Kaspersky’s FAQ on using and managing passkeys | Kaspersky official blog

Kaspersky’s FAQ on using and managing passkeys | Kaspersky official blog

/in

Imagine ditching passwords and SMS verification codes, and instead signing in to apps and websites with a simple fingerprint scan or even a smile at your camera. That’s the promise of passkeys. What’s more, unlike passwords, passkeys are resistant to theft. This means you could read news about data breaches — like the recent one affecting 16 billion accounts — without your heart sinking.

Under various names, this sign-in method is strongly recommended by WhatsApp, Xbox, Microsoft 365, YouTube, and dozens of other popular online services. But what does using passkeys look like in practice? We’ve covered this in detail for Google accounts, and today, we’ll explore how other online services and platforms support passkeys. In this first post, we’ll cover the basics of using passkeys on one or multiple devices. In our next post, we’ll dive into more complex scenarios, such as signing in to your account on a public computer, using Linux, or storing your passkeys on a dongle.

What’s a passkey?

A passkey is a unique digital login key created for a specific website or app. It’s securely stored on your device: your smartphone, computer, or a dedicated USB dongle such as a YubiKey or Google Titan Security Key. When you sign in, your device uses biometrics or a PIN to verify it’s really you. After verification, your device sends a secure response, generated from that unique passkey, to the website. This mechanism offers strong protection against account theft, which is possible with traditional passwords — be that through phishing attacks or website breaches. Passkeys are supported across Apple, Google, and Microsoft devices, and theoretically, with cloud synchronization, they should be accessible across all your devices. For a deeper dive into the internal workings of passkeys, check out our previous article on the subject.

How secure and user-friendly are passkeys?

Before you fully commit to using passkeys, it’s worth considering how convenient they’d be for your specific setup. While the technology is becoming widely adoption, each website and platform implements it differently, using varying terminology for the same features. Additionally, transferring or syncing passkeys can present challenges.

If your smartphone is your only gadget, you are all-in on Apple devices, or you have a couple of recent Android or ChromeOS devices, passkeys will likely save you time when signing in to websites and apps, with minimal hassle.

However, if you use multiple platforms and own many devices, we strongly recommend a third-party password and passkey manager, such as Kaspersky Password Manager, for a smoother experience. Even then, you might still encounter occasional incompatibilities or quirky interfaces on some sites and apps.

For those using less common browsers, Linux-based operating systems, or older computers and smartphones, switching to passkeys might be entirely impracticable, or come with significant limitations.

Keep in mind that very few, if any, services deactivate password-based sign-in when you enable a passkey. This means that, in reality, the enhanced protection against account compromise isn’t as strong as advertised — unless you proactively disable password sign-in yourself. On the flip side, having a password as a backup sign-in method minimizes instances where you might lose access to your account due to passkey issues — but we’ll get into more detail about that later.

Where passkeys are supported in 2025?

Passkeys can be used across major operating systems and browsers, and you don’t necessarily need the absolute latest versions.

  • Windows 11: supported from version 22H2 onward, though also partially usable on Windows 10 with updates.
  • macOS: supported from Ventura onward.
  • iOS/iPadOS: supported from version 16 onward.
  • Android: passkeys are usable from version 9, but crucial additional settings — including integration with external password managers and passkey providers — only became available in version 14.
  • Linux: most major distributions lack native passkey support; however, you can still use the technology by leveraging Chrome, Edge, or Firefox browsers in conjunction with an external password manager or a USB token. We’ll dive deeper into how to use passkeys on Linux in our second post on the topic.
  • Chrome/Edge/Opera: basic passkey capabilities have been around since Chromium version 108, but some conveniences and important features only appeared starting with version 128.
  • Firefox: supported from version 122 onward. Despite the browser support, passkeys often don’t work on many websites specifically with Firefox.
  • Safari: supported from version 16 onward, with certain features only available in version 18 or later.

For you to use a passkey, the website or application you’re signing in to must also support the technology. Hundreds already do, so we’ll just mention some of the major players.

  • Microsoft: passkeys are supported for all personal Microsoft and Xbox accounts. Starting in spring 2025, when creating a new account, the primary option offered is to create a passkey rather than setting a password.
  • iCloud: passkey sign-in is supported for iCloud, but the passkey itself must be stored on an Apple device.
  • Google: passkeys are supported for all personal Google accounts, including YouTube.
  • Meta: supports passkeys for signing in to Facebook and WhatsApp.
  • You can also ditch passwords in favor of passkeys on X/Twitter, LinkedIn, Amazon, PayPal, TikTok, Yahoo, Discord, Adobe Creative Cloud, GitHub, and more.

Popular services that don’t currently support passkeys notably include ChatGPT, Claude, DeepSeek, Reddit, Spotify, Instagram, AliExpress, Temu, and Shein.

What are the downsides of passkeys?

When considering the switch to passkeys and deciding how to store them, there are a few important drawbacks to keep in mind. The first two are unlikely to ever be fully resolved, while others may become less significant over time.

