Passkeys Are Replacing Passwords in 2026: A Practical Guide
What passkeys are, why the big platforms pushed them, and how to set them up for your business and your clients
The Delivvo team · June 13, 2026 · 10 min read
If you run a one-person studio or a small business, here is the short version: a passkey replaces your password with a fingerprint, a face scan, or your device PIN, and it cannot be phished or stolen in a data breach. Apple, Google, and Microsoft have all made passkeys a default sign-in option, which means you can start using them today on most accounts you already have. This guide explains what a passkey actually is, why the big platforms pushed so hard, how to set one up in a few minutes, and what the shift means for the way you and your clients log in.
You do not need to be a security person to follow this. You do need an hour and a willingness to change a habit you have had since the 1990s.
What a passkey actually is
A passkey is a pair of cryptographic keys. One key, the public one, lives on the website's server. The other, the private one, never leaves your phone, laptop, or hardware security key. When you sign in, the site sends a challenge, your device signs it with the private key, and the site checks the signature against the public key. You approve the whole thing with a fingerprint, a face scan, or the PIN you already use to unlock your device.
Two things follow from that design, and both are the entire point.
First, the server never stores anything an attacker can reuse. With a password, the site keeps a hashed copy of your secret, and a breach can expose it. With a passkey, the server only holds the public key, which is useless on its own. In June 2025, researchers at Cybernews reported that 16 billion login credentials had been leaked and compiled into datasets online, pulled from infostealer malware hitting Google, Facebook, Apple, and other platforms (according to CBS News). A passkey would not appear in a dump like that, because there is no shared secret to steal.
Second, a passkey is tied to the exact domain it was created for. Your passkey for your bank works only on your bank's real site. A fake login page on a lookalike domain gets nothing, because the passkey is bound to the real domain and your device will not sign a challenge for any other. That is why passkeys are called phishing-resistant. The user cannot be tricked into handing over a secret that does not exist in a form anyone can copy.
There is no password to remember, reuse, write on a sticky note, or type into the wrong box.
Why Apple, Google, and Microsoft pushed so hard
The plain reason is that passwords stopped working as a security control years ago, and the platforms were tired of cleaning up the mess. Phishing, credential stuffing, and account takeover became the main way accounts get breached, and the volume kept climbing. The FIDO Alliance, the industry body behind the standard, found that in the past year more than 35% of people had at least one account compromised due to password vulnerabilities (according to the FIDO Alliance).
So the three companies that control the devices most people use agreed on one standard and built it into the operating system. That cooperation is what made passkeys usable. When you create a passkey on an iPhone, it syncs through iCloud Keychain. On Android and Chrome it syncs through Google Password Manager. On Windows it works through Windows Hello. You set it up once and it follows you.
The adoption numbers back that up. Google reported that passkeys have been used to authenticate people more than 1 billion times across over 400 million Google accounts, and that they are 50 percent faster than passwords (according to TechSpot, citing Google). Microsoft says that across its consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day, and that the FIDO Alliance now estimates 5 billion passkeys already in use worldwide (according to the Microsoft Security Blog). On the consumer side, the FIDO Alliance found that 74% of consumers are aware of passkeys and 69% have enabled them on at least one account.
When the companies that make your phone, your browser, and your work software all agree, the default quietly shifts under you. New Microsoft accounts now lean passwordless out of the box. The password is becoming the fallback, not the front door.
How to set up a passkey, step by step
The mechanics are short. The exact wording changes a little per service, but the flow is the same everywhere.
On a personal account (Google, Apple, Microsoft)
Go to the account's security settings. For Google that is myaccount.google.com under "How you sign in to Google." For Apple it is in your Apple Account settings. For Microsoft it is the Advanced security options page.
Find the passkey option and choose to create one.
Approve with your fingerprint, face scan, or device PIN. That is the whole creation step.
Sign out and sign back in once to confirm it works. You will be prompted for the biometric instead of a password.
The passkey now syncs to your other devices through that platform's keychain. On a phone you can also use it to log in on a nearby laptop by scanning a QR code, which uses Bluetooth to confirm the two devices are in the same room.
For your business tools
Most of the software a small studio runs on already supports passkeys: your password manager, your email, your accounting tool, your domain registrar, your project platform. Do the high-value accounts first. Your email is the master key to everything, because password resets land there, so secure that one before anything else. Then your registrar, your bank or payment dashboard, and your file storage.
A practical tip: keep one strong fallback. Add a passkey, but do not delete every other recovery method on day one. Save your account recovery codes somewhere offline. Passkeys are excellent, and you still want a way back in if you lose every device at once.
