Mobile Commerce Review
US Mobile Shopping & Payments · Reviews & Guides
Guide

Passkeys and Shopping: A New Era of Sign-In

By the Editors · Mobile Commerce Review

The password is one of the internet's least beloved inventions. It is easily forgotten, frequently reused, routinely stolen in data breaches, and almost never as strong as security guidance recommends. The shopping account problem is particularly acute: the average American has accounts at dozens of retailers, each theoretically requiring a unique strong password that in practice becomes a variation on three or four themes. Passkeys — a credential standard developed by the FIDO Alliance and now supported by Apple, Google, Microsoft, and most major browsers — are designed to make this entire situation obsolete, and they are arriving on shopping sites faster than most shoppers have noticed.

The security case for passkeys is straightforward. In 2024, compromised credentials remained the leading cause of data breaches, according to Verizon's annual Data Breach Investigations Report. Passwords can be phished — a user can be tricked into typing them into a fake site. They can be guessed through credential stuffing — reusing a username-password pair exposed in one breach to try other sites. They can be stolen from a password manager if that manager's master password is weak or reused. Passkeys eliminate all three attack vectors simultaneously. There is no password to phish, to stuff, or to steal from a manager. The credential is cryptographic, device-bound, and never transmitted over the internet in a usable form.

What it is / How it works

A passkey is a cryptographic credential pair — a public key stored by the website and a private key stored in your device's secure enclave — that together replace a password for signing into an account. There is nothing to memorize, nothing to type, and nothing that can be phished. Signing in requires proving possession of the private key, which the device does automatically after you confirm with a biometric (Face ID or fingerprint) or your device PIN.

The standard behind passkeys is called FIDO2 / WebAuthn, a set of specifications developed by the FIDO (Fast IDentity Online) Alliance — a consortium whose members include Apple, Google, Microsoft, Amazon, PayPal, Visa, and Mastercard. Apple integrated passkey support into iOS 16 and macOS Ventura in September 2022. Google followed on Android 9 and Chrome 108 in late 2022. Microsoft supports passkeys in Windows 11 and Edge. The standard is now supported across all major platforms and is gaining rapid adoption among major retailers, financial institutions, and payment services.

The mechanics

Public-private key cryptography

When you create a passkey for a shopping site, your device's operating system (or browser, which calls the OS) generates a mathematically linked key pair: a public key, which is shared with and stored by the website, and a private key, which is stored in your device's secure enclave and never leaves it. The private key is protected by the same hardware isolation that protects biometric templates and payment tokens — it cannot be extracted by the operating system, by applications, or by physical memory inspection.

To sign in, the website sends a cryptographic challenge — a random string of data — to your device. The device signs the challenge with the private key (after biometric confirmation from you) and sends the signature back. The website verifies the signature using the stored public key. If the signature is valid, authentication is confirmed. The private key performed a mathematical operation and the result was verified, but the private key itself was never transmitted. There is nothing for an attacker to intercept, replay, or steal from the server side.

Synchronization across devices

A passkey stored on a single device creates a dependency: lose the device, lose access. The major platform vendors address this through secure cloud synchronization. Apple syncs passkeys across all devices signed into the same Apple ID via iCloud Keychain, encrypted end-to-end so that Apple's servers hold only encrypted data they cannot read. Google Password Manager synchronizes passkeys across Android devices and Chrome instances signed into the same Google account. Microsoft's Windows Hello credential manager handles synchronization for Windows devices.

This synchronization is the feature that makes passkeys practical for everyday shoppers rather than just security researchers. A passkey created on an iPhone is available on a Mac, iPad, and new iPhone immediately — without the user taking any explicit migration step. When you upgrade to a new phone and sign into your Apple ID, your passkeys arrive with your other data. The credential infrastructure is as durable as your platform account.

Cross-device authentication

Passkeys also support a cross-device authentication flow: using a passkey on your phone to sign into a website on a different computer. This is useful when signing into a shopping account on a shared or work computer where you do not want to install or use a password manager. The website displays a QR code, the phone scans it to initiate the authentication, and a Bluetooth proximity check confirms that the phone is physically near the computer (it must be within Bluetooth range). The biometric confirmation happens on the phone; only the authentication result is delivered to the browser. This defeats remote attacks: a fraudster working from elsewhere cannot complete this flow without your physical phone present nearby, whatever account details they may hold.

