Passkeys and password managers: A practical guide to logging in safely in 2026
Why your passwords are failing you (and what to do about it)
Your passwords are under attack, and they are losing. Every day, criminals steal millions of credentials through data breaches, phishing emails, and brute-force attacks. Even strong passwords can be compromised when a company's database is hacked or when you accidentally enter your credentials on a fake website. Two-factor authentication helps, but text messages can be intercepted and authentication codes can be phished.
The solution is not to create even more complex passwords. It is to move beyond passwords entirely, using passkeys where possible and password managers for everything else. This guide will show you how to set up a secure, practical system that protects you from the most common attacks whilst remaining usable in everyday life.
The recommended default approach for most people: Use a password manager (such as Bitwarden, 1Password, or your device's built-in option) to generate and store unique passwords for every account. Enable passkeys on any service that offers them (Google, Microsoft, PayPal, and many others now support passkeys). Keep your password manager's master password written down in a secure physical location, and ensure you have a recovery method configured.
This combination gives you strong protection against phishing, eliminates password reuse, and provides a practical path forward as more services adopt passkey technology.
Do This First: Your Security Setup Checklist
Before diving into the details, complete these essential steps. They take approximately one hour and will immediately improve your security.
Step 1: Choose and install a password manager (15 minutes)
Select a reputable password manager. Good options include:
• Bitwarden (open source, free tier available)
• 1Password (paid, excellent family sharing)
• Apple Passwords (built into Apple devices, free)
• Google Password Manager (built into Chrome and Android, free)
• Microsoft Authenticator (integrates with Microsoft accounts, free)
Download the application to your phone and computer. Install the browser extension if using a third-party manager.
Warning: Avoid lesser-known password managers or those with poor security track records. Research any option before trusting it with your credentials.
Step 2: Create a strong master password (5 minutes)
Your master password is the single password that unlocks your password manager. It must be both strong and memorable.
Use a passphrase: four or more random words strung together, such as 'correct horse battery staple' or 'purple elephant dancing moonlight'. Avoid common phrases, song lyrics, or anything easily guessable.
Critical warning: If you forget your master password and have not set up recovery options, you will lose access to all your stored passwords permanently. Most password managers cannot recover your master password due to their encryption design.
Step 3: Write down your master password (5 minutes)
Yes, write it down physically. Store it in a secure location: a locked drawer, a home safe, or with important documents. This is your backup if you forget it.
For families, ensure a trusted family member knows where this is stored in case of emergency.
Warning: Do not store your master password in an unencrypted digital file, email it to yourself, or leave it on a sticky note on your monitor.
Step 4: Configure recovery options (10 minutes)
Most password managers offer recovery mechanisms. Set these up immediately:
• Recovery codes: Download and print these, store them with your written master password
• Account recovery contacts: Designate a trusted person who can help you regain access
• Biometric unlock: Enable fingerprint or face recognition on your devices (this does not replace your master password but makes daily use easier)
Warning: Recovery options can be a security risk if not properly secured. Anyone with access to your recovery codes can access your password manager. Treat them like you would treat cash or important legal documents.
Step 5: Start adding passwords (20 minutes)
Begin with your most important accounts:
- Email accounts (these are often used for password resets, making them high-value targets)
- Banking and financial services
- Work accounts
- Social media accounts
For each account, let your password manager generate a new, unique, strong password. Update the account with this new password, and save it in your password manager.
Warning: Do not change all your passwords at once if you are new to password managers. Start with a few critical accounts, ensure the system is working properly, and gradually migrate others. Changing everything immediately increases the risk of a lockout if something goes wrong.
Step 6: Enable two-factor authentication (10 minutes)
For critical accounts (email, banking, work), enable two-factor authentication (2FA). Prefer these methods in order of security:
- Passkeys (if available)
- Hardware security keys (such as YubiKey)
- Authenticator apps (such as Microsoft Authenticator, Google Authenticator, or Authy)
- SMS codes (better than nothing, but vulnerable to interception)
Many password managers can store 2FA codes, which is convenient but slightly reduces security (if someone accesses your password manager, they get both factors). For your most sensitive accounts, consider keeping 2FA separate.
