
Apple, Google and Microsoft push passkeys, but recovery still matters

Passkeys are becoming the default sign-in option across major platforms, but the real question in 2026 is whether recovery and cross-device portability are finally good enough for mainstream users.

By Reza Khalil
5 min read

Passkeys are no longer an experimental extra buried in security settings. Microsoft frames them as the future of signing in, Apple has folded the technology into iPhone and iCloud Keychain, and Google ships passkey support inside Android and Chrome. In practice, that means replacing the password a person forgets, reuses or hands to a phishing site with a credential tied to a device they already unlock with a face, fingerprint or PIN.

The difference is where the secret lives. Instead of typing a reusable string into every app, the user approves sign-in on a trusted device and the service checks a cryptographic key pair behind the scenes. That removes the familiar password-reset churn. Trust shifts instead into the account recovery systems run by the platform companies. That is where the real question sits.

FIDO Alliance said in its 2026 consumer and workforce survey that 5 billion passkeys are now in active use. Ninety per cent of consumers are familiar with them and 75 per cent have enabled passkeys on at least some accounts. In a separate World Passkey Day release, Andrew Shikiar said the format is moving mainstream because it delivers the mix of convenience and phishing resistance the industry has chased for decades.

Why the platform operators are pushing

For platform vendors, the arithmetic is straightforward: passwords are expensive, weak and recoverable by attackers. Microsoft calls passkeys “simple, secure, and stress-free.” Apple says users can create and save them to replace the passwords used for supported websites and apps. Google’s developer guidance describes them as phishing-resistant credentials that work across devices when the surrounding account systems are set up correctly. Users no longer need to remember unique passwords for every service, and attackers cannot trick them into typing a secret into a fake login page.

Passkeys work best when the user stays inside a single vendor’s stack with a recent phone, biometric unlock enabled and a cloud account that still has a trusted recovery channel. People who live inside Apple’s iCloud Keychain, Google’s Password Manager or Microsoft’s Windows Hello get the smoothest experience. Mainstream adoption depends on default tools, not specialist security products. The trade-off is that convenience rises as the platform takes over more of the account handling on the user’s behalf, and so does dependence on that platform’s recovery systems.

What passkeys actually fix

A passkey stored on a device is not a password that can be replayed elsewhere. The service only ever sees the public half of the key pair. Credential stuffing becomes less relevant and database dumps lose value. It also changes the phishing equation: a fake site can ask for a password and a one-time code, but it cannot complete a passkey challenge, because the credential is bound to the legitimate domain and to the device that holds the private key. FIDO’s 2026 report said 68 per cent of organisations are already deploying, piloting or rolling out passkeys, a sign that the format has moved beyond consumer gadget demos.

When it works, the experience is nearly invisible. A person taps sign in, confirms with Face ID, a fingerprint or a device PIN, and moves on. No memorised string, no forced complexity rules, no monthly reset email. Passkeys reuse a habit people already have: unlocking a phone or laptop.

Recovery is the weak link

The passkey itself is phishing-resistant. The account that syncs or restores it is not. Apple’s security documentation confirms passkeys can sync through iCloud Keychain and flags a lockout threshold after 10 failed attempts during keychain recovery. The harder that recovery path is to understand, the more users keep passwords as a safety net.

Cross-platform movement is the second problem. Someone who stores a passkey inside Apple’s stack and later shifts to Android, or the reverse, depends on standards support plus a migration path that still feels technical. Google’s FAQ and Microsoft’s consumer guidance present passkeys as cross-device friendly, and directionally that is correct. In practice, the hand-off can involve QR codes, nearby-device approvals or account-level recovery steps that are less intuitive than typing an old password. For security professionals the friction is tolerable. For mainstream users, it is often the point where the simpler system stops feeling simple.

Passkeys are a major upgrade for the most common consumer sign-in pattern: logging into a familiar service from a trusted device tied to a well-maintained account. They are much less reassuring when the user has weak recovery hygiene, accounts spread across platforms, shared family devices or an old habit of ignoring backup settings until something breaks.

The practical takeaway

Passkeys make the most sense on high-frequency accounts that already sit inside a strong platform account: email, shopping, productivity and mainstream consumer apps. They are especially useful where phishing risk is high and sign-ins are frequent. Enabling a passkey should not mean ignoring the rest of the security chain. The recovery email, phone number, second factor and device passcode behind that passkey still matter, because those systems now decide whether a user can recover access after a lost handset, a damaged laptop or an account lockout.

Passwords are not dying in one clean break. They are being demoted. Apple, Google and Microsoft have spent the past two years turning passkeys from optional security candy into default login plumbing, and FIDO’s numbers show the shift is real. The remaining work sits in the unglamorous part: recovery, portability and clearer user education about what a passkey actually replaces. Get those right and passkeys will stop feeling like a security feature and start feeling like the normal way the web signs people in. Get them wrong and passwords survive as the fallback people never quite trust themselves to delete.

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.