Passwords are the weakest link in 2026. Real-time MFA interception (adversary-in-the-middle phishing) now defeats SMS codes, authenticator apps, and even push approvals: the attacker proxies your login to the real site, relays whatever code or approval you provide, and steals the resulting session cookie. FIDO2/WebAuthn credentials, meaning passkeys and hardware security keys, are the only consumer-grade defense that stops this attack by design, because of cryptographic origin binding. A passkey is scoped to the domain it was registered for, the browser will not offer it to any other site, and the signature it produces covers the origin the browser actually saw. So a passkey for google.com is useless on g00gle-login.com, no matter how convincing the page looks.
This guide walks through passkey setup on the three biggest consumer accounts and explains when to add a hardware security key on top.
Google Account
- Go to myaccount.google.com/signinoptions/passkeys.
- Sign in if prompted.
- Click Create a passkey → Continue.
- Authenticate with your device's biometrics, PIN, or screen lock.
- Repeat on other devices for redundancy.
Apple (iOS, iPadOS, macOS)
Passkeys sync automatically via iCloud Keychain; enable it in Settings → [Your Name] → iCloud → Passwords & Keychain. When a supported site or app offers to create a passkey, approve it with Face ID or Touch ID. The passkey then syncs across every device signed in to the same Apple Account (formerly Apple ID). To sign in on a non-Apple device, choose the option to use a phone, scan the QR code with your iPhone and approve with Face ID or Touch ID; the passkey never leaves your phone.
Microsoft Account (Personal and Work/School)
- Personal accounts: go to account.microsoft.com → Security → Advanced security options.
- Select Add a new way to sign in or verify → Face, fingerprint, PIN, or security key.
- Follow the prompts to create and save the passkey on your device (Windows Hello, phone, or a security key).
- Work or school (Microsoft Entra ID) accounts are managed separately at aka.ms/mysecurityinfo under Security info → Add sign-in method. The passkey option only appears if your organization has enabled it in its authentication methods policy; if it is missing, ask your IT team rather than assuming your account is unsupported.
Best practice for all platforms
Create passkeys on at least two separate devices (e.g. phone + laptop), or confirm the platform syncs them for you, before removing passwords. Keep a recovery method (recovery email or phone) active in case every device is lost at once, but treat it strictly as recovery: an attacker who can phish the fallback gets around the passkey, so never use it for routine sign-in. Review the list of registered passkeys on each account periodically so a lost or retired device can be removed.
Passkeys vs hardware security keys (YubiKey, etc.)
| Aspect | Synced passkeys (phone/laptop) | Hardware keys (YubiKey) |
| --- | --- | --- |
| Convenience | Excellent: biometrics on everyday devices | Good, but you must carry the key |
| Phishing resistance | Strong: WebAuthn origin binding | Identical: the same protocol and origin binding |
| Where the private key lives | Synced through the platform's cloud account (iCloud Keychain, Google Password Manager, etc.); whoever controls that account controls the passkeys | Generated on the key and never exported; use requires physical possession |
| Recovery | Easier: restores with the cloud account on a new device | Harder: register a second key as a backup |
| Cost | Free (uses existing devices) | $20–$80+ per key |
| Best for | Most consumers and everyday accounts | High-value accounts, enterprises, high-risk users |
| Limitation | Device loss without backups; compromise of the syncing account | Can be lost or stolen; register at least two |
Recommendation: synced passkeys for daily convenience, plus a hardware key as backup for critical accounts (primary email, banking, government, crypto exchanges). That combination gives you the best of both worlds.
Why this matters more than any other security upgrade in 2026
Most account takeovers we see at GACS no longer start with a leaked password. They start with a perfectly cloned login page reached via a Google Sponsored ad or a "your account is locked" SMS. The victim enters their credentials, completes their normal MFA prompt (which the proxy relays to the real site in real time), and the attacker walks off with a valid session cookie within 60 seconds. Passkeys break that chain because the signed challenge is bound to the domain the browser was actually on: the real site rejects any assertion produced on the fake one, and the proxy cannot rewrite the origin without invalidating the signature.
Before you sign in to any account that holds money, identity, or recovery access for other accounts, run the URL through the free GACS Safe Scanner. Combine that habit with passkeys on every account that supports them, and the 2026 attack playbook stops working on you.
WebAuthn Level 3 (2026)
The underlying spec just levelled up: WebAuthn Level 3 (W3C Candidate Recommendation, May 2026) adds conditional create/get for smoother sign-up flows, the Signal API so sites can tell the authenticator when a credential was deleted or a user name changed, Related Origin Requests so a brand that runs several top-level domains can publish the list of origins allowed to use one credential (the check still happens against that explicit list, so origin binding is not loosened), and better hybrid (phone ↔ desktop) transport. Read the full breakdown in our WebAuthn Level 3 guide or see how it fits the broader FIDO2 picture in our WebAuthn vs FIDO2 comparison.
