Proving you’re a real person online shouldn’t be a test of your memory. The constant cycle of passwords has created a system that is both insecure and deeply impersonal, eroding the trust between users and the platforms they rely on. Every forgotten password is a moment of frustration that weakens that relationship. Passkeys help restore a more human-centric approach to identity by using familiar, natural actions, like a fingerprint or face scan, to grant access. Implementing passkey authentication for web applications is about more than just technology; it’s about building a more trustworthy and seamless digital environment for your community.
Key Takeaways
- Passkeys strengthen security by design, not by effort: They replace vulnerable passwords with phishing-resistant cryptography, which means you protect user accounts without asking people to remember complex credentials.
- A thoughtful rollout is key to user adoption: Encourage users to make the switch by offering passkeys as an optional upgrade, providing clear account recovery plans, and designing an intuitive login flow that feels familiar.
- You don’t have to build from scratch: A wealth of developer resources, including the standardized WebAuthn API and open-source libraries, can simplify the technical implementation and help you follow best practices.
What Are Passkeys and How Do They Work?
If you’ve ever felt the frustration of a forgotten password, you’ll appreciate the simplicity of passkeys. They represent a major shift in how we prove our identity online, moving away from vulnerable, text-based passwords toward a more secure and user-friendly method. Instead of typing something you know (a password), you use something you have (your device) and something you are (your fingerprint or face) to log in. This approach not only makes signing in faster but also builds a stronger defense against common online threats, creating a more trustworthy environment for your users and your platform.
Understanding the Technology
At its core, a passkey is a digital credential that replaces your password. Think about how you unlock your phone; you probably use your fingerprint, face, or a simple PIN. Passkeys apply that same seamless experience to logging into websites and apps. When a user creates an account, their device generates a unique passkey for that specific service. This means there are no more passwords to remember, reuse, or have stolen. The entire process is managed by the device’s operating system, making it a standardized and reliable method of passwordless authentication that works across different platforms.
A Quick Look at Public-Key Cryptography
Passkeys are built on a proven security method called public-key cryptography. It sounds complex, but the concept is straightforward. For every passkey, a matched pair of digital keys is created: a private key and a public key. The private key is stored securely on your personal device, like your phone or laptop, and never leaves it. The public key is stored on the website or app’s server. These two keys are mathematically linked. The public key can verify signals sent by the private key, but it can’t be used to figure out what the private key is. This one-way relationship is the secret to its strength.
How Your Device Authenticates You
When you want to log in, the website’s server sends a challenge to your device. Your device uses its securely stored private key to sign this challenge and send it back as proof of identity. The server then uses your public key to verify the signature. If it matches, you’re in. The private key itself is never shared, so it can’t be intercepted or stolen in a data breach. This process happens in seconds. Modern browsers can even find and suggest the right passkey automatically, making the login experience feel almost invisible to the user while providing a powerful layer of web security.
Why Passkeys Are Better Than Passwords
For years, we’ve been told to create complex passwords, change them often, and never reuse them. It’s a constant headache for users and a massive security liability for businesses. Passwords are the weak link in online security, responsible for countless data breaches. They are easily stolen, guessed, or phished, leaving both customer accounts and company systems vulnerable. This constant threat forces businesses to add more layers of security, like multi-factor authentication, which can add friction and frustrate users who just want to get things done.
Passkeys offer a fundamentally different approach, one that’s not just a minor improvement but a complete evolution. They replace the vulnerable, forgettable password with a secure, effortless way to sign in, benefiting both your users and your platform’s integrity. Instead of relying on something a user knows (and can forget or have stolen), passkeys rely on cryptographic proof from a device they own, like their phone or laptop. By moving beyond passwords, you can eliminate a major source of friction and fraud, creating a more trustworthy online environment from the ground up. It’s a win-win: users get a simpler experience, and you get stronger protection against account takeovers and other threats.
Stronger Security Than Passwords
The biggest advantage of passkeys is their incredible resistance to common online attacks. They are specifically designed to stop phishing, where attackers trick users into revealing their credentials on a fake website. With a passkey, there is no password to steal or give away. The cryptographic signature is unique to your device and the legitimate website, so a phishing site simply can’t request a valid login. This technology also solves the problem of weak or reused passwords. Since users don’t create or remember their passkeys, they can’t fall into the trap of choosing “Password123.” The FIDO Alliance has championed this standard to create a safer web where your login information can’t be easily compromised.