Warning: When enabling 2FA, always save the backup codes provided. If you lose your 2FA device without backup codes, you may be permanently locked out of your account.
What Are Passkeys and Why Do They Matter?
Passkeys are a new way to log into websites and apps without passwords. Instead of typing a password that can be stolen, phished, or guessed, you prove your identity using cryptographic keys stored securely on your device.
Here is how they work in practice: When you create a passkey for a website, your device generates two linked keys (a private key and a public key). The private key stays on your device and never leaves it. The public key is sent to the website. When you log in, the website challenges your device to prove it has the private key. Your device responds (after you verify with a fingerprint, face scan, or PIN), and you are logged in.
This system is called public key cryptography, and it has several crucial advantages over passwords:
Phishing resistance: Because the private key never leaves your device and the authentication is tied to the specific website, passkeys cannot be phished. Even if you are tricked into visiting a fake website that looks identical to your bank, the passkey will not work there. The cryptography ensures you are communicating with the legitimate site.
No shared secrets: With passwords, both you and the website know the password. If the website's database is breached, your password can be stolen. With passkeys, the website only has your public key, which is useless without the corresponding private key on your device. Breaching the website's database does not compromise your ability to log in securely.
Simpler for users: No need to remember complex passwords or type them on awkward mobile keyboards. You simply verify with your fingerprint or face, and you are in.
How Passkeys Differ from Passwords
| Aspect | Passwords | Passkeys |
|---|---|---|
| What you need to remember | The password itself | Nothing (device verifies you) |
| Can be phished | Yes | No |
| Can be stolen in data breach | Yes | No (only public key is stored) |
| Reuse across sites | Common (but dangerous) | Impossible (each site gets unique keys) |
| Vulnerable to keyloggers | Yes | No |
| Works offline | Yes | Verification works offline, but initial setup requires connection |
| Recovery if lost | Password reset via email | Depends on sync method (see below) |
Device and Browser Support
As of 2026, passkey support is widespread but not universal. Here is what typically works:
Operating systems with passkey support:
• iOS 16 and later (iPhone 8 and newer)
• iPadOS 16 and later
• macOS Ventura (13) and later
• Android 9 and later
• Windows 10 and later (with Windows Hello)
• ChromeOS 109 and later
Browsers with passkey support:
• Safari 16 and later
• Chrome 108 and later
• Edge 108 and later
• Firefox 122 and later (full support)
Services offering passkey login (partial list):
• Google accounts
• Microsoft accounts
• Apple ID
• PayPal
• Amazon
• GitHub
• Shopify
• WordPress.com
• Many others (adoption is growing rapidly)
Warning: Not all devices and browsers support passkeys yet. Before relying entirely on passkeys for an important account, verify that all devices you use regularly support them. Otherwise, you may find yourself unable to log in from certain devices.
How Passkeys Are Stored and Synced
Passkeys must be stored somewhere secure. There are two main approaches:
Device-bound passkeys: The passkey is stored only on the specific device where you created it (for example, in a hardware security key like a YubiKey). This is the most secure option because the key never leaves the physical device. However, if you lose that device, you lose access unless you have created backup passkeys on other devices.
Synced passkeys: The passkey is stored in a cloud-synced system (such as iCloud Keychain, Google Password Manager, or a third-party password manager). This means the passkey is available on all your devices that use the same account. This is more convenient and provides automatic backup, but it means the passkey is encrypted and stored in the cloud.
Most consumer implementations use synced passkeys for convenience. Apple syncs via iCloud Keychain, Google syncs via Google Password Manager, and third-party password managers like 1Password and Bitwarden are adding passkey sync support.
Warning: If you use synced passkeys and lose access to your cloud account (for example, you forget your Apple ID password and cannot recover it), you will lose access to all synced passkeys. Ensure your cloud account has strong security and recovery options configured.
