One of the world’s largest web browsers has flipped a long-anticipated switch: passkeys are now the default sign-in recommendation for supported sites. The change nudges users toward biometric or device-based authentication that cannot be copied and reused in the way passwords can.

Security experts say the benefit is straightforward. When attackers cannot steal reusable secrets, phishing becomes less profitable. The challenge, they add, is recovery—what happens when a user loses a device and cannot reach backup credentials.

Service providers are responding by tightening recovery flows and pushing multi-device passkey sync, but the transition will not be seamless. The next few months will test whether convenience can be maintained while security improves.