A Better User Experience
Security improvements often come at the cost of convenience, but passkeys manage to improve both. Instead of typing a complicated password, users can sign in with a simple, familiar action like a fingerprint scan, facial recognition, or a device PIN. This removes the frustration of forgotten passwords and failed login attempts. When platforms design the passkey experience thoughtfully, with clear prompts and native biometric dialogs, user adoption rates climb while support requests plummet. Companies like GitHub have already demonstrated how a user-friendly passkey implementation can make security feel seamless and intuitive, rather than like a chore.
Faster, More Convenient Logins
The speed of passkeys is a game-changer. For users, it means getting into their accounts without delay. For businesses, it means reducing friction at a critical point in the customer journey. Studies and real-world case studies show that passkeys are not just slightly faster, but dramatically so. On average, logins with passkeys are twice as fast as with passwords and have four times the success rate. Some of the world’s biggest platforms have seen incredible results. TikTok users, for example, log in 17 times faster with passkeys. This isn’t just a minor convenience; it’s a significant improvement that keeps users engaged and happy.
How Do Passkeys Improve Web App Security?
Passkeys represent a fundamental shift in digital security, moving away from vulnerable, password-based systems to a more robust cryptographic approach. Instead of relying on a secret that can be stolen, leaked, or forgotten, passkeys use a unique key pair for every account. This design directly addresses some of the most persistent security threats that web applications face today. By eliminating the password, you remove the primary target for phishing, credential stuffing, and large-scale data breaches. This creates a safer environment for both your platform and your users, strengthening the trust that is essential for online interactions.
Protect Your App from Phishing
Phishing attacks are so effective because they prey on human error, tricking users into revealing their passwords on fake websites. Passkeys are designed to make this type of attack obsolete. Because a passkey is cryptographically bound to the specific website or app where it was created, it simply won’t work on a fraudulent site. There is no shared secret for a user to type or paste, so there’s nothing for a phisher to steal. This approach, as outlined by the FIDO Alliance, moves security from a user’s memory to their device, effectively cutting off the main avenue for phishing attacks and protecting your users from credential theft.
Stop Credential Theft and Breaches
Passkeys solve two of the biggest problems inherent in traditional passwords: reuse and weakness. Users often reuse the same password across multiple services, meaning a breach on one site can compromise their accounts everywhere else. This leads to “credential stuffing” attacks, where bots try stolen login combinations across the web. Passkeys are automatically unique for every single website, which completely stops this attack vector. Furthermore, since passkeys are generated by the device, they are always long and complex, eliminating the risk of users choosing weak, easy-to-guess passwords. This strengthens the security of every account on your platform without placing any extra burden on the user.
How Biometrics and Local Storage Add Security
The security of passkeys is anchored in a principle called public-key cryptography. When a user creates a passkey, their device generates two keys: a private key that is securely stored on their device and a public key that is sent to your server. To log in, the server sends a challenge, and the device uses the private key to sign it, proving ownership without ever revealing the key itself. As Google for Developers explains, even if a hacker stole your entire server database, the public keys they’d find would be useless without the corresponding private keys. The user’s biometric data, like a fingerprint or face scan, simply acts as the method to unlock the private key on their device; that sensitive data is never transmitted or stored on a server.
How to Implement Passkeys in Your Web App
Ready to add passkeys to your web application? The process is more straightforward than you might think, thanks to a standardized API that does most of the heavy lifting. Implementing passkeys involves three main steps: using the API to handle the cryptography, setting up a simple registration flow for users to create their passkeys, and then building the login experience. It’s also important to ensure your application gracefully handles different browsers and devices. Let’s walk through what you need to know to get started.
Understanding the WebAuthn API
The magic behind passkeys is the Web Authentication API, or WebAuthn. This is a web standard that allows servers to register and authenticate users with public-key cryptography instead of passwords. When a user creates a passkey, WebAuthn works with the device’s secure hardware to generate a unique key pair. The private key stays locked on the user’s device, while the public key is sent to your server. This process relies on the device’s own security, like a fingerprint scanner or PIN, to confirm the user is present and authenticating the action.