What Happens When Things Go Wrong: Recovery and Lockout Scenarios
The shift to password managers and passkeys introduces new risks, particularly around account recovery and device loss. Understanding these scenarios helps you prepare.
Scenario 1: You Forget Your Master Password
What happens: You cannot access your password manager. All passwords stored in it are encrypted and inaccessible.
Prevention:
• Write down your master password and store it securely
• Set up account recovery contacts if your password manager supports them
• Save recovery codes in a secure physical location
Recovery options:
• If you wrote down your master password, retrieve it from secure storage
• If you configured account recovery, use that process (varies by password manager)
• If you have no recovery option, you will need to reset your password manager, losing all stored passwords, and manually reset passwords for each account using email-based password reset
Warning: Some password managers (particularly those with zero-knowledge encryption like Bitwarden) cannot recover your master password. This is a security feature, not a flaw, but it means you must take recovery seriously.
Scenario 2: Your Phone Is Lost or Stolen
What happens: If your passkeys and password manager are on your phone, you have lost access to them.
Prevention:
• Use synced passkeys and password managers that work across multiple devices
• Keep a backup device (tablet, computer) logged into your password manager
• Have recovery codes stored separately from your phone
Recovery options:
• If using synced passkeys (iCloud, Google), log into your account on another device and your passkeys will sync
• If using a synced password manager, install it on another device and log in
• If using device-bound passkeys only, you will need to use account recovery options for each service (typically email-based password reset)
Immediate actions after phone loss:
• Remotely wipe your phone if possible (Find My iPhone, Google Find My Device)
• Change your password manager's master password from another device
• Review account activity for any services you access via that phone
Warning: If your phone is not protected by a strong PIN or biometric lock, someone who finds it may be able to access your accounts before you can remotely wipe it. Always use device lock screens.
Scenario 3: Your Password Manager Account Is Compromised
What happens: An attacker gains access to your password manager, potentially accessing all stored passwords.
Prevention:
• Use a very strong, unique master password
• Enable two-factor authentication on your password manager account
• Use biometric unlock on devices to reduce how often you type your master password (reducing keylogger risk)
• Keep your devices free of malware
Recovery options:
• Immediately change your master password from a secure device
• Review password manager access logs for unauthorised activity
• Change passwords for sensitive accounts (banking, email, work)
• Consider whether you need to report the breach to affected services
Warning: If an attacker has accessed your password manager, assume they have accessed everything in it. Changing your master password locks them out going forward but does not undo any access they already had.
Scenario 4: A Service Does Not Support Passkeys and You Have Forgotten the Password
What happens: You need to log into a service that only supports passwords, but you have forgotten the password and it is not in your password manager.
Prevention:
• Ensure every account's password is saved in your password manager before you forget it
• When creating new accounts, immediately save the password in your password manager
Recovery options:
• Use the service's password reset function (typically email-based)
• Once reset, save the new password in your password manager immediately
Scenario 5: You Need to Log in from a Device You Do Not Control
What happens: You are at a friend's house, an internet café, or using a work computer where you cannot or should not install your password manager.
Prevention:
• Avoid logging into sensitive accounts from untrusted devices
• If necessary, use your phone to access the password manager and manually type the password (tedious but safer than saving it on the untrusted device)
Warning: Untrusted devices may have keyloggers or malware. If you must log in from such a device, change your password afterwards from a trusted device.
Migration Checklist: Moving to Passkeys and Password Managers
Whether you are an individual or a small business, migrating to a secure authentication system requires planning. Here is a structured approach.