What about a password manager
If you use 1Password, Bitwarden, or Dashlane, you can store passkeys inside the manager itself rather than tying them to one platform's keychain. That keeps them portable across an iPhone and a Windows laptop without living inside either Apple's or Google's walled garden. For a business that mixes devices, that portability is worth the small extra setup.
What this means for your clients and their logins
Here is where it gets practical for a service business. The same logic that makes passkeys good for you applies to anything you ask a client to log into. Every login you put in front of a client is friction, and friction costs you. A client who cannot remember a password, or who never finishes the sign-up, is a client who emails you the file request instead of using the tool you set up.
The benefit shows up in completion rates, not only in security. Passkeys are quick. Microsoft found that sign-in success rates run far higher with passkeys than passwords, and Google measured them at 50 percent faster. When the login itself is a one-tap biometric instead of a typed string, fewer people bounce at the door.
There is a nuance for client-facing work, though. A passkey assumes the person already has an account and a device set up for it. For a brand new client who just needs to see one proposal or upload one file, even a passkey enrollment can be one step too many. The pattern that wins for one-off client access is the magic link or the one-time code: the client clicks a link or enters a six-digit code sent to their email, and they are in. There is no password to create and nothing to leak. It is the same security idea as a passkey, the absence of a reusable shared secret, applied to a person you may only work with for one project.
Passkeys are not magic, and a guide that pretends otherwise is not worth reading.
The recovery story is still the weak spot. If your private key lives only on one device and that device is gone, you need a clean way back in. The platforms handle this with cloud sync, so a passkey on your iPhone is recoverable through your iCloud account. That just moves the trust to your iCloud or Google account, which then has to be locked down hard, ideally with its own passkey and recovery codes.
Cross-ecosystem use is improving but still clunky. Using a passkey created on an iPhone to log in on a Windows machine works through a QR-code-and-Bluetooth handoff, and it is fine, but it takes more steps than a synced setup. This is the main reason a third-party password manager that stores passkeys can be the better choice for a mixed-device business.
And attackers adapt. The threat moves toward the recovery flow and toward social engineering, because the front door got harder. The Microsoft Security Blog noted that AI-powered phishing campaigns now drive click-through rates as high as 54% (according to the Microsoft Security Blog). Passkeys defang the click itself, since there is no password to phish, but the broader lesson holds: lock down recovery, not just the login.
This is the same low-friction-but-secure idea Delivvo is built on. Your clients log in to their portal with a one-time code sent to their email, so there is no password for them to create, forget, or leak, and you still control proposals, contracts, file delivery, approvals, and invoices in one place. Payments run straight through your own gateway, with Delivvo taking 0%.
Frequently asked questions
Should a small business switch to passkeys in 2026?
Yes, starting with your highest-value accounts. Set up a passkey on your email first, because that account controls every password reset you have. Then do your domain registrar, your payment or banking dashboard, and your file storage. Keep recovery codes saved offline and leave one backup sign-in method in place until you trust the new flow. You do not have to convert everything in one afternoon.
What happens to my passkey if I lose my phone?
You do not lose access, as long as you used a synced passkey. On an iPhone the passkey is backed up through iCloud Keychain, and on Android and Chrome it syncs through Google Password Manager, so it reappears when you sign in on a new device. This is exactly why your underlying platform account needs strong protection of its own. If you stored passkeys in a password manager like 1Password or Bitwarden instead, they restore when you log back into the manager.
Are passkeys safer than a password plus two-factor codes?
In most cases, yes. A password with an SMS or app code is still phishable, because a convincing fake page can capture both at once. A passkey cannot be entered on the wrong site, because it is bound to the real domain, and there is no shared secret stored on the server to steal in a breach. That removes the two attacks, phishing and credential leaks, that cause most account takeovers.
Do my clients need a passkey to use a tool I set up?
No. A passkey suits accounts a person uses often and keeps long term. For a client who needs quick, occasional access, a one-time email code or magic link gives the same no-shared-secret safety with zero setup. Match the method to the relationship: passkeys for your own daily logins, one-time codes for one-off client access.
The short version
Passkeys replace a secret you can lose with a key that never leaves your device, and the three biggest platforms have already made them a default. For your own accounts, the move is straightforward and worth doing this year, email first. For your clients, the principle matters more than the exact tool: the fewer passwords you ask anyone to create, the fewer ways things break. Start with your email login this week, and let the rest follow.