Set Up the Registration Process
The first step for your user is creating a passkey for your site. This registration flow is handled by a single JavaScript call. Your web application uses the CredentialsContainer.create() method from the WebAuthn API to prompt the user to create a new passkey. When this function is called, the browser and operating system take over, asking the user to approve the creation using their device’s screen lock method (like Face ID, a fingerprint, or a PIN). Once they approve, the device generates the key pair and sends the public key back to your server for storage.
Implement the Login Flow
Once a user has a passkey registered with your service, the login process becomes incredibly simple and secure. When they want to sign in, your server sends a unique challenge to the browser. The browser then asks the user to verify their identity with their device’s unlock method. After successful verification, the device uses its private key to sign the server’s challenge, creating a cryptographic proof that it’s the right user on the right device. This proof is sent back to your server, which uses the stored public key to validate the signature and grant access. The private key itself never leaves the device.
Check for Browser and Platform Support
Passkeys are widely supported across all major browsers and operating systems, but it’s still a good practice to check for compatibility. Most modern browsers, including Chrome, Safari, Firefox, and Edge, have robust support for the WebAuthn API. A key feature to understand is that passkeys are designed to be “discoverable.” This means the browser can find available passkeys and offer them in autofill prompts, often before the user even types a username. This creates a seamless sign-in experience. You can check the latest browser compatibility to ensure you build a smooth experience for all your users.
What Are the Best Practices for Implementation?
Successfully rolling out passkeys isn’t just about the technology; it’s about creating a secure and seamless experience that your users will actually want to adopt. When you get the implementation right, you reduce friction, minimize support tickets, and build a stronger foundation of trust with your audience. Getting started means focusing on a few core principles that balance robust security with user-friendly design. By thinking through how people will interact with passkeys on your platform, you can make the transition from passwords a smooth and welcome change. Here are the key practices to keep in mind as you build out your authentication flow.
Support Multiple Passkeys for Each User
Think about your own digital life. You probably have a phone, a laptop, and maybe a tablet. Your users are the same. Limiting them to a single passkey for their account creates a major point of failure. If they lose that one device, they’re locked out. A better approach is to allow users to register multiple passkeys for a single account. For example, they could have one passkey on their smartphone for daily use and a second one on a physical security key stored in a safe place as a backup. This flexibility gives users control and peace of mind, ensuring they can always access their account.
Implement an Autofill UI
The best user experience is one that feels invisible. For passkeys, this means integrating them directly into your login flow with an autofill-style interface. Instead of making users click a “Sign in with a passkey” button, the option should appear automatically in the username field, just like a saved password. When passkeys are presented with intuitive, in-flow prompts and native biometric dialogs (like Face ID or a fingerprint scan), passkey adoption rises significantly. This simple change makes logging in faster and more intuitive, which reduces user confusion and the number of support requests you’ll receive.
Store and Manage Keys Securely
One of the biggest security advantages of passkeys is how they handle credentials. Your server only ever stores a user’s public key. The corresponding private key, which is required to sign in, never leaves the user’s device. This is a game-changer for security. If your database is ever compromised, attackers only get the public keys, which are useless without the private ones. This model protects your users’ credentials even in a worst-case scenario, as their private passkey remains safe on their phone or computer. Understanding these core principles of passkey security is essential for building trust.
Choose Your User Verification Methods
Passkeys confirm a user’s identity by asking for something they are (a fingerprint or face scan) or something they know (a device PIN). This step is called user verification, and it acts as a built-in second factor of authentication. You can offer users different options based on what their device supports. While biometrics are incredibly convenient, also supporting a device PIN or password ensures that everyone can use passkeys, even if they aren’t comfortable with biometrics or if a scan fails. This flexibility makes your login process more resilient and accessible while maintaining a high level of security for every account.
What Challenges Will You Face When Adopting Passkeys?
Switching to any new technology can feel like a huge undertaking, and passkeys are no exception. While the benefits are clear, it’s smart to anticipate the hurdles you might encounter along the way. Thinking through these challenges ahead of time will help you create a smoother, more successful rollout for your team and your users. From technical puzzles to user education, let’s walk through the most common obstacles and how you can plan for them.
Clearing Up Misconceptions About Cost and Complexity
One of the first questions that comes up is about the cost and effort involved. It’s true that implementing passkeys is more complex than a simple password field. As some experts note, developers often need more tools and resources to get started. However, it’s a mistake to think the switch is too costly for the value it delivers. The long-term savings from reduced fraud, fewer support tickets for password resets, and stronger customer trust often outweigh the initial investment. The key is to see it not as a cost, but as an upgrade to your entire security infrastructure.