For Individuals
Week 1: Setup and critical accounts
• Choose and install a password manager
• Create a strong master password and write it down securely
• Configure recovery options
• Migrate your five most critical accounts (email, banking, primary social media)
• Enable two-factor authentication on these accounts
Week 2: Everyday accounts
• Migrate frequently used accounts (shopping, streaming services, utilities)
• Enable passkeys on any services that support them
• Test logging in from different devices to ensure sync is working
Week 3: Remaining accounts
• Use a password audit feature (most password managers have this) to find reused or weak passwords
• Update these accounts with unique, strong passwords
• Consider closing accounts you no longer use (reduces attack surface)
Week 4: Review and backup
• Verify all important accounts are in your password manager
• Ensure recovery codes and backup methods are documented and stored securely
• Test your recovery process (for example, try logging into your password manager from a new device)
For Small Businesses
Planning phase (before implementation):
• Choose a business password manager with team features (1Password Teams, Bitwarden Business, Keeper Business)
• Decide on policies: Will employees use the company password manager for personal accounts? How will departing employees be handled?
• Identify critical shared accounts (social media, domain registrar, hosting, banking)
• Plan for recovery: Who are the recovery administrators? Where are recovery codes stored?
Week 1: Administrator setup
• Business owner or IT lead sets up the business password manager account
• Configure team structure and access policies
• Set up recovery administrators (at least two people)
• Document the master password and recovery process in a secure location (physical safe, solicitor's office)
Week 2: Shared account migration
• Migrate critical shared accounts to the business password manager
• Ensure appropriate team members have access to relevant vaults
• Change passwords for these accounts to unique, strong passwords
• Enable two-factor authentication where possible
Week 3: Employee onboarding
• Provide training on using the password manager
• Have each employee set up their individual vault
• Migrate employee work accounts to the password manager
• Ensure employees understand recovery procedures
Week 4: Ongoing accounts and review
• Migrate remaining accounts
• Enable passkeys for business accounts where supported
• Conduct a security review: Are any accounts still using weak or shared passwords?
• Schedule regular reviews (quarterly) to audit access and update passwords
Offboarding process (critical for businesses):
When an employee leaves:
• Immediately revoke their access to the business password manager
• Change passwords for any shared accounts they had access to
• Review access logs for any suspicious activity before departure
• Update recovery contacts if the departing employee was a recovery administrator
Warning: Failing to revoke access and change shared passwords when employees leave is a major security risk. Disgruntled or careless former employees can cause significant damage.
Troubleshooting Common Problems
Problem: Password manager will not unlock with master password
Possible causes:
• Typing error (check caps lock, keyboard layout)
• Biometric unlock is enabled but not working
• Account has been locked due to too many failed attempts
Solutions:
• Carefully retype your master password, checking each character
• Try typing it in a text editor first (where you can see it) then copy-paste (but delete it from the text editor immediately after)
• Wait if account is temporarily locked (usually 15-30 minutes)
• Use recovery options if you genuinely cannot remember the password
Problem: Passkey does not work on a particular website
Possible causes:
• Browser or device does not support passkeys
• Website's passkey implementation has a bug
• You are on a phishing site (passkeys will not work on fake sites)
Solutions:
• Verify you are on the legitimate website (check the URL carefully)
• Try a different browser or device
• Use password login as fallback if available
• Contact the website's support if the problem persists
Problem: Cannot log in after getting a new phone
Possible causes:
• Passkeys or password manager have not synced to new device
• Two-factor authentication is still tied to old phone
Solutions:
• Log into your cloud account (iCloud, Google) on the new phone to trigger sync
• Install your password manager app and log in to sync passwords
• Use backup 2FA codes if you cannot receive codes on your old phone
• Contact service support for account recovery if necessary
Prevention: Before wiping or disposing of an old phone, ensure your new phone is set up and you can access critical accounts from it.
