An oversimplified explanation of Passkeys

[+Warwagon MVC]

 

Imagine one of those heart necklaces that breaks into two matching pieces. One person keeps one half, and the other person keeps the other half.

With passkeys, the website has one half, and you have the other half.

If the website gets hacked and someone steals its half, that stolen piece is useless by itself. It cannot unlock your account without your matching half. This particular heart necklace is one of a kind; there is only one in existence.

Another important part is that each website gets its own special necklace.

The heart necklace for your bank is not the same heart necklace used for your email. The heart necklace for your email is not the same heart necklace used for your shopping account.

So if one website gets hacked and someone steals that website’s half of the heart, they cannot take that piece and use it on another website. It would not match anything there.

That is very different from passwords. If you reuse the same password on more than one website, and one of those websites gets hacked, a hacker may try that same password on your email, bank, shopping accounts, and other websites.

With passkeys, each website has its own one-of-a-kind match. Stealing one website’s half does not give the hacker a master key to your other accounts.

Your half of the necklace has to be stored somewhere.

It might be stored on your phone, tablet, computer, or a password manager that can sync it between all your devices. You can also use a security key as a backup.

A security key is a small physical device that you keep with you, kind of like a house key, car key, or flash drive. A recommended security key is listed at the end of the article.

I would not usually recommend a security key as the first option for the average person. For most people, it is easier to use their phone, computer, or a password manager that can sync passkeys between their devices.

A security key is more like a spare key you keep in a safe place, just in case you lose access to your other devices or your password manager.

Some security keys plug into your computer. Some plug into your phone or tablet. Some do not plug in at all and instead get tapped against your device.

The idea is simple: a security key can hold another passkey for the same website.

Think of it like creating a second one-of-a-kind heart necklace for the same account. One necklace could be paired with your password manager, while another necklace could be paired with your security key.

That means the website has more than one matching half on file. One half matches the passkey in your password manager. Another half matches the passkey stored on your security key.

So, if you lose access to your phone, computer, or password manager, you would still be able to log in using the passkey stored on your security key.

A passkey does not automatically exist on every device you own. It lives wherever you save it.

If your half is stored on one device, then that device is the one that has the matching piece.

For example, if you create the passkey on your Windows computer and it is only saved to that computer, your iPhone does not automatically have that same half. If you create it on your iPhone and it only stays on that iPhone, your Android phone does not automatically have it either.

That is where password managers come in.

A password manager can act like a protected jewelry box for your passkeys. Instead of your half of the necklace being locked to only one device, the password manager can securely sync that half to your other approved devices.

For example, Apple Passwords and iCloud Keychain can sync passkeys between your Apple devices. Google Password Manager can sync passkeys with your Google account.

But password managers such as 1Password and Bitwarden can sync passkeys between everything: your phones, tablets, and computers.

Now, you might ask: “What happens if I lose access to the device that has my passkey?”

That depends on where your passkey was saved and what recovery options the website gives you.

If your passkey was synced through a password manager, you may be able to sign in from another device that has access to that same password manager. For example, if your passkey is saved in iCloud Keychain, Google Password Manager, 1Password, or Bitwarden, another approved device may still have access to it.

If your passkey was saved only on one phone, computer, or security key, and you lose that device, then you may not have your half of the necklace anymore.

In that case, you would usually need to use the website’s backup login or account recovery options.

A lot of websites that support passkeys still let you fall back to your regular password. So if you lose access to your passkey, the site may still let you log in with your password, a code sent to your email, a text message, a recovery code, or some other account recovery process.

That is convenient, but it is also important to understand: if the website still allows password login, then your password still matters.

Passkeys are safer than passwords, but if your account still has a password as a backup, you should still use a strong, unique password and turn on two-factor authentication if the website offers it.

This is why it is a good idea to have more than one safe way back into important accounts. For example, you might keep your passkey in a syncing password manager, add a second trusted device, save recovery codes somewhere safe, or set up a backup security key.

