Sun, Jul 12, 2026NY 7:54 PM EDTLA 4:54 PM PDTLON 12:54 AM GMT+1PAR 1:54 AM GMT+2DXB 3:54 AM GMT+4SIN 7:54 AM GMT+8TOK 8:54 AM GMT+9SYD 9:54 AM GMT+10UTC 11:54 PM UTCBTC delayed quote CoinGeckoETH delayed quote CoinGeckoFresh explainers, verified sources, practical next steps
Strangely Useful

Clear, verified help for apps, money, security, AI, and everyday tech problems.

Browse the site
Topic hubsFake support guideWrong Cash App paymentLatest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
Tech & AI - story

A passkey is not your face. It is a locked credential your device helps use.

The biometric or PIN unlocks an authenticator; the website receives cryptographic proof rather than your fingerprint.

Last verified July 11, 20262 sources checkedEditorial standards
An open metal vessel holds a disk and ring, a physical metaphor for a credential that remains inside an authenticator.
A passkey is not your face. It is a locked credential your device helps use.An open metal vessel holds a disk and ring, a physical metaphor for a credential that remains inside an authenticator.A physical metaphor: the credential remains with the authenticator while the website receives cryptographic proof after local verification. Strangely Useful generated editorial illustration.
In this story3 sectionsThe website gets proof, not your fingerprint“Passkey” can describe more than one storage arrangementThe part marketing pages tend to skip

When a website says “sign in with your face,” it is skipping the most important part. Your face is not the passkey. It is one possible way to unlock an authenticator that holds or can access a cryptographic credential for that site.

The distinction sounds fussy until something goes wrong. It explains why some passkeys can be backed up and synced, why a device may offer a PIN or biometric for local verification, and why account recovery still matters even after passwords disappear.

The website gets proof, not your fingerprint

The W3C Web Authentication specification defines public-key credentials scoped to a relying party—the website or service asking you to sign in. During authentication, the authenticator uses the credential's private-key side to produce a signed assertion in response to the site's challenge. The service verifies that response using the public-key side. The private key is not sent to the service.

The user-verification step happens on the authenticator side. Depending on the device and setup, that can be a PIN, biometric, or another authorization gesture. WebAuthn communicates the result of that verification in the ceremony; it does not define sending a fingerprint or face scan to the website.

“Passkey” can describe more than one storage arrangement

Some credentials are device-bound, including credentials on some hardware security keys. Other passkeys can be backed up and made available across a user's devices through a credential provider. That convenience changes recovery and ecosystem questions, but it does not turn the credential into a reusable password shared with every site.

Each relying party receives a credential scoped to it. WebAuthn validates the calling origin and relying-party identifier as part of the ceremony. That binding helps resist a look-alike origin trying to use the real site's credential. It does not make unsafe recovery, enrollment, or a compromised unlocked device harmless.

The part marketing pages tend to skip

Passkeys do not remove every account problem. A service still needs a secure enrollment and recovery process. A stolen unlocked device is a different threat from a remote phisher. Shared devices, device migration, and accessibility all require careful product decisions.

The useful mental model is small: the passkey is the credential; the authenticator protects and uses it; your face, finger, or PIN proves locally that the authenticator should act. Once those pieces are separate, the login prompt is much less mysterious.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. Web Authentication Level 3W3Cprimary - Retrieved Jul 11, 2026

    What it supportsWebAuthn credentials are scoped to a relying party. - An authenticator returns a signed assertion during authentication.

  2. FIDO PasskeysFIDO Allianceprimary - Retrieved Jul 11, 2026
The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →