Explainer

Passkeys vs 2FA: What Is the Difference?

Passkeys are the most significant change to online authentication in a decade. They are being rolled out by Google, Apple, Microsoft, and hundreds of major services, but many people are confused about how they relate to two-factor authentication. Are passkeys a replacement for 2FA, or something different entirely? This guide explains everything.

What Is 2FA?

Two-factor authentication adds a second verification step after your password. The most common forms are TOTP codes from an authenticator app (the 6-digit codes that change every 30 seconds), SMS codes sent to your phone, and hardware security keys. The idea is that even if an attacker steals your password, they still cannot access your account without the second factor.

Standard 2FA has a significant weakness: TOTP codes and SMS codes can be intercepted. A sophisticated attacker can create a fake login page that relays your credentials and your 2FA code to the real service in real time, before the 30-second window expires. This is called a real-time phishing attack, and it completely bypasses TOTP-based 2FA.

What Are Passkeys?

A passkey is a cryptographic credential that replaces both your password and your 2FA step in a single action. When you create a passkey for a service, your device generates a pair of cryptographic keys: a private key that stays locked on your device, and a public key that is registered with the service. When you sign in, your device signs a challenge from the server using the private key. The server verifies the signature using the stored public key: no password, no code, nothing to type.

To use the passkey, you authenticate locally on your device with Face ID, a fingerprint, Windows Hello, or your device PIN. This local authentication unlocks the private key, which then proves your identity to the server.

The critical difference: Passkeys verify the exact domain they are signing in to. A passkey registered for google.com will not work on g00gle.com or any other fake domain. This makes passkeys completely immune to phishing: there is no code to steal.

Passkeys vs 2FA: Key Differences

Phishing resistance: Passkeys are cryptographically phishing-resistant. TOTP codes are not; a real-time phishing proxy can steal them. Hardware security keys (FIDO2) share this phishing resistance, but they are a separate device you need to carry.

User experience: Passkeys require a single step: tap your fingerprint or face, done. Traditional 2FA requires entering a password, then opening your authenticator app, then typing or copying a 6-digit code. Passkeys are both more secure and faster.

No shared secret: With TOTP, both your app and the server share a secret key. If the server is breached and that secret is stolen, an attacker can generate valid codes forever. Passkeys have no shared secret; only the public key is stored on the server, which is mathematically useless to an attacker on its own.

Account recovery: Losing access to your passkey device is handled differently than losing an authenticator app. Passkeys sync across your devices through Apple iCloud Keychain, Google Password Manager, or a password manager like 1Password. Recovery is generally simpler than recovering from a lost authenticator.

Do Passkeys Replace 2FA?

Yes: when you sign in with a passkey, you are already satisfying two authentication factors simultaneously. The device itself is the "something you have" factor, and your biometric or PIN is the "something you are or know" factor. Services that adopt passkeys no longer require a separate 2FA step.

However, passkeys are not yet available everywhere. As of 2026, many services still rely on passwords plus 2FA. For those services, using an authenticator app remains the right approach; it is still far better than a password alone.

Should You Switch to Passkeys?

Yes, wherever available. Passkeys are more secure than passwords plus TOTP, easier to use, and immune to phishing. The services most important to protect (Google, Apple, Microsoft, GitHub) all support passkeys now. Enable passkeys on these accounts as a priority.

Keep your authenticator app for services that have not yet adopted passkeys. The transition will take a few more years to complete across the entire web, but the direction is clear: passkeys are the future of authentication, and 2FA as a separate step is gradually being phased out.

How to Set Up a Passkey

The process varies by service but is generally the same: go to your account's security settings, look for "Passkeys" or "Sign-in options", and click "Create a passkey" or "Add a passkey". Your browser or device will prompt you to authenticate with your biometric or PIN, and the passkey is created. Next time you sign in, you simply authenticate locally instead of entering a password.

Passkeys created on your phone sync to other devices through your platform's credential manager (iCloud Keychain for Apple devices, Google Password Manager for Android/Chrome, or a third-party manager like 1Password or Bitwarden). You do not need to create a separate passkey on each device.
