not because people choose bad ones (though they do) but because the design itself is broken: a secret you can type is a secret you can be tricked into typing somewhere else. Passkeys throw the shared secret away entirely. This is a plain-English guide to how they work, why they're phishing-proof by construction, and how to actually start using them.

01Why the password had to die

Start with the scale of the failure. Verizon's Data Breach Investigations Report — the industry's most-cited annual analysis of thousands of real breaches — consistently finds the human element (stolen credentials, phishing, and error) implicated in the majority of them.1 Passwords are the common thread: reused across sites, guessable, harvested in bulk from one breached database and replayed against a hundred others, or simply typed into a fake page by a person who did everything “right” except notice the URL.

Two decades of patches tried to shore this up — complexity rules, rotation policies, SMS codes, authenticator apps. Each helped a little and none fixed the root problem, because each still rested on a secret the user could be induced to hand over. Even one-time codes can be phished in real time by a fake site that relays them. The US cybersecurity agency CISA is blunt about the conclusion: the only widely available phishing-resistant authentication is the FIDO/WebAuthn standard that passkeys are built on.2

02What a passkey actually is

A passkey is not a better password; it's a different kind of thing entirely. When you create one, your device generates a pair of cryptographic keys. The public key is handed to the website and is useless to a thief — it can verify a signature but can't produce one. The private key never leaves your device and is never shared with anyone, ever. This is the FIDO Alliance and W3C WebAuthn standard, the product of years of work by the browser makers, platform vendors and security community.34

Signing in works like this: the site sends your device a random challenge; your device asks you to prove it's really you — a fingerprint, a face scan, or the device PIN — and only then uses the private key to sign the challenge. The site checks the signature against the public key it stored. Notice what never happened: no secret was typed, transmitted, or stored on the server in a form anyone could steal. Your biometric, crucially, never leaves your device either; it only unlocks the local key.5

03Why it can't be phished

Here is the part that makes passkeys categorically safer rather than incrementally safer. A passkey is cryptographically bound to the exact website it was created for. Your browser and operating system enforce this: a passkey for yourbank.com will not present itself to yourbank.evil.com, no matter how perfect the fake looks, because the origin doesn't match. The whole category of attack where a convincing replica harvests what you type simply has nothing to harvest.3

And because there's no shared secret sitting in the site's database, a breach of that site can't leak your passkey — there's nothing there but public keys, which are meant to be public. Google, describing its own rollout, puts the practical upshot plainly: passkeys render password leaks and thefts valueless to an attacker, and are also about 40% faster to use than typing a password.6 Faster and safer is a rare combination in security, where the two usually trade off.

A password is a secret you can be tricked into giving away. A passkey is a secret your device will only ever use on the one site it belongs to.

04They're already here — how to switch

This is not a future technology waiting on standards. In October 2023 Google made passkeys the default for personal accounts, and by 2025 reported over 800 million Google accounts using them; the FIDO Alliance counts more than a billion people who have activated at least one passkey.63 Apple, Google and Microsoft all build passkey support directly into their operating systems and browsers, and your passkeys sync securely across your own devices through your Apple, Google or password-manager account, so losing one phone doesn't lock you out.57

Getting started is a per-site habit, not a big migration. On the accounts that matter most — email first, because it's the reset path for everything else — look in security settings for “passkeys” and follow the prompt to create one; it takes a fingerprint or face scan and a few seconds. Keep the password in place as a fallback while the ecosystem finishes catching up, use a password manager that supports passkeys if you live across Apple and non-Apple devices, and add passkeys to new sites as they offer them. You don't have to convert everything at once; you just have to start with the account whose compromise would hurt most.

05The rough edges (an honest accounting)

Passkeys are the right direction, not a finished one. Account recovery is the genuinely hard part: if you lose access to the device or account your passkeys live in, getting back in has to be both possible for you and impossible for an attacker — a tension every provider is still refining, which is why keeping a recovery method is sensible for now. Cross-ecosystem movement is improving but imperfect: syncing a passkey from an Apple device to a Windows PC still leans on a password manager or a QR-code hand-off rather than being seamless. And adoption, while past a billion people, is uneven — plenty of sites still offer only passwords. None of these are reasons to wait; they're reasons to switch your important accounts now and keep a fallback while the long tail catches up.

06Where OCXLY lands

Two things make us partisan here. First, passkeys are the consumer face of the “trust nothing by default” posture we wrote about in our Cloud 3.0 field guide — the same phishing-resistant, origin-bound identity, handed to individuals instead of IT departments. Second, and less obviously, passkeys are an accessibility win. A password punishes exactly the people OCXLY builds for: a long, case-sensitive, symbol-laden string is a genuine barrier for dyslexic, dyspraxic and memory-impaired users, and typing it correctly under pressure is its own small ordeal. A fingerprint or a glance asks none of that. The most secure option turning out to also be the most humane one is not a coincidence — it's what happens when a design finally respects how people actually are, rather than demanding they behave like a machine that never forgets. Switch your email account this week. It's the rare security upgrade that makes your day easier, not harder.

About this piece. This is an editorial explainer from OCXLY Tech for general readers. It is not a substitute for your provider's own security guidance. Every factual claim links to a primary or reputable source below — the FIDO Alliance and W3C for the standard, CISA and NIST for the security guidance, Verizon for the breach data, and the platform vendors for adoption figures.

References

  1. Verizon — Data Breach Investigations Report (DBIR): the human element (stolen credentials, phishing) in the majority of breaches
  2. CISA — guidance on phishing-resistant MFA (FIDO/WebAuthn as the only widely available phishing-resistant method)
  3. FIDO Alliance — Passkeys: the passwordless, phishing-resistant standard (1 billion+ people have activated a passkey)
  4. W3C — Web Authentication (WebAuthn) Level 2 Recommendation (public-key credential API)
  5. Apple Developer — Passkeys (device-bound private key unlocked by biometrics; iCloud Keychain sync)
  6. Google — "Passkeys are now the default sign-in option for personal Google Accounts" (adoption, ~40% faster than passwords)
  7. Google Account Help — "Sign in with a passkey instead of a password" (how to create and use one)