In mid-June 2025, Meta announced that Facebook will soon support passkeys on its mobile app, enabling users to log in using biometric data or a device PIN instead of—or in addition to—their traditional passwords. This move arrives at a time when phishing remains one of the most prevalent threats to online accounts, and as industry heavyweights increasingly move toward passwordless authentication solutions.
Phishing attacks continue to plague users of all digital services. In 2024 and early 2025, security reports highlighted that despite growing awareness, many users still fall prey to fake login pages that harvest credentials. Password reuse across services exacerbates the risk: if credentials from one breach surface, attackers often try them elsewhere, leading to credential stuffing attacks. Passwords themselves have long been criticized for human limitations: users choose weak passwords, reuse them, or rely on easy-to-guess patterns. Two-factor authentication (2FA) via SMS or authenticator apps has helped but is not foolproof: SIM swapping and sophisticated social engineering still succeed against some users.
Enter passkeys: cryptographically secured credentials that replace the need to type a password into a login form. Because passkeys are bound to a specific domain and device, they cannot be phished in the traditional sense—your browser or OS will only surface them when the domain matches exactly. This domain binding makes it extremely difficult for attackers to trick users into inadvertently handing over usable credentials to fake websites. Moreover, passkeys leverage biometric data (fingerprint, face scan) or a device PIN, reducing the friction of remembering complex passwords and offering stronger resistance to brute-force or guessing attacks.
What are passkeys, technically speaking?
Passkeys rely on the FIDO Alliance’s WebAuthn standard, an open, industry-driven protocol designed to eliminate reliance on passwords. When you create a passkey for a service, a pair of cryptographic keys is generated: a private key stored securely on your device (protected by biometric or PIN-based device authentication) and a public key registered with the service provider. During login, the service sends a cryptographic challenge that only the private key on your device can sign. Since the private key never leaves your device, phishing sites cannot intercept or spoof this exchange. And because each passkey is tied to a specific origin (domain), it simply won’t work if a user is on a malicious lookalike site.
One concern users often raise is: what happens if my device is lost or replaced? Modern implementations allow passkeys to sync across devices via encrypted backups—e.g., built into iCloud Keychain on Apple devices or Google Password Manager on Android—so users can recover credentials when switching devices. Additionally, many services let you register fallback methods (such as a phone number, email-based recovery, or a hardware security key) to regain access if all else fails.
On June 18, 2025, Meta’s official Newsroom post detailed the introduction of passkey support on Facebook mobile apps for iOS and Android, with Messenger integration coming “in the coming months.” The company emphasized that passkeys offer a simpler and safer way to sign in, leveraging the same biometric or PIN-based device authentication users already trust. Meta stated that passkeys are resistant to guessing or theft by malicious websites or scam links, making them effective against phishing and password spraying attacks.
Meta did not provide an exact rollout schedule, but suggested users should see the option to set up and manage passkeys in the Accounts Center within the Facebook mobile app soon. Once set up, the same passkey will work across both Facebook and Messenger when Messenger support goes live. Meta also highlighted that passkeys will extend beyond login: they will enable secure autofill of payment information via Meta Pay, streamlining checkout while keeping payment data secure on the device.
Despite the push for passkeys, Meta reassured users that existing authentication options remain available. You can still log in with your password, use physical security keys, or continue with two-factor authentication methods. Passkeys complement, rather than replace, these methods for users who wish to adopt them.
Facebook joins a growing list of major platforms adopting passkeys. Google, Microsoft, Apple, and various password managers (1Password, Dashlane, Bitwarden, etc.) already support passwordless login via passkeys or their proprietary implementations built on WebAuthn. WhatsApp, another Meta-owned property, rolled out passkey support earlier on Android and iOS. Microsoft recently even made passkeys the default sign-in method for new consumer accounts, signaling strong industry momentum toward passwordless authentication.
