passwords
So far in our comprehensive guide to passkeys, we’ve covered how to ditch passwords on popular combinations of Android, iOS, macOS, and Windows smartphones and computers. This post focuses on important specific cases:
- One-time sign-ins to your account from someone else’s device
- Tips for frequent computer and smartphone switchers
- Ways to secure your account when backup password sign-in is enabled
- Potential issues when traveling internationally
- What happens when using niche browsers and operating systems
How to use passkeys on public or shared computers?
What if you need to sign in to your passkey-protected account from a library, an airport computer, or a relative’s home? Don’t rush to remember your backup password.
Start the sign-in process on the computer: enter your username and, if prompted, click Sign in with passkey. A QR code will appear on the screen for you to scan with the smartphone that stores your passkey. If the scan is successful, the QR code will disappear, and you’ll be signed in to your account.
Several factors must align for this seemingly simple process to proceed smoothly:
- The computer must support Bluetooth Low Energy (BLE), which verifies that your smartphone and the computer are indeed nearby.
- The computer’s operating system and browser must support passkeys.
- Both the computer and your smartphone need a reliable internet connection.
How to save passkeys to a hardware security key?
You might find using passkeys via QR codes inconvenient if you frequently access your accounts from different devices. If that’s the case, you can store your passkeys not on your computer or smartphone, but on a USB hardware security key — such as a YubiKey, Google Titan Security Key, or a similar device — for secure website sign-in. When you create a passkey, just choose to save it to your hardware key. Then you can sign in to your account from any computer or smartphone by plugging in that security token.
Just make sure it has the right combination of ports (USB-A, USB-C, Lightning) or NFC support to work with all your devices. Some token models even include a fingerprint scanner, which provides an extra layer of protection against account hijacking if your device is stolen or lost.
Unfortunately, there’s a catch: many older and popular token models can store a maximum of only 25 passkeys. Only a few advanced models — like the YubiKey with firmware version 5.7 — have raised this limit to 100.
Additionally, operating system developers view passkeys as a great opportunity to tie users more closely to their ecosystems. By default, depending on your smartphone, you’ll likely be prompted to save your passkey to either iCloud Keychain or Google Password Manager. As a result, the option to use a hardware security key might be hidden deep within the interface.
To create a passkey on a hardware token, you’ll often need to click the not-so-obvious Other options link on macOS/iOS, or Different device on Android, to select the hardware key option.
How to transfer passkeys between iOS and Android?
The biggest headache right now is if you store all your passkeys in your smartphone’s default storage and you want to switch ecosystems — moving from Android to iOS or vice versa. Currently, none of the three major OS developers — Google, Apple, or Microsoft — let you directly transfer passkeys. That’s because no one can guarantee the process will be secure. Both Apple and Google are working on implementing this feature in the future, but if you decide to swap devices today — say, from an iPhone to a Google Pixel — transferring your passkeys won’t be straightforward.
- First, you’ll need to sign in to the account protected by a passkey on your new device. You can do this either by using your good old password (if it’s still enabled), or by scanning a QR code with your old device that has the active passkey.
- Next, you’ll need to create and save a new passkey on your new device. Yes, you can have multiple passkeys for each website or online service.
- Finally, if you plan to get rid of your old gadget, you’ll need to delete the old passkey from it.
To avoid this hassle, it’s best to use a third-party password and passkey manager right from the get-go. With Kaspersky Password Manager, passkey support is already available on Windows, with Android support planned for July, and iOS and macOS support — for August 2025.
How to protect an account with a passkey from being hacked using a backup password?
Most online services that offer to switch to passkeys don’t disable other sign-in methods. If your account was protected by a weak or compromised password before you switched to a passkey, cybercriminals can still bypass your shiny new passkey by simply signing in with that old password.
Creating a passkey for an account that still has a weak password is like installing a bulletproof front door while leaving the flimsy back door unlocked with the key hidden under the mat.
That’s why, before you enable passkeys for any online service, we strongly recommend changing your password as well. Since you won’t be typing this password every day — it’s just a backup for your passkey-protected account — you can really go wild with its complexity. We’re talking strong passwords that are 16 characters or longer, and mixing up letters, numbers, and special characters. These are practically uncrackable. Ideally, generate and save that robust password in the same password manager where you’re planning to store your passkeys. Don’t rely on AI models to generate complex passwords. Our recent research revealed that while these passwords might look complex, LLMs tend to favor certain characters for no obvious reason when creating passwords, which makes their output surprisingly predictable.
Passkey drawbacks?
The underlying WebAuthn standard that powers passkeys can be implemented quite differently across browsers and operating systems. Websites often adopt these capabilities in their own unique ways. This can lead to frustrating challenges — even for tech-savvy users. Here are a few examples of this:
- When creating passkeys, standard Windows prompts give you plenty of options for where and how to save them. By default, Windows saves passkeys in secure local storage on your computer. If you forget to select your password manager as the save location, that passkey won’t be available on your other devices.
- Many online services like Kayak or AliExpress have dozens of regional versions, with each one being a separate website: .com, .com.tr, .co.uk, etc. If you create a passkey for, say, your local site, and then for some reason try to access the same online service in a different region, it’s highly likely you won’t be able to sign in with that passkey.
- Some websites don’t support creating or signing in with passkeys when using Firefox, regardless of the platform. In reality, there’s no technical incompatibility here, and simple tricks can resolve the issue, but it’s unclear why users should have to resort to these workarounds.
- Some Apple users have reported that all their previously saved passkeys periodically disappear from their Keychain, while certain Android users can’t activate passkeys without re-flashing or factory-resetting their devices.
Any one of these situations is made worse by the fact that errors when creating or signing in with passkeys are either not mentioned at all in help documentation, or described very vaguely. It’s often completely unclear how to fix the problem. However, when passkey issues arise, websites almost always offer a backup option, such as sending a one-time access code to your email.
Despite these challenges, a passwordless future with passkeys is on the horizon. We recommend getting ready now by creating passkeys wherever possible, saving them in your password manager, and remembering to check and update your passwords and contact information on websites to make sure you can recover access if your passkeys ever give you trouble.
Want to read more about passwords and passkeys?
Tips