Problem: Password manager sync is not working
Possible causes:
• Not connected to internet
• Cloud account is not logged in
• Sync is disabled in settings
• Service outage
Solutions:
• Check internet connection
• Verify you are logged into your cloud account on all devices
• Check password manager settings to ensure sync is enabled
• Check the password manager's status page for outages
• Force a manual sync if the option is available
Problem: Locked out of email account (cannot receive password reset emails)
Possible causes:
• Email password is forgotten and not in password manager
• Email account has been compromised and password changed
• Two-factor authentication is preventing access
Solutions:
• Use email provider's account recovery process (usually involves answering security questions or verifying identity)
• Check if you have access to a recovery email or phone number on file
• Contact email provider's support (be prepared to verify your identity)
Prevention: Your email account is critical for password resets. Ensure its password is securely stored, 2FA is enabled with backup codes saved, and recovery options are configured.
Scams and Threats: What to Watch For
Even with passkeys and password managers, you remain a target for scams. Here are the most common threats and how to recognise them.
Fake Technical Support
The scam: You receive a phone call, email, or pop-up message claiming to be from Microsoft, Apple, Google, your bank, or your password manager company. They claim there is a security problem and they need your password, master password, or remote access to your computer to fix it.
The reality: Legitimate companies never call you unsolicited to ask for passwords or remote access. This is always a scam.
What to do:
• Hang up immediately if it is a phone call
• Do not click links in unsolicited emails
• Do not call phone numbers displayed in pop-up messages
• If concerned, contact the company directly using a phone number or website you find independently (not from the suspicious message)
Warning: Scammers are convincing. They may have some of your personal information (from previous breaches) to make the call seem legitimate. Never give your master password to anyone, ever, for any reason.
Credential Harvesting (Phishing)
The scam: You receive an email or text message that appears to be from a legitimate service (bank, email provider, shopping site) with a link to log in. The link goes to a fake website designed to look identical to the real one. When you enter your password, the criminals capture it.
The reality: These fake sites can be extremely convincing, with correct logos, layouts, and even security indicators.
Protection:
• Passkeys are immune to this attack (they will not work on fake sites)
• Password managers often will not autofill on fake sites (because the URL does not match)
• Always check the URL carefully before entering credentials
• Be suspicious of urgent messages demanding immediate action
• When in doubt, go to the website directly (type the URL yourself) rather than clicking email links
Warning signs:
• Urgent language ("Your account will be closed unless you act now")
• Spelling or grammar errors
• Sender email address does not match the company (for example, from gmail.com instead of company domain)
• URL is slightly wrong (for example, paypa1.com instead of paypal.com, using number 1 instead of letter l)
Password Manager Phishing
The scam: A fake website or app pretends to be your password manager, asking you to enter your master password. Once entered, the criminals have access to your entire password vault.
Protection:
• Only access your password manager through the official app or browser extension you installed
• Never enter your master password on a website (legitimate password managers do not work this way)
• Verify you downloaded the password manager from the official source (App Store, Google Play, official website)
SIM Swapping
The scam: Criminals convince your mobile phone provider to transfer your phone number to a SIM card they control. They then receive your SMS-based two-factor authentication codes and password reset messages.
The reality: This attack has been used to compromise high-value accounts, including cryptocurrency wallets and business email.
Protection:
• Do not use SMS for two-factor authentication on critical accounts (use authenticator apps or passkeys instead)
• Contact your mobile provider to add extra security to your account (PIN required for changes)
• Monitor your phone service (if it suddenly stops working, contact your provider immediately)
Warning: If your phone suddenly has no service and you did not make changes, this could indicate a SIM swap attack. Contact your provider immediately and check your critical accounts for unauthorised access.
Malware and Keyloggers
The threat: Malicious software on your device records everything you type (including passwords and master passwords) or takes screenshots.
Protection:
• Keep your operating system and applications updated (security patches fix vulnerabilities)
• Use reputable antivirus software
• Do not download software from untrusted sources
• Be cautious with email attachments and links
• Use biometric unlock for your password manager when possible (reduces typing of master password)
Warning: If you suspect your device has malware, change your master password and critical account passwords from a clean device, then thoroughly clean or reinstall the operating system on the infected device.
Fake Password Manager Apps
The scam: Criminals create fake password manager apps with names similar to legitimate ones and publish them in app stores. Users download the fake app and enter their credentials, which are stolen.
