As the year winds down, it’s worth taking a bit of time to modernize the way you sign in to the accounts that matter most. Passkeys have been rolling out quietly across banks, tech platforms and everyday apps, and they solve a basic security problem passwords have had for decades. They can’t be guessed, phished or leaked in a breach because they never leave your device in the first place.
Passkeys explained in human language
Passkeys sound like one more tech term you’re supposed to pretend to understand, but the idea is pretty plain once you strip out the jargon. Instead of typing in a password, you log in with a matched pair of digital keys: a public key that the service keeps and a secret (private) key that stays with you. Your device, like your phone or laptop, uses that built-in private key to vouch for you. You unlock it with your face, your fingerprint or a PIN. No more typing or guessing what your password is.
Your private key stays on your device and never gets sent anywhere. The service only stores the public key, which can’t be turned into a login. If a site is breached, attackers walk away with a pile of public keys that don’t open anything. The usual panic over stolen passwords just doesn’t apply here.
Passkeys already work on iOS, Android, Windows, macOS and every major browser. They can also sync through Apple’s Passwords app, Google Password Manager, Microsoft accounts and third-party password managers like 1Password, so you can use them across your devices without any extra setup.
They also stop phishing attempts by design. A passkey only works on the legitimate website or app it was created for. If you land on a fake login page, the device won’t offer the passkey at all.
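For readers who want to see the mechanism, here is a simplified model of the sign-in described above, runnable in Node.js. It is an added example, not code from any vendor or from the WebAuthn standard; the class names, `bank.example`, `bank-login.example` and `alice` are constructed for illustration.

```javascript
// Simplified model of a passkey sign-in; NOT the real WebAuthn message format.
// bank.example, bank-login.example and "alice" are constructed sample values.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// The device side: private keys are filed under the site they were created for.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(site) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(site, pair.privateKey); // stays on the device
    return pair.publicKey.export({ type: 'spki', format: 'pem' }); // sent to the service
  }
  // `site` is the address the browser is really on, not what the page claims.
  sign(site, challenge) {
    const key = this.keys.get(site);
    if (!key) return null; // no passkey for this site, so none is offered
    return nodeCrypto.sign('sha256', Buffer.concat([sha256(site), challenge]), key);
  }
}

// The service side: keeps public keys only and issues a fresh challenge per sign-in.
class Service {
  constructor(site) { this.site = site; this.publicKeys = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge() { return nodeCrypto.randomBytes(32); }
  verify(user, challenge, signature) {
    const pem = this.publicKeys.get(user);
    if (!pem || !signature) return false;
    const signed = Buffer.concat([sha256(this.site), challenge]);
    return nodeCrypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const bank = new Service('bank.example');
  bank.enroll('alice', phone.register('bank.example'));
  const c1 = bank.newChallenge();
  const c2 = bank.newChallenge();
  return {
    genuine: bank.verify('alice', c1, phone.sign('bank.example', c1)),
    offeredOnLookalike: phone.sign('bank-login.example', c2), // null
    oldSignatureReused: bank.verify('alice', c2, phone.sign('bank.example', c1)),
    storedByService: bank.publicKeys.get('alice').split('\n')[0],
  };
}

console.log(demo());
```

The genuine sign-in verifies, the look-alike site is offered nothing, a signature made for an earlier challenge is rejected, and the only thing the service holds is a public key.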
Start with the logins that guard your money first
Your financial accounts should be the first to get a passkey upgrade before the new year. These logins move money, approve transfers and open the door to accounts you really don’t want someone else to have access to. If you upgrade nothing else before the new year, upgrade these.
A lot of financial institutions are already shifting to passkeys or FIDO-style authentication, even if they don’t really advertise it. Mastercard and BankID-style systems have shown that financial services can shift to stronger, phishing-resistant authentication in the background without requiring users to learn anything new.
Banking and investing apps that support passkeys usually place the option in the security or sign-in settings. Look for items labeled passkey, device-based sign-in, FIDO security key and the like. When the app prompts you to create a passkey, follow the steps and approve it with Face ID, your fingerprint or PIN.
Again, not all provide this service yet. Just most. I use Navy Federal Credit Union, and it unfortunately doesn’t currently support passkeys, just local biometric sign-in. The main difference is that a passkey uses a cryptographic key pair, and biometric data is used for ID verification. You can unlock a passkey using biometric data, though.
Lock down your main identity, email and big platform logins
Your main email and your Apple, Google and Microsoft accounts also deserve attention as soon as possible. Whoever gets into these can reset half your digital life without breaking much of a sweat. If you’re building a first wave of accounts to protect after your financial accounts, these are the ones to start with.
Google already treats passkeys as the standard path for personal accounts. Open your Google Account settings, select Security & sign-in and then select Passkeys and security keys to get set up.
Microsoft is moving in the same direction. The company is phasing out password storage in Authenticator and pushing people toward stronger sign-ins. Go to your Microsoft Account security page, select Security and then select Manage how I sign in. From there, select Use a passkey to expand a list of options. You can get set up here.
For Apple, passkeys seem to be created automatically now. Also, when you go to a website that supports passkeys, you can enable passkeys when you sign in, or if you already have an account, you can change the settings through the account settings page. Passkeys will then be stored in the Passwords app.
Again, your priority should start with the email accounts tied to banking, tax filing and shopping. Once they’re locked down with passkeys, the rest of your accounts are a lot harder for anyone to hijack.
Protect your files, cloud storage, photos and backups
Cloud storage and photo libraries belong in the next round of upgrades. These accounts tend to hold sensitive information — scans of IDs, tax forms, contracts, personal photos — that can become a big problem if a breach happens. It’s all material that can be used for fraud or leverage if someone gets inside. Treat them like the sensitive stores they are.
Google Drive and OneDrive rely on your main Google or Microsoft account settings, so that fix is simple. Open the security section of your account page and enable passkeys if you haven’t already. Apple handles iCloud the same way.
Remember that passkeys are strongest when the device itself is secure. Turn on device encryption, set a screen lock and avoid leaving those devices unlocked.
Secure the vault that secures everything else
Password managers don’t just store the stash of 50 logins you have anymore. Most of them now double as passkey managers, and many password managers allow you to lock the vault itself down with a passkey. Locking the vault with a passkey is one of the smartest upgrades you can make. If someone can’t get into the password manager, they can’t get into any of the accounts that are stored in the password manager (not through the vault, at least).
Password managers like 1Password and Bitwarden are already storing FIDO-based passkeys and taking part in the newer credential exchange work that lets people move passkeys between services without starting from scratch. The industry is slowly giving people more control instead of trapping everything inside one ecosystem. Finally.
Wherever your security apps offer a passkey or hardware-backed sign-in, turn it on. That applies to your password manager, your VPN, your antivirus app and the identity monitoring service you’re using. These accounts are the guardrails, and they shouldn’t depend on a guessable password.
While you’re in the vault, do a little year-end cleaning. Clear out the fossil layer of old entries you don’t use anymore, and think about closing accounts that still can’t handle modern authentication. Every dead account is another loose end waiting to be pulled, after all.
Bonus wins: Shopping, ride share and subscriptions
Passkeys are already being used at scale on services most people use every week. eBay reports higher login success rates and lower phishing risk after expanding passkey support. Uber has been steering people toward passkeys for the same reason. When companies with millions of sign-ins a day say it works, it’s worth paying attention.
This is the point where you start securing the accounts that handle your money and your habits. Shopping accounts such as Amazon, eBay and the big retail apps store card numbers, saved addresses and order history. Payment apps hold even more. These shouldn’t be left with weak authentication when a stronger option is sitting in the settings menu.
Ride share and food delivery apps have their own risks. They keep location history, pickup locations, home and work addresses and payment data. Many of these services are rolling out passkey-based logins, so check their security or account pages and turn it on if it’s there.
A simple way to stay organized in the beginning is to look at the five apps you use the most on your phone. Open each one, check the security settings and enable passkeys if they have the option. It’s a quick pass through the accounts you depend on daily, and it closes off a lot of easy entry points.
Myths and worries you can safely ignore
A lot of the anxiety around passkeys comes from ideas that don’t match how the system actually works. One is the claim that passkeys live in the cloud in plain text. They don’t. Syncing uses end-to-end encryption, meaning the private key never leaves your device in a readable form. Apple, Google, Microsoft and everyone else are unable to see it. What gets stored on their servers can’t be used to sign in to anything.
Another worry is being trapped in one ecosystem, but the industry is moving the other way. FIDO is building credential exchange standards to let people move passkeys between providers, and third-party managers like 1Password and Bitwarden already support cross-platform passkey storage. So the walls are coming down, not going up.
There’s also the idea that passkeys only make sense for pure cloud setups or single vendors. In reality, they’re running in mixed environments across cloud and on-premises systems and are treated as phishing-resistant by Microsoft and national security agencies. This is production-level tech, not a pilot program.
Finally, the big one people seem to be worried about: losing a phone. It doesn’t mean losing control of your accounts. Passkeys on the device require your biometric data or your device PIN to work, so they’re useless to anyone who picks up the device. Recovery falls back to the same methods you should already be using for Apple, Google or Microsoft accounts. Recovery codes, a second device or a trusted contact get you back in without starting over.
How to switch in one weekend
No, you don’t need a tech overhaul or a week off work to move into a passkey setup. You should be able to lock down the accounts that actually matter in a single weekend. The trick is to follow a clear order and build enough backup paths so you never lock yourself out.
This checklist keeps the whole thing grounded and manageable without turning it into a project you abandon halfway through. Let’s get started!
Step 1: List your priority accounts
- Bank and investing accounts
- Primary email
- Apple, Google and Microsoft accounts
- Cloud storage and photo services
- Password manager
- Shopping, subscription, ride share and delivery apps
Step 2: Gather your accounts
- Set aside one focused hour.
- Make a list of the accounts you actually use.
- Open each service and go straight to the security or sign-in settings page. You can check the official documentation for each service to see if passkeys are supported.
Step 3: Turn on passkeys wherever they live
- Look for passkey, security key or device-based sign-in.
- Register your phone or computer when you’re prompted.
- Add a second device if the service allows it — phone and laptop or phone and hardware key.
Step 4: Keep a backup path
- Leave one non-passkey recovery method active while you settle in.
- Use recovery codes, a second email or a trusted device.
- Check that you can still get into the account if one device disappears.
Step 5: Clean up old methods and accounts
- Remove SMS-based two-factor authentication only when the provider confirms your account is fully covered.
- Delete any leftover sign-in methods and accounts you no longer need.
Run through this list once, and you’ll have most of your high-risk accounts sitting behind stronger authentication and set a stable foundation for the rest.
