What Are Passkeys? Passwordless Login Made Simple
You’ve probably seen the word popping up. You go to sign in to your email or your bank, and instead of asking for your password, the screen offers to set up a passkey. It sounds technical, and it’s easy to tap “not now” and carry on. But a passkey is one of the simplest and safest changes you can make to the way you sign in, and it’s worth a few minutes to understand.
Here’s the short version. A passkey lets you sign in the same way you unlock your phone. With your face, your fingerprint, or the PIN you already use. No password to remember, and nothing for a scammer to trick out of you. In Australia, where people lost more than two billion dollars to scams last year, that second part matters a great deal.
Quick answer
A passkey replaces your password with your phone’s own lock. When a website asks who you are, your phone confirms it using your face, fingerprint or PIN, and lets you straight in. There’s no password to type, forget, or give away by mistake. Passkeys are free, they’re built into modern iPhones and Android phones, and big names like Google, Apple, Microsoft and the myGov service already use them. You can keep your old password as a backup while you get used to it.
What a passkey actually is
A password is a secret you make up and the website stores a copy of. That’s the weak point. If someone tricks you into typing it into a fake page, or the website’s records are stolen, your secret is out.
A passkey works differently. When you create one, your phone makes a pair of matching keys. One stays locked inside your phone and never leaves it. The other is a harmless partner that sits with the website. On its own, the website’s half is useless to anyone who steals it. To sign in, your phone quietly proves it holds the private half, and it will only do that after you unlock it with your face, fingerprint or PIN.
You don’t need to follow the cryptography. The part that matters is this. There’s no secret written down, no secret typed into a box, and no secret for anyone to steal or phish. You just unlock your phone, the same as you do fifty times a day already.
Why passkeys are safer than passwords
Most scams that reach Australians are after one thing: your password. The fake bank text, the email that says your account is locked, the copycat login page. They all want you to type your secret into the wrong place. Phishing is one of the most reported scams to Scamwatch, year after year, and it works because a password can be handed over by a person who’s been fooled.
A passkey closes that door. It’s tied to the exact website it was made for, so it simply won’t work on a fake copy, no matter how convincing the page looks. Even a perfect clone of your bank’s login screen can’t collect a passkey, because the web address won’t match and your phone won’t play along. And since you never type anything, there’s nothing to hand over in the first place. You can’t be tricked into giving away a secret you don’t have.
Passkeys don’t replace good habits or your other scam defences, and they’re not a reason to stop being careful. But they take away the single trick behind most of the phishing messages landing in Australian inboxes. If you’d like the wider picture on spotting those, our guide on how to spot text message scams pairs well with this one.
What using a passkey feels like
If you’ve unlocked your phone to get into your banking app lately without typing anything, you’ve likely already used one. That’s the whole experience. You go to sign in, your phone asks for your face or fingerprint, and you’re in. It takes a couple of seconds.
Compare that to the old routine. Hunt for the password, get it slightly wrong, ask for a reset email, wait for it to arrive, make up yet another password you’ll forget by next week. Passkeys skip all of that. For a lot of older Australians, the relief of never wrestling with a forgotten password again is reason enough on its own.
Where you can use passkeys in Australia
This isn’t a future idea. It’s already here and growing quickly. On World Passkey Day in May 2026, the FIDO Alliance, the industry group behind the standard, reported more than five billion passkeys in use around the world. Google alone has over 800 million accounts using them.
Closer to home, the Australian Government switched on passkeys for myGov, so you can now sign in to Centrelink, Medicare and the Australian Taxation Office by unlocking your phone instead of typing a password. Hundreds of thousands of Australians have already set one up, which puts Australia among the first countries to offer passkeys on its government services. Here are places you can turn a passkey on today:
- Your Google account, which covers Gmail, YouTube and Google Photos.
- Your Apple ID, used for iCloud, the App Store and FaceTime.
- Your Microsoft account, for Outlook email and Windows.
- myGov, for Centrelink, Medicare and the Australian Taxation Office.
Australian banks are moving this way too, and many already let you approve a sign-in by unlocking your phone, which works on the same idea. When a site offers you a passkey, that’s your cue that it’s ready.
How to set one up
You don’t create passkeys all at once. You add one to an account when that account offers it, and each takes under a minute. The steps look much the same wherever you are.
On an iPhone or iPad
Your iPhone stores passkeys in something called iCloud Keychain, which is usually already switched on. When a website or app offers to save a passkey, tap yes, then confirm with Face ID or Touch ID. That’s it. The passkey is saved, and because it lives in your iCloud, it also appears on your iPad and Mac if you use them. You’ll need iOS 16 or newer, which covers any iPhone from the last several years.
On an Android phone
Android phones save passkeys through Google Password Manager, which is built in. When a site offers a passkey, tap to create it and confirm with your fingerprint or screen lock. To set one up for your Google account directly, open your phone’s Settings, tap Google, then Manage your Google Account, and look under the security options for Passkeys. Make sure you have a screen lock turned on first, since the passkey relies on it.
Whichever phone you have, the golden rule is the same. Say yes when a trusted site you’re already signed in to offers a passkey. You can leave your password in place as a backup, so there’s no risk in trying it.
Before you finish
Download the free Family Tech Safety Checklist to help check phone safety, passwords, scam messages, emergency contacts and medical alarm details.
What if you lose your phone
This is the question everyone asks, and it’s a sensible one. Losing your phone doesn’t lock you out. Your passkeys are backed up to your iCloud or your Google account, so when you set up a new phone and sign in, they come back with everything else. You’re not carrying your only copy in your pocket.
It’s still wise to keep a backup way in, at least for now. Leave your existing password on the account, or set up a second passkey on a tablet you own. Account recovery is the one part of all this that’s still being smoothed out, so a reliable backup is worth keeping. If you’ve been meaning to sort your passwords out anyway, a good password manager works hand in hand with passkeys and keeps that backup tidy.
Do you have to switch?
No. Nobody’s forcing passwords out overnight, and you can ignore passkeys entirely if you’d rather. But there’s no downside to adding one to an account you use often, especially your email, since your email is the master key to everything else. Turn a passkey on there, keep your password as a backup, and see how it feels for a week. Most people who try it don’t go back to typing.
If you want to build a wider safety net around the accounts that matter, our overview of antivirus for seniors and our guide to online banking safety are both worth a read. You’ll find more like them in our scam safety guides.
FAQ: Passkeys
Is a passkey the same as my phone PIN?
Not quite. Your PIN unlocks your phone. A passkey uses that same unlock to prove who you are to a website, so it feels the same to you, but it’s doing a separate job behind the scenes.
Are passkeys free?
Yes. They’re built into modern iPhones and Android phones at no cost, and websites don’t charge to use them. There’s nothing to buy.
Can a scammer steal my passkey?
It’s very hard. The private half never leaves your phone and can only be used after you unlock it with your face, fingerprint or PIN. There’s no password to type into a fake page, so the usual phishing trick doesn’t work.
What happens if I get a new phone?
Your passkeys are backed up to your iCloud or Google account, so they move across when you sign in to the new phone. It’s a good idea to keep your password as a backup too, just in case.
Do I need a new phone to use passkeys?
Almost certainly not. Any iPhone running iOS 16 or newer, or an Android phone from the last few years, already supports them. If your phone can use Face ID or a fingerprint, it can use passkeys.
Researched and checked against Australian sources, including the FIDO Alliance and myGov, in July 2026. Details change, so confirm the latest on each service before you rely on it.