Overcoming User Resistance with Education
Your users are accustomed to passwords, so you can expect some hesitation when introducing a new way to log in. The best way to handle this is with clear communication and a great user experience. You don’t have to flip a switch overnight. Instead, you can introduce passkeys as an option and make incremental changes to the login flow. When the process is intuitive, using things like in-flow prompts and native biometrics, user adoption tends to rise quickly. Explaining the security and convenience benefits helps people feel confident and in control, making them much more likely to embrace the change.
Solving Technical Integration Challenges
Getting into the technical weeds can be intimidating. Passkeys are built on the WebAuthn standard, which uses public key cryptography to create a secure connection between the user’s device and your service. While your development team doesn’t need to be cryptography experts, they will need to understand how to implement the WebAuthn API for registration and authentication. Luckily, you don’t have to start from scratch. There are many developer documents and libraries available to guide your team through the process and handle much of the heavy lifting.
Dealing with Legacy System Compatibility
What if your application relies on older systems that were built for passwords? This is a common scenario, but it doesn’t have to stop you from adopting passkeys. Passkeys can often be implemented as a parallel authentication system, allowing you to gradually phase out passwords without a massive, disruptive overhaul. Think of it as adding a new, more secure entry point to your existing house. Since passkeys and other forms of digital identity can operate on different layers, you can integrate this modern solution while still supporting your legacy infrastructure where needed.
How to Address User Concerns About Switching to Passkeys
Switching to a new authentication method can make users feel a little uneasy, and that’s completely normal. As a developer or product manager, your job is to anticipate their questions and build a transition plan that inspires confidence, not confusion. Most concerns boil down to a few key questions: What happens if I lose my phone? Is my biometric data being stored on a server somewhere? How can I log in on my other devices? Getting ahead of these worries with clear communication and thoughtful design is the key to a successful rollout.
A smooth transition from passwords to passkeys isn’t just about the technology; it’s about the user experience. You need to show your users that this change makes their lives easier and their accounts safer. By planning for common issues like device loss, being transparent about privacy, highlighting the convenience of cross-device syncing, and allowing people to adopt passkeys at their own pace, you can turn potential resistance into enthusiastic adoption. Let’s walk through how to handle each of these points so your users feel secure and supported every step of the way.
Plan for Lost Devices and Account Recovery
The first question most users ask is, “What happens if I lose my phone?” It’s a valid concern, and you need a solid answer. Reassure them that losing a device with a passkey doesn’t mean they’re locked out of their account forever. The best approach is to have a robust account recovery process in place. This means users should still be able to sign in with their old password as a fallback, at least during the transition period.
Encourage users to set up recovery options, like a verified email address and phone number, before they ever need them. This isn’t a new requirement for passkeys; it’s a fundamental security practice that gives them a safe way to regain access. Frame it as a safety net that keeps their account secure, no matter what happens to their hardware.
Address Privacy and Biometric Data Concerns
Privacy is a major concern for users, especially when biometrics are involved. Many people worry that their fingerprint or face scan is being uploaded to a server, but you can confidently tell them that’s not how passkeys work. According to security experts, biometric information never leaves the user’s device. It’s only used locally to verify the user’s identity and unlock the private key stored securely on their phone or computer.
Be transparent in your user-facing communication. Explain that no personal data is shared during the authentication process. The server only receives a cryptographic signature that proves the user has their device, not their actual biometric data. This design makes passkeys an incredibly private and secure way to log in.
Offer Cross-Device Sync and Backup
Users expect a seamless experience, and they won’t want to create a new passkey for every single device they own. Fortunately, they don’t have to. Modern passkey providers, like Google Password Manager and Apple’s iCloud Keychain, are designed to securely sync passkeys across a user’s devices. When someone creates a passkey on their iPhone, it automatically becomes available on their iPad and Mac, as long as they’re signed into the same account.
This feature is a huge selling point. It removes friction and makes logging in from any device incredibly simple. The FIDO Alliance highlights this cross-device capability as a core benefit of the technology. Make sure to explain this convenience to your users, as it turns a potential hassle into a powerful reason to make the switch.