A passkey is very secure, but just like a real key, you need a backup plan in case you lose access to it.

Now, you might ask: “What stops a hacker from copying my half of the necklace?”

That’s the important part: your half is protected. It is not something you type in, and it is not something the website gets to keep.

Think of your half as being locked inside a tiny safe on your phone, computer, security key, or password manager. That safe only opens when you approve it with your fingerprint, face, PIN, or device password.

When you log in, the website does not need to see your half. It only needs proof that your half matches its half.

Your actual half is not handed over to the website.

This is different from a password. With a password, you type the secret into the website. If you type it into a fake website, the hacker now has it.

With a passkey, you are not typing your secret into the website. Your device is proving you have the matching half without giving the half away.

This also helps protect you from fake websites, because your device checks that it is talking to the real website before it proves your half matches.

Now, could someone use your passkey if they stole your device, got into your password manager, or somehow unlocked the safe that holds your half? Yes, that is why your device password, PIN, fingerprint, face unlock, and password manager security still matter.

But a hacker cannot just steal your passkey from the website or trick you into typing it into a fake page like they can with a password.

That is why passkeys are safer than passwords. The two matching pieces have to come together, like two lovebirds who were once separated and are finally reunited.

------------------

A popular security key is called a YubiKey. You can purchase them online, including from Amazon. I recently purchased two of them myself.

YubiKeys come in different versions. Some plug into a standard USB-A port, which is the older rectangle-shaped USB port found on many computers. Others plug into USB-C ports, which are found on many newer computers, phones, and tablets.

Some YubiKeys can also work with phones or tablets using NFC, which is where you tap the key against the device instead of plugging it in.

If your computer or phone does not have the right type of port, you may need an adapter, such as a USB-C to USB-A adapter.

Yubikey Regular USB version https://a.co/d/0h7Omhd9
Yubikey USB C version https://a.co/d/03rMnQR3
USB  adapters: https://a.co/d/02adGKWP

[+virtorio MVC]

Well, that answered all the questions I had about passkeys, but never seemed to have time to go look up. Thanks for that.

[Case_f]

(I know it's just an image and also not the point at all, but it really bugs me that the two halves of the necklace don't really fit together... 😅)

[+Warwagon MVC]

On 24/06/2026 at 02:59, Case_f said:

(I know it's just an image and also not the point at all, but it really bugs me that the two halves of the necklace don't really fit together... 😅)

Thank you for the feedback! I updated the image

[DeathLace]

If anyone ever wondered about @Warwagon's MVP status, this is why.

Excellent post!

[tsupersonic]

On 24/06/2026 at 10:44, DeathLace said:

If anyone ever wondered about @Warwagon's MVP status, this is why.

Excellent post!

for AI content? 😶

[+Warwagon MVC]

On 24/06/2026 at 09:48, tsupersonic said:

for AI content? 😶

Regarding the AI photo, I LOVE AI in that regard, you ask it what you want and it gives you a lovey photo in under a minute, that would taken me an hour to make in photoshop and it wouldn't have looked nearly as good.

2 nights ago I spent a couple hours collaborating with AI.  I did not say write me an article. I would write one or 2  paragraphs, then I would ask it to clean it up so it read better but still keeps the information I was trying to convey.  Rinse repeat.

 

[binaryzero]

AKA Public Key Cryptography.

PKI is awesome, and a fun technology to work with.

[+Warwagon MVC]

On 24/06/2026 at 11:14, binaryzero said:

AKA Public Key Cryptography.

PKI is awesome, and a fun technology to work with.

For a while now, I've been looking on YouTube for a video that explained passkeys to the average user, that I could post for my customers on my Facebook page,  but they all go into technical mumbo jumbo.

I found a video titled "Passkeys Explained (so even a kid could understand")

But then he started talking about Cryptography and public and privates keys. The average user doesn't care.

So I came up with an analogy that I think gets the point across without any using technical mumbo jumbo.