Passkeys in the context of shopping and checkout

For shopping specifically, passkeys address the account sign-in step — not the payment step, which is handled separately by mobile wallets and tokenization. However, faster and frictionless account sign-in has a meaningful effect on checkout. One of the most common reasons shoppers skip signing into an existing account and complete a purchase as a guest — giving up the saved addresses and payment methods on that account — is that they have forgotten their password and do not want to interrupt the flow for a reset email. A passkey eliminates this friction: sign-in is a Face ID scan, and the full account with saved addresses and payment methods is immediately available.

Shop Pay's phone-number-verified credential system for accelerated checkout represents an early version of this principle in action — reducing sign-in friction to the point where the authentication step is nearly invisible. Shop Pay stores up to 10 payment methods and 20 shipping addresses per account, and its checkout flow is designed so that returning customers complete purchases in seconds without re-entering any information. As passkeys spread, a similar experience — biometric sign-in directly into a full account, with no password step — will become the norm across more retailers. Our Shop App review covers the Shop Pay checkout experience in detail.

Real-world examples

A shopper visits a major retailer's website on their iPhone for the first time. They create an account and, when prompted, the browser offers to "Save a passkey." They tap Save, authenticate with Face ID, and the passkey is created and synchronized to iCloud Keychain in about five seconds. The next time they visit the site — on their iPhone, their Mac, or their iPad — a Face ID prompt appears instead of a login form. There is no username to type, no password to remember, and no password reset to initiate if they have not visited in six months. The account is as accessible on day 180 as it was on day one.

A second scenario: the same shopper wants to sign into their retail account on a friend's laptop to make a purchase as a gift. They tap "Sign in with a passkey from another device," a QR code appears on the laptop's screen, and they scan it with their iPhone. Face ID confirms identity on the phone. The laptop's browser receives the authentication result and signs into the account. The friend's laptop has no access to the passkey; it was used transiently, confirmed by physical proximity, and the session ends when the browser tab is closed. No password was entered, no credential was left behind on the friend's computer.

What to watch out for

Passkeys are not yet universal. Many shopping sites still rely primarily on passwords during this transition period, often offering a passkey option as an alternative rather than a replacement. A mixed environment — some sites with passkeys, most without — can create confusion about which authentication method applies where. Password managers like 1Password and Bitwarden can store passkeys alongside traditional passwords, providing a unified interface. But on devices without passkey-capable password manager integration, falling back to passwords for non-passkey sites remains necessary.

Device dependency is a real consideration. If your phone is lost or stolen, recovery depends on your iCloud or Google account — which itself needs to be secured with a strong, unique password and two-factor authentication. The chain of trust shifts from "remember your shopping passwords" to "maintain secure access to your Apple ID or Google account." This is generally a better position — the platform account has stronger recovery infrastructure than most retailers' password reset flows — but it concentrates risk in a single critical account that deserves proportionately serious protection.

Privacy implications also exist for the cross-device authentication flow: it uses Bluetooth, which means Bluetooth must be enabled on both devices for the QR-code flow to work. Some shoppers who disable Bluetooth for privacy or battery reasons will need to enable it for this specific use case. For those who prefer to keep Bluetooth disabled, adding the passkey to a password manager that supports cross-platform passkey sync (1Password, for example) provides an alternative that does not require Bluetooth for cross-device use. Our biometric payments guide covers the authentication technology that passkeys build on, and our shopping app privacy guide addresses the broader data collection practices of shopping accounts that passkeys help protect.

Practical tips

Where to learn more

Our biometric payments guide explains the device-level authentication technology — Face ID, fingerprint, secure enclaves — that passkeys rely on for user verification. The mobile wallet security guide covers the payment tokenization layer that works alongside passkey-secured sign-in to protect the full transaction. For an example of a checkout service that has already dramatically reduced sign-in and checkout friction, our Shop App review describes how Shop Pay handles identity and payment together. The Shop Pay vs Apple Pay comparison explores how two different approaches to accelerated checkout handle identity verification and what the tradeoffs look like from a shopper's perspective.