Create a Gradual Migration Strategy
Forcing users to change their habits overnight is a recipe for frustration. Instead, implement a gradual migration strategy that lets people adopt passkeys at their own pace. A great way to do this is to prompt users to create a passkey after they’ve already signed in with their existing password. You can frame it as a simple, one-click “upgrade” to a more secure login method.
This approach feels like an invitation rather than a demand. By allowing users to keep their passwords as a fallback option for a while, you give them time to get comfortable with the new system. This user-centric method, recommended by developer resources like MDN Web Docs, respects their autonomy and makes them active participants in improving their own account security.
How Do Passkeys Compare to Other Authentication Methods?
Passkeys don’t exist in a vacuum. They represent a significant step forward in digital identity, but they also need to fit into the security frameworks your organization already uses. Understanding how passkeys interact with methods like multi-factor authentication (MFA) and single sign-on (SSO) is key to planning a smooth and effective implementation. Let’s look at how they stack up against these familiar technologies.
Integrating with Multi-Factor Authentication (MFA)
You can think of passkeys as a built-in, streamlined form of MFA. Traditional MFA requires users to provide multiple pieces of evidence to prove their identity, often in separate steps, like entering a password and then a one-time code from an app. Passkeys simplify this by combining two factors into a single, quick action.
Because they use “something you have” (your phone or computer) and “something you are” (your fingerprint or face) or “something you know” (your device PIN), passkeys are considered a strong form of multi-factor authentication. This approach satisfies robust security requirements without adding the friction that often comes with conventional MFA, making for a much smoother user experience.
How Passkeys Work with Single Sign-On (SSO)
Passkeys and single sign-on (SSO) are a powerful combination for enterprise security and convenience. SSO allows users to access multiple applications with a single set of credentials, and passkeys can make that initial login both easier and more secure. Instead of typing a password to access their SSO dashboard, a user can simply authenticate with a passkey.
This synergy is enhanced by the ability to sync passkeys across a user’s devices through a provider like Google or Apple. When a user logs into their SSO provider on a new device, their passkey is already there waiting for them. This eliminates the need for complex password resets or re-enrollment processes, creating a seamless and secure experience across the entire application ecosystem.
Passkeys as an Alternative to Hardware Tokens
Hardware security keys are a gold standard for authentication, but they can be inconvenient. Users can lose them, forget to bring them, or lack the right ports to use them. Passkeys offer the same phishing-resistant, cryptographic security as physical tokens but with far greater convenience because they live on the devices people use every day.
By storing cryptographic keys directly on a phone or laptop, passkeys provide the same robust protection as physical security keys without the extra hardware. Plus, since users don’t create or remember the passkeys themselves, they can’t be tricked into giving them away or choosing weak credentials. This design directly addresses the human element that so often undermines password-based security.
Developer Resources and Tools for Implementation
Getting started with passkeys doesn’t mean you have to build everything from the ground up. A strong community of developers has already created a wealth of tools, libraries, and documentation to make the implementation process much smoother. Knowing where to find these resources can save you time and help you avoid common pitfalls.
Find the Right Libraries and Frameworks
You can significantly speed up your development by using existing libraries and frameworks designed for WebAuthn and passkeys. Instead of writing complex cryptographic functions yourself, you can rely on these pre-built solutions. For a great collection of code samples and tools, check out the developer documents on Passkey Central. It’s an invaluable resource for streamlining your integration.
If you’re looking for something specific to your tech stack, a curated GitHub list of awesome WebAuthn resources is another fantastic place to start. It includes libraries for popular languages like .NET, Java, PHP, and Node.js, giving you a solid foundation for incorporating FIDO2 authentication into your application.
Tools for Debugging and Testing
Implementing a new authentication method can be tricky, and passkeys are no exception. Having the right debugging and testing tools is essential for a smooth rollout. As passkey adoption grows, so does the availability of developer tools designed to simplify the process. These tools can help you inspect authentication flows, troubleshoot errors, and ensure your implementation works correctly across different browsers and devices.
These resources are crucial for identifying issues that might not be obvious, like problems with user verification or credential storage. Keeping an eye on new developer tools can help you stay ahead of potential challenges and make the entire development cycle more efficient. They provide the insights you need to build a reliable and user-friendly passkey experience.
