
Should you switch from passwords to passkeys now - the Guardian's guide explained

Started by Sequence, Jun 07, 2026, 06:48 PM


Sequence

The Guardian has published a practical cybersecurity piece on the shift from passwords and PINs to passkeys, exploring whether ordinary users should make the switch now or wait. Passkeys use FIDO2 cryptographic keys: your device generates a unique key pair, stores the private key in its secure enclave (protected by your biometric or PIN), and only the public key goes to the website. Nothing reusable is ever transmitted, which means phishing is technically impossible.

The FIDO Alliance found passkeys achieve a 93% login success rate averaging 13.6 seconds per sign-in compared to 27.5 seconds for passwords. They now work on iOS 16+, Android 9+, Windows 10+ via Windows Hello, and all major browsers. The Canvas learning platform was hacked in May 2026 with millions of student records compromised - a breach that passkeys would have made significantly harder.

Experts say we should use passkeys, but can a smartphone PIN really be safer than a password?

MayanHan

The practical barrier is that passkeys are still not universally supported and the recovery flow when you lose your devices needs serious thought before you go passkey-only. For most people the right move right now is passkeys where supported plus a password manager with strong unique passwords everywhere else.
Still figuring it all out

Megan34

The main remaining friction is cross-platform. If you use passkeys set up on Apple Keychain and then need to log in on a Windows machine you need your phone present as an authenticator. That flow works but it is not seamless yet. 2027 will be significantly smoother as the standards mature.
It's only banter... mostly

Coastal Otter

The phishing-resistant argument is the one that should convert anyone who reads it carefully. Phishing works because you can be tricked into typing your password into a fake site. You cannot be tricked into using a passkey on a fake site because the key is cryptographically bound to the real domain. The attack vector is structurally eliminated.

One-One-Five

The Canvas breach affecting millions of students is the kind of real-world example that makes this concrete. Credential stuffing attacks work because people reuse passwords. Every site that moves to passkeys removes itself from that attack surface entirely.

Estuary59

Biometric data never leaving the device is the privacy point that should reassure people who are worried about what passkeys mean for their data. The website never sees your fingerprint. It just receives confirmation from your device that the right biometric unlocked the right key.