Protection:
• Only download password managers from official sources
• Check the developer name carefully (not just the app name)
• Read reviews (fake apps often have few reviews or suspicious patterns)
• Verify the app is the official one by checking the password manager company's website for the correct app store link
Choosing the Right Password Manager: What to Consider
Not all password managers are equal. Here is what to evaluate:
Security model:
• Zero-knowledge encryption (the company cannot access your passwords) is preferable
• Open source code (can be audited by security researchers) adds trust
• Track record (has the company had security breaches? How did they respond?)
Features:
• Password generation and strength checking
• Secure password sharing (for families or teams)
• Two-factor authentication storage
• Passkey support (increasingly important)
• Security audit tools (identify weak or reused passwords)
• Breach monitoring (alerts if your credentials appear in known breaches)
Usability:
• Works on all your devices (phone, computer, tablet)
• Browser extensions for easy autofill
• Biometric unlock support
• User interface is clear and not confusing
Recovery options:
• What happens if you forget your master password?
• Can you designate recovery contacts?
• Are recovery codes provided?
Cost:
• Is the free tier sufficient for your needs, or is the paid version required?
• Are family or business plans available if you need them?
• Is the pricing sustainable? (Very cheap services may not be viable long-term.)
Reputable options to consider:
• Bitwarden: Open source, zero-knowledge, excellent free tier, paid plans for advanced features
• 1Password: Long-established, strong security, excellent family and business features, paid only
• Keeper: Strong security, good business features, paid
• Dashlane: User-friendly, includes VPN in paid plans, good breach monitoring
• Built-in options (Apple Passwords, Google Password Manager): Convenient if you are fully in one ecosystem, free, but less feature-rich than dedicated managers
Warning: Avoid password managers with poor security track records, those that are not transparent about their encryption, or those from unknown developers. Your password manager is a single point of failure; choose carefully.
The Future: What Comes Next
Passkeys represent a significant shift in authentication, but the transition will take years. Here is what to expect:
More services will adopt passkeys: As of 2026, adoption is growing rapidly. Expect most major services to support passkeys within the next few years, with passwords becoming a legacy fallback option.
Improved recovery mechanisms: Current passkey recovery relies heavily on cloud sync, which introduces its own risks. Expect better recovery options, possibly including social recovery (trusted contacts can help you regain access) and more sophisticated backup systems.
Hardware security keys will become more common: For high-security applications, hardware keys (such as YubiKey) that store passkeys in tamper-resistant hardware will become more prevalent, particularly in business environments.
Regulatory pressure: Governments and regulators are increasingly concerned about data breaches and credential theft. Expect regulations that encourage or mandate stronger authentication methods for certain industries.
Continued threats: As passkeys become common, criminals will adapt. Expect attacks to focus on device compromise, social engineering to gain access to recovery mechanisms, and exploitation of implementation flaws in passkey systems.
Summary: Your Action Plan
Authentication security is not optional in 2026. The threats are real, widespread, and constantly evolving. Here is what you need to do:
Immediate actions (today):
- Install a reputable password manager
- Create a strong master password and write it down securely
- Set up recovery options
- Migrate your email and banking passwords to the password manager
This week:
- Enable two-factor authentication on critical accounts
- Enable passkeys on services that support them
- Begin migrating other accounts to unique, strong passwords
This month:
- Complete migration of all accounts to your password manager
- Audit for weak or reused passwords and update them
- Ensure family members or business colleagues have appropriate access and training
Ongoing:
- Use passkeys wherever available
- Never reuse passwords across services
- Be vigilant for phishing and scams
- Keep your devices and software updated
- Regularly review your security setup (quarterly)
The shift to passkeys and password managers requires some effort upfront, but the security benefits are substantial. You will be protected against the vast majority of credential theft, phishing, and account compromise attacks. More importantly, you will have a sustainable system that works as authentication technology continues to evolve.
Your accounts, your data, and your identity are worth protecting properly. Start today.