Where to Find Documentation and Learning Resources
Solid documentation is your best friend when implementing passkeys. The WebAuthn specification has many details, and clear guides can help you understand every step of the process. Passkey Central offers a great selection of guides that cover everything from the basics to platform-specific instructions for Chrome, Apple, and Android. This is a perfect starting point for getting your bearings.
For a more in-depth look at the “why” behind passkeys and how to configure them, Auth0 provides a detailed guide on authentication with passkeys. It explains the advantages over traditional passwords and walks you through the integration process. Using these resources will help you build a secure and robust implementation while understanding the core concepts that make passkeys so powerful.
Plan Your Passkey Deployment Strategy
Switching to passkeys is more than a technical update; it’s a strategic move that affects your users and your security. A solid deployment plan is your key to a smooth transition that encourages adoption and minimizes friction. By mapping out your technical migration, focusing on user experience, and setting up clear metrics for success, you can ensure your passkey implementation delivers on its promise of simpler, stronger security.
Plan Your Technical Migration
Your first step is to create a clear technical roadmap. The good news is you don’t have to build everything from scratch. Major platforms like Apple, Google, and Microsoft already support passkeys, and a growing ecosystem of developer services and toolkits can simplify implementation. Your team should lean on established standards to guide your work. For instance, the FIDO Alliance UX guidelines offer a fantastic resource for designing authentication flows that are both secure and intuitive. Using these frameworks helps you accelerate development and align with industry best practices from day one.
Optimize for Performance
A seamless user experience is the most important factor for driving passkey adoption. When the process is fast and intuitive, users are far more likely to make the switch. The data backs this up: companies have found that passkeys can lead to login success rates that are four times higher and twice as fast as passwords. To achieve these results, focus on designing a frictionless flow. Use in-flow prompts that appear at the right moment and integrate native biometric dialogs that feel familiar. When you build around intuitive UX, you’ll see adoption rates climb while support requests decline.
Set Up Monitoring and Analytics
Once passkeys are live, you need a system to monitor performance and track user behavior. Start by defining your key metrics. Are you aiming to reduce login-related support tickets? Or is your goal to get a certain percentage of users to adopt passkeys within six months? For example, the financial platform Branch saw a significant reduction in support tickets after its rollout, which proved the project’s value. By setting up analytics, you can measure adoption rates, identify friction points, and gather feedback to make continuous improvements. This data is essential for making secure, passwordless sign-ins the default experience for everyone.
Related Articles
- What Are Passkeys? A Simple Guide to Passwordless Logins
- Passwordless Authentication: The Ultimate 2026 Guide
Frequently Asked Questions
What happens if a user loses the device with their passkey? This is the most common question, and the answer is reassuring: losing a device doesn’t mean losing access to an account. The best practice is to allow users to register multiple passkeys across different devices, like their phone and laptop. That way, if one is lost, they can still log in with another. It’s also essential to have a reliable account recovery process in place, using a verified email or phone number, which gives users a secure way to regain access and set up a new passkey.
Are passkeys just another form of multi-factor authentication (MFA)? You can think of passkeys as a more advanced and user-friendly form of MFA. Traditional MFA often requires separate steps, like entering a password and then a code from an app. A passkey combines these factors into a single, seamless action. It uses something you have (your device) and something you are (your fingerprint or face) to verify your identity all at once, providing strong, multi-factor security without the extra steps or friction.
Is my biometric data, like my fingerprint, being stored on your servers? Absolutely not. This is a critical point about passkey privacy. Your biometric information never leaves your personal device. It is only used locally on your phone or computer to unlock the securely stored private key. The server never sees or stores your fingerprint or face scan; it only receives a cryptographic signature that proves you are the one who authorized the login.
Do we have to force all our users to switch to passkeys at once? A gradual rollout is almost always the best strategy. Instead of a hard cutover, you can introduce passkeys as an optional upgrade. A great way to do this is to prompt users to create a passkey right after they successfully log in with their password. This frames the change as a convenient security improvement rather than a requirement, allowing people to adopt the new method at their own pace while keeping their old password as a fallback.
How do passkeys work if a user wants to log in on a new or different device? This is where the convenience of passkeys really shines. Major providers like Apple and Google have built-in syncing capabilities. When a user creates a passkey on their iPhone, for example, it can be securely synced via their iCloud Keychain to their Mac and iPad. This means their passkey is automatically available on their other trusted devices, so they don’t have to create a new one for every login.