Experts tout passkeys but readers query smartphone PIN versus password safety

The fundamental weakness of passwords is that they rely on a “shared secret” – something the user knows and the website also stores – making them permanently vulnerable to cybercriminals who can steal that data from a hacked server. Passkeys, by contrast, are unphishable. The UK’s National Cyber Security Centre (NCSC) has formally recommended them as the default login method, advising consumers to choose passkeys wherever they are supported, and the UK government is rolling them out across services from VAT returns to NHS health records. But the shift has left many readers confused, especially about what happens if their phone is stolen or lost. Below, we explain the technology and the safeguards.
How passkeys work – and why they are safer
Passkeys are built on public-key cryptography, the same mathematical foundation that secures online banking and encrypted messaging. For every account, a unique pair of cryptographic keys is generated: a private key that stays permanently on the user’s device (phone, laptop, or password manager) and a public key that is handed to the website. When you log in, your device performs a mathematical calculation using the private key and sends only the result – never the key itself – to the site. The website then uses the public key to verify that the result came from the correct private key. Because the private key never leaves your device and is never stored on the company’s server, it cannot be stolen in a data breach. Even if a hacker compromises the entire database, they find only public keys, which are useless for logging in.
This architecture eliminates the “shared secret” weakness that has plagued passwords for decades. Every password must be shared with the website to be verified; if that server is hacked, your password can be lifted and reused anywhere. A passkey, by contrast, is cryptographically bound to the specific site or app it was created for – a passkey made for your bank simply will not work on a fake lookalike site, making it resistant to phishing attacks. The NCSC, the FIDO Alliance (which developed the underlying standards), and the US National Institute of Standards and Technology (NIST) all endorse passkeys as a form of phishing-resistant multi-factor authentication. NIST’s latest guidelines, finalised in July 2025, now prioritise passkey-based methods and have moved away from enforcing arbitrary password complexity rules, instead recommending longer passwords as a fallback.
Using a passkey is also far quicker. Because it is unlocked by a biometric scan (fingerprint or facial recognition) or a simple device PIN, a login can take less than a second – some data suggest passkey logins are up to eight times faster than typing a password plus a two-factor code. The private key is stored securely on the device’s dedicated security chip, out of reach of most malware. The NCSC has described passkeys as a “good step up” in security, and the UK now leads global adoption: more than 50% of active Google users in Britain have registered a passkey, according to Google’s own figures. Major platforms including Apple, Google, X, eBay, and PayPal already support them.
What happens when your phone is stolen or lost?
The most common reader concern is: if someone steals your phone and guesses your PIN, can they access all your accounts? The answer is no – but with important caveats. A passkey on your phone is locked behind the device’s biometric or PIN screen, and a determined thief would need to bypass that first. Even if they succeeded, the passkey itself is not a simple text string; it is a cryptographic key tied to that device and useless to anyone trying to use it from another one. Moreover, you are likely to notice a stolen phone quickly and can immediately revoke the passkey for each account – exactly as you would cancel a lost credit card. With a password, by contrast, a hacker can steal it from any server anywhere in the world, and you may not discover the breach for months. No security system is perfect, but passkeys dramatically shrink the attack surface to physical theft rather than global remote hacking.
For extra protection, both iPhone and Android offer specialised security modes. Apple’s “Stolen Device Protection” and “Lockdown Mode” can be enabled, and Android provides “Identity Check” and “Advanced Protection Mode”. These features require additional authentication before allowing changes to security settings, even if someone has your PIN.
But what if you lose access to all your devices – your phone, laptop, and tablet simultaneously? That is a legitimate worry, and the answer lies in account recovery options. Services that support passkeys typically provide backup methods, such as recovery codes that you can print out and keep in a safe place. Password managers like 1Password generate an “emergency kit” during initial setup – a PDF containing the long, random recovery codes needed to regain access to the password manager itself. You physically print this document and store it securely. An executor or family member can use that emergency kit to re-establish access after your death, solving the inheritance problem raised by several readers. The NCSC advises using a password manager as a “root of trust” when passkeys are not yet universally supported, and recommends continuing to use two-step verification (MFA) on any service that still relies on passwords.
Another widespread concern is the vulnerability of synced passkeys – the convenience option that copies keys across your devices via a cloud account. While synced passkeys are far more secure than passwords, researchers have shown that compromising the cloud account itself (for example, the Apple iCloud or Google account used for sync) could allow an attacker to steal the passkeys. This is why securing that central cloud account with a strong, phishing-resistant authentication method – ideally a device-bound passkey that does not sync – is critical. NIST’s updated guidance allows synced passkeys to meet Authenticator Assurance Level 2 (AAL2) requirements, provided the user protects the cloud account adequately.
For those who prefer not to rely on the cloud, passkeys can be stored locally on a single device, with cross-device authentication available via QR codes and proximity checks – so you can log into a public computer by scanning a code with your phone. The transition to a fully passwordless future will take years, and the NCSC acknowledges that a hybrid model (passkeys plus traditional passwords and MFA) will persist. But the direction is clear: passwords, with their inherent dependence on shared secrets, are the weakest link, and passkeys remove that link entirely.