Passkeys are a faster and more secure way to log in to your online accounts than using passwords.
A passkey lets you log in to your online account without having to enter a password for that account. A passkey is like needing a set of two different keys to unlock a door. One key is stored by the provider of your account, while the other is stored either on:
- your device (such as a smartphone, tablet or laptop)
- a physical FIDO2 security key that you buy and connect to your device.
Benefits of passkeys
Passkeys provide multi-factor authentication. This can keep your accounts better protected from cybercriminals.
Using a passkey helps to:
- reduce the time it takes to log in to your account
- avoid the need to type in usernames, or one-time codes provided via SMS, email or authenticator app
- prevent cybercriminals from gaining access to your account by guessing your password
- stop cybercriminals from stealing your account password using scams or tricking you into logging in to a fake website.
In most cases, you can use the same passkey to log in to your account from any of your devices.
Setting up passkeys
Firstly, check if the provider of your account supports passkeys as a method to log in.
If you can’t use passkeys, use a different type of phishing-resistant multi-factor authentication. If that involves using a password or passphrase, choose one that is long, complex, and unique for each of your accounts.
Secondly, decide if you want to create and store a passkey on your device or on a FIDO2 security key.
You can create and store passkeys on modern Apple and Android smartphones and tablets. You can also create and store passkeys on devices that run modern versions of Apple macOS, Google ChromeOS, or Microsoft Windows. Also, applications on devices running Linux support the use of passkeys to various degrees. When choosing and configuring a device:
- use a device that you trust to not have viruses and other malicious software, such as your smartphone
- use a reputable and trusted password manager to store your passkey – either your device’s inbuilt password manager or a third-party password manager
- avoid using a device that you share with anyone else
- avoid using an employer-owned device to store passkeys for your personal online accounts.
You can buy a FIDO2 security key from a reputable store to provide increased protection of your passkeys. This is useful for your most important online accounts. It is recommended to create and store a backup passkey on a second FIDO2 security key. This is in case the first FIDO2 security key becomes lost, stolen or damaged.
To set up your passkey, follow the instructions supplied by the provider of your account. The steps may be different for each of your accounts.
Once your passkey is created, ensure that the ability to log in to your account using a password is disabled. This will prevent a cybercriminal from using a password to access your account.
Using passkeys
To use your passkey to log in to your account, select the passkey option and follow the prompts. The following guidance provides general instructions.
If your passkey is stored on your FIDO2 security key, connect it to your device, typically using USB, near-field communication (NFC) or Bluetooth, and then unlock your passkey.
If your passkey is stored on the device that you use to log in to your account, you typically just need to unlock your passkey.
Methods to unlock your passkey include facial recognition, fingerprint, password, passphrase, passcode, PIN, or swipe pattern.
If your passkey is stored on a different device to the device that you use to log in to your account, you have several options.
One option is to use a passkey stored on your iPhone, iPad or Android device. Choosing this option when you log in to your account will display a QR code for you to scan using the camera on your phone or tablet. This will use Bluetooth to connect your devices, prompting you to unlock your passkey and approve the request to log in to your account.
Another option is to sync your passkey to the device that you use to log in. The sync process copies all of your passkeys to that device, typically over the Internet, and keeps that copy updated. Avoid syncing your passkey to untrusted or shared devices. Every device that you sync your passkey to provides an opportunity for cybercriminals to steal your passkey from that device.
More information
Passphrases
Protect your accounts from cybercriminals with a secure password or passphrase.
Multi-factor authentication
Multi-factor authentication (MFA) is one of the most effective ways to protect your valuable information and accounts against unauthorised access.