  • Anyone who can unlock your device (by knowing your PIN or looking enough like you to bypass Face ID) can potentially access all your accounts. This is especially critical for shared household computers.
  • If your passkeys are stored on a single device, and that device is damaged or stolen, you could lose access to your accounts. If you haven’t set up alternative sign-in methods, like a password or a backup email or phone number, you’ll have to go through an account recovery process. For some online services, this could take days or even weeks. And if you’ve set up passkey-only sign-in for your primary email, which receives recovery codes for other services, you could potentially lose your accounts forever.
  • Users with multiple devices running various operating systems or using different browsers might encounter difficulties syncing their passkeys. More on this below.
  • If you need to sign in to an account from someone else’s device (like a library or hotel computer), outdated software on that machine might prevent passkey sign-in. So it’s crucial to have a plan B.
  • A less obvious drawback stems from the points above: most online services that offer to switch to passkeys don’t disable other sign-in methods. So, if you protected your account with a weak or reused password before switching to passkeys, attackers could still compromise your account by signing in with the password instead of the passkey.

How to create and use passkeys on a single device?

If you’re rocking just one device that fully supports passkeys (like Apple, Google, or Samsung smartphones released in the last couple of years), making the switch to passkeys is a breeze.

Simply head to the settings of each service you use, find the “Security” section, and look for a “Create a passkey” option.

Here are detailed instructions for Google, Microsoft, Facebook, WhatsApp, TikTok, Discord, Amazon, PayPal, Adobe, Linkedin, and Yahoo.

You won’t find instructions for creating a passkey for your iCloud account here because it happens automatically. Whenever you connect any device running iOS 16 or later, or macOS Ventura or later, to your account, a passkey is created. While you won’t see this in your settings, when you sign in to the iCloud website from an unfamiliar device, you’ll be able to use your passkey instead of a password.

Once created, passkeys are saved locally on your device: on iOS/macOS, they’re in Keychain, and on Android, they can be found in Google Password Manager. Windows is a bit more complex, as passkeys can use either the computer’s built-in storage (accessible via Windows Hello) or other storage options.

Going forward, to sign in to a website or app, just select “Sign in with passkey”, and complete the standard device verification — whether that’s a fingerprint, face scan, or PIN.

The latest versions of Safari on iOS and macOS, as well as Chrome on Windows and macOS (version 136 and later, with Android support “coming soon”), now offer an automatic upgrade option. If your browser has a saved password for a website that now supports passkeys, after you sign in, the browser might automatically create and save a passkey, then prompt you to use it for future passwordless sign-in.

How to use passkeys across multiple devices?

If you’ve got more than one device, you’ll need to figure out how to sync your passkeys across all of them.

If you use only Macs and iPhones, or exclusively Android and ChromeOS devices, you won’t need to go through the hassle of manually setting up passkeys on each gadget. Simply create all your passkeys on one device and ensure that the sync option is enabled in the settings.

For iOS, you can enable this in the iPhone settings under Settings → [your name] → iCloud → Saved to iCloud → Passwords & Keychain → Sync this iPhone (complete guide). On Android, data saved in Google Password Manager automatically syncs with your Google account. Windows and Linux, however, currently lack a built-in passkey sync tool, although Microsoft has said it will develop one soon.

Things get a bit trickier for those who mix and match — especially with popular combinations like Windows + Android or macOS + Android. While you can use passkeys saved on an Android smartphone on your computer, it’s generally limited to Chrome, and only as long as you’re signed in to your Google account in the browser. Given Chrome’s significant drawbacks regarding privacy and user tracking, this solution won’t appeal to everyone. Besides, on a computer, this only allows you to sign in to websites with passkeys; app logins remain exclusive to your Android smartphone.

If you’re an iPhone user with a Windows computer, your iPhone passwords are accessible through the iCloud for Windows app, but it doesn’t support passkeys just yet.

Fortunately, an effective alternative has been available since late 2024. Third-party password managers have gradually added passkey management features across all major platforms. Therefore, the most reliable and universal way to store passkeys, regardless of how many devices you own or what type they are, is to use a robust password manager that supports passkeys and is NOT developed by Apple, Google, or Microsoft. For example, Kaspersky Password Manager already supports passkeys on Windows, with Android support planned for July, and iOS/macOS support for August 2025.

A password manager also solves the backup and recovery problem described above. If your only device with passkeys stored in a third-party password manager is lost or damaged, you can restore your passkeys to a new device from the password manager secure cloud storage.

To use a password manager for passkeys, you’ll need to install it on all your devices and add its browser extension to all browsers on your computer.

How to manage your passkeys?

Managing your saved passkeys is done centrally. If you’re not using a third-party password manager, you can check, delete, or replace outdated passkeys as follows:

  • iOS: for versions through 17, go to Settings → Passwords. Starting with iOS 18, use the dedicated Passwords
  • macOS Sequoia and later: use the Passwords For earlier versions, find Passwords in System Settings.
  • Android: menu structures vary by manufacturer, but look for a setting like Passwords, passkeys, and accounts, or Password Manager. For Samsung devices, open the Samsung Pass
  • Windows: go to settings, then Accounts → Passkeys.
  • If you save your passkeys in Google’s password manager, you can manage them from your computer via google.com.

If you’re using a third-party password manager , all passkey management is handled within that application.

In our next post, we’ll dive into more complex situations when using passkeys, including:

  • How to sign in to your account from a public computer (like at a hotel or library).
  • Whether you can transfer passkeys between iOS and Android.
  • How to store passkeys on hardware security keys (like YubiKey or Google Titan Security Key tokens).
  • Challenges that arise when using passkeys on multilingual international websites.
  • How to protect your account if it also supports password-based sign-in as a backup.

Meanwhile, be sure to subscribe to our Telegram channel to catch the announcement for the next part!…

Kaspersky official blog – ​Read More