
Passkeys Explained: What They Mean for Email Security

For decades, the security community has been trying to solve the password problem. Passwords are reused across services, stolen in breaches, guessed by brute force, and surrendered to phishing pages. Every year, the same statistics appear: “123456” is still one of the most common passwords, billions of credentials are exposed in data breaches, and phishing attacks continue to grow in volume and sophistication.

Passkeys are the first technology with a genuine chance of replacing passwords for mainstream users. Backed by Apple, Google, and Microsoft through the FIDO Alliance, passkeys are already available on billions of devices and supported by hundreds of major websites. But the transition raises an important question that most coverage overlooks: what happens to email security when passwords disappear?

What Passkeys Actually Are

A passkey is a cryptographic credential based on public-key cryptography, the same mathematical foundation that secures HTTPS connections and cryptocurrency wallets. When you create a passkey for a website, your device generates two keys: a private key that never leaves your device and a public key that is sent to the website.

When you sign in, the website sends a challenge—a random piece of data—to your device. Your device signs the challenge with your private key and sends the signature back. The website verifies the signature using the public key it stored during registration. If the signature is valid, you are authenticated.

The critical difference from passwords is that nothing secret is ever transmitted or stored on the server. The website only has your public key, which is useless to an attacker. There is no shared secret that can be stolen, phished, or reused.

How This Differs from Passwords

With passwords, both you and the website know the secret (or at least a hash of it). This creates multiple points of failure. The password can be intercepted in transit, stolen from the server, guessed by an attacker, or tricked out of you by a phishing page. A passkey eliminates all four attack vectors:

  • No interception: The private key never leaves your device, so there is nothing to intercept.
  • No server-side theft: The public key on the server is not a secret. Breaching the database gives an attacker nothing useful.
  • No guessing: Cryptographic keys are not guessable. There is no equivalent of a weak password.
  • No phishing: Passkeys are bound to the specific domain they were created for. If you visit a fake website that looks like your bank, your device will not offer the passkey because the domain does not match. This is the most significant improvement—passkeys make phishing technically impossible for the services that support them.

The Current State of Adoption

Passkey adoption has accelerated faster than most security technologies. As of mid-2025, passkeys are supported by Apple (iCloud Keychain syncs passkeys across all Apple devices), Google (Google Password Manager syncs passkeys across Android and Chrome), and Microsoft (Windows Hello and Microsoft accounts). Major websites and services that support passkey login include Amazon, PayPal, GitHub, eBay, Best Buy, Kayak, Adobe, and hundreds more.

The FIDO Alliance reports that over 15 billion accounts are passkey-capable as of 2025, meaning the user’s device and the service both support passkey authentication. Actual adoption lags behind capability—most users have not yet created passkeys for their existing accounts—but the infrastructure is in place.

The experience is remarkably simple. On a supported service, you click “Create a passkey,” verify your identity with Face ID, fingerprint, or device PIN, and you are done. Future logins require only the biometric check. No password to remember, no code to enter, no authenticator app to open.

The Transition Period: Passwords and Passkeys Coexist

Here is where the idealized vision meets reality. Passkeys will not replace passwords overnight. For years—probably a decade or more—most services will support both authentication methods. This means the password-based attack surface does not disappear; it just gets a passkey-based alternative layered on top.

During this transition, several complications arise:

  • Password fallback: Most services that support passkeys still allow password login as a fallback. An attacker who cannot phish your passkey can still attempt to phish or guess your password. The chain is only as strong as the weakest authentication method.
  • Account recovery: If you lose access to your passkey (lost device, broken hardware), you need a recovery path. For most services, that recovery path is email. You receive a password reset link, create a new password, and log in. The entire passkey security model collapses back to email security at the recovery step.
  • Uneven adoption: Not all services will adopt passkeys quickly. Your bank might support passkeys, but the niche industry tool you use for work probably will not for years. You will continue to use passwords for many services, which means password managers and good password hygiene remain essential.

Email: The Weakest Link in a Passkey World

This is the point that most passkey coverage misses entirely. In a world where every service uses passkeys, email becomes the single point of failure for the entire system.

Consider the chain: you lose your phone. You need to recover access to your accounts. Every service sends a recovery link to your email. If an attacker controls your email, they control the recovery process for every account linked to that address. Passkeys protect against phishing and credential theft, but they do not protect against email account compromise.

In fact, passkeys arguably make email security more important, not less. Today, compromising someone’s email gives you access to password reset flows. In a passkey world, it gives you access to passkey recovery flows. The attack surface shifts, but the critical infrastructure—email—remains the foundation.

This means that the single most important security investment you can make, regardless of whether you use passkeys, is securing your email.

Securing Email in the Passkey Era

Given that email is the recovery backbone for virtually every online account, here is what robust email security looks like:

Enable Two-Factor Authentication on Your Email

If you do one thing after reading this article, enable two-factor authentication (2FA) on your primary email account. Use a hardware security key (like a YubiKey) or an authenticator app (like Authy or Google Authenticator). Avoid SMS-based 2FA if possible, as SIM-swapping attacks can intercept text messages.

With 2FA enabled, an attacker who obtains your email password still cannot log in without the second factor. This single step blocks the vast majority of email account compromises. For a deeper explanation, see our guide on two-factor authentication.

Reduce Your Email Attack Surface

Every service linked to your email address is a potential vector for compromise. If an attacker knows your email, they can craft targeted phishing emails that reference services you actually use. They can attempt password reset flows. They can use your email in social engineering attacks against your email provider’s support team.

Using unique aliases for different services limits this exposure. If your banking alias is different from your social media alias, an attacker who compromises one cannot easily identify or target the other. The aliases serve as compartments that contain the blast radius of any single compromise.

Cleanbox supports this approach by letting you create purpose-specific aliases that all forward to your primary inbox. You get the convenience of a single mailbox with the security benefit of compartmentalized addresses. Combined with 2FA on your Cleanbox account, this provides layered protection that remains effective even as authentication methods evolve.

Monitor for Unauthorized Access

Most email providers offer activity logs showing recent sign-ins, including device type, location, and IP address. Check this periodically. If you see a login from a device or location you do not recognize, change your password immediately and review your account recovery options.
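The periodic check described above, written out as a small piece of detection logic (an added example, not Cleanbox code): it parses sign-in events and flags every successful login whose device or location is outside the account owner's known set. The log lines and the `KNOWN` profile are constructed for this example; real providers expose their activity logs in their own formats, so `parseLine` would need adapting.

```javascript
// Added example (not Cleanbox code): flag successful sign-ins from an unrecognized device
// or location. The log lines below are constructed for illustration only.
const SIGNIN_LOG = [
  "2025-06-01T08:12:03Z ip=203.0.113.10 device=iPhone location=Berlin,DE status=success",
  "2025-06-02T19:44:51Z ip=203.0.113.10 device=MacBook location=Berlin,DE status=success",
  "2025-06-03T02:07:19Z ip=198.51.100.77 device=Windows location=Lagos,NG status=failed",
  "2025-06-03T02:09:40Z ip=198.51.100.77 device=Windows location=Lagos,NG status=success",
  "2025-06-04T07:30:12Z ip=203.0.113.10 device=iPhone location=Berlin,DE status=success",
];

// The owner's known profile (constructed for the example).
const KNOWN = { devices: ["iPhone", "MacBook"], locations: ["Berlin,DE"] };

// Turn "timestamp key=value key=value ..." into an object.
function parseLine(line) {
  const [timestamp, ...fields] = line.trim().split(/\s+/);
  const entry = { timestamp };
  for (const field of fields) {
    const [key, value] = field.split("=");
    entry[key] = value;
  }
  return entry;
}

// One finding per successful sign-in that does not match the known profile.
// Failed attempts are skipped here; they are worth a separate count, not this check.
function findUnrecognizedSignins(lines, known) {
  const findings = [];
  for (const entry of lines.map(parseLine)) {
    if (entry.status !== "success") continue;
    const reasons = [];
    if (!known.devices.includes(entry.device)) reasons.push("unknown device " + entry.device);
    if (!known.locations.includes(entry.location)) reasons.push("unknown location " + entry.location);
    if (reasons.length > 0) findings.push({ timestamp: entry.timestamp, ip: entry.ip, reasons });
  }
  return findings;
}

console.log(findUnrecognizedSignins(SIGNIN_LOG, KNOWN));
```

Each finding names the reason it was raised, which is what you want when deciding whether to change the password and review recovery options: a new device in a familiar city is a different situation from a new device in a country you have never been to.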

For a comprehensive approach to email account protection, our article on preventing email account compromises covers the full spectrum of threats and countermeasures.

Limitations of Passkeys

Passkeys are a genuine improvement, but they are not without limitations that are worth understanding:

  • Device-bound vs. synced: Some passkeys are stored only on the device that created them (device-bound). If you lose that device, the passkey is gone. Synced passkeys (through iCloud Keychain or Google Password Manager) survive device loss but introduce a new dependency: the security of Apple or Google’s cloud infrastructure.
  • Cross-platform friction: Passkeys created in Apple’s ecosystem do not natively sync to Android devices, and vice versa. Third-party password managers like 1Password and Bitwarden are bridging this gap, but the experience is not yet seamless.
  • Account recovery complexity: Passkeys make daily authentication simpler but make account recovery harder. If you lose all your devices and your cloud account is locked, recovering access to passkey-protected services is extremely difficult. Planning for recovery scenarios is more important, not less.
  • Enterprise adoption: Organizations that need centralized credential management face challenges with passkeys because there is no password to reset from an IT admin console. Enterprise passkey management tools are emerging but are not yet mature.

What You Should Do Now

Passkeys represent a genuine leap forward in authentication security. But the transition will be gradual, messy, and dependent on email security at every step. Here is a practical action plan:

  1. Enable 2FA on your email immediately. This is the highest-impact single action regardless of your passkey adoption status.
  2. Create passkeys where available. Start with high-value accounts: your primary email, financial services, and cloud storage. Each service you convert to passkey login removes one phishing target.
  3. Keep your password manager. Passkeys will not replace passwords everywhere for years. Continue using unique, strong passwords for services that do not yet support passkeys.
  4. Plan for recovery. Ensure you have recovery codes, backup email addresses, or secondary authentication methods for critical accounts. Test the recovery process before you need it.
  5. Use unique aliases for different services. Whether you authenticate with a passkey or a password, limiting the exposure of your primary email address reduces the attack surface for social engineering and targeted phishing.

The future of authentication is better than the present. But the foundation—your email security—remains the same. Passkeys make it harder for attackers to get through the front door. Make sure the back door is equally secure.
