You can now sign in to your Hostney account with a passkey. That means unlocking your control panel with the same Face ID, fingerprint, or device PIN you already use to unlock your phone or laptop – no password to type, and nothing an attacker can phish or guess. Passkeys are live today in your account settings, and they work right alongside the password and two-factor setup you already have.
This is one of those changes that sounds small and is actually a big deal. Passwords have been the weakest link in account security for as long as accounts have existed. Passkeys are the first mainstream login method that removes that weak link entirely, and after years of the technology maturing across Apple, Google, and Microsoft devices, it is finally ready for everyday use. Here is what a passkey is, why it is more secure than a password, and how to add one to your Hostney account in about thirty seconds.
What a passkey actually is#
A passkey is a login credential that lives on your device instead of in your head. When you create one, your phone or laptop generates a pair of cryptographic keys. The private key stays locked inside your device’s secure hardware and never leaves it. The matching public key is stored with Hostney. When you sign in, your device proves it holds the private key by signing a one-time challenge, and you approve that with your fingerprint, face, or PIN.
The important part is what is not involved: there is no shared secret. With a password, the same string of characters exists in two places – your memory and Hostney’s records – and anyone who obtains it from either side can log in as you. With a passkey, the secret half never leaves your device and is never transmitted anywhere. There is nothing to write down, nothing to reuse across sites, and nothing sitting in a database waiting to be stolen in a breach.
If you have ever used Face ID to approve a purchase or Windows Hello to unlock your laptop, you already understand the experience. A passkey applies that same one-tap approval to signing in, and it is backed by the FIDO2 and WebAuthn standards that the entire industry has agreed on.
Why passwords were always the weak link#
Passwords fail in predictable ways, and none of them are really the user’s fault.
They get reused. Most people cannot remember dozens of unique strong passwords, so they reuse one across many sites. The moment any of those sites is breached, attackers take the leaked email-and-password pairs and try them everywhere else. This is called credential stuffing, and it is automated and relentless. We have written before about what happens when bots find your login page, and the pattern is always the same: thousands of stolen credential pairs, tried at machine speed, until one works.
They get brute-forced. Even a unique password is only as strong as its length and randomness, and automated tools guess billions of combinations. If you want to see how ugly that process gets up close, our breakdown of brute-force attacks and how to stop them walks through the mechanics.
They get phished. This is the one that defeats even careful people with strong, unique passwords. An attacker sends a convincing email, you click a link to a page that looks exactly like the real login screen, you type your password, and you have just handed it to them. Two-factor codes do not fully solve this either, because a good phishing page will ask for your 6-digit code too and relay it in real time.
Every layer we normally stack on top of passwords – rate limiting, two-factor authentication, IP restrictions – exists to compensate for the fact that the password itself is fundamentally guessable and stealable. Passkeys attack the problem at the root instead of patching around it.
What makes passkeys phishing-resistant#
The single most valuable property of a passkey is that it cannot be phished, and this is worth understanding because it is not marketing language, it is how the technology works.
A passkey is cryptographically bound to the exact website that created it. Your Hostney passkey only works on the real Hostney sign-in page. If an attacker builds a pixel-perfect copy of our login screen on a lookalike domain and tricks you into visiting it, your device simply will not offer the passkey, because the domain does not match. There is no field for you to type the secret into, because the secret never gets typed at all. The whole class of attack that relies on tricking a human into entering credentials on the wrong page stops working.
This is a genuinely different security model from passwords and even from authenticator-app codes. A password can be typed anywhere, including on a fake page. A one-time code can be read aloud, forwarded, or relayed. A passkey’s private half never leaves your device and only ever responds to the legitimate site. That is why security teams describe passkeys as phishing-resistant rather than merely phishing-resilient, and it is the reason major banks and platforms are moving to them.
There is also a privacy benefit worth stating plainly: Hostney never sees your fingerprint or your face. Biometric data is used only locally, by your own device, to unlock the private key. It never touches our servers. We store only the public key, which is useless to anyone who steals it.
How to add a passkey to your Hostney account#
Adding a passkey takes about thirty seconds and you can do it right now.
- Sign in to your Hostney account and open your account settings.
- Find the Passkeys section. It sits alongside your password, two-factor authentication, and active sessions.
- Click Add passkey. Your browser and operating system will prompt you to create one.
- Approve with whatever your device uses – Face ID, Touch ID, a fingerprint sensor, Windows Hello, your device PIN, or a hardware security key.
That is it. The passkey is created and named automatically with the date so you can tell your devices apart, and you can rename or remove any passkey from the same screen at any time.
You can add more than one. Most people add a passkey on each device they regularly use – a laptop and a phone, for example – so they can sign in quickly wherever they are. If you use a password manager that syncs passkeys, such as iCloud Keychain, Google Password Manager, or 1Password, your passkey can follow you across your devices automatically.
If you ever lose a device, remove its passkey from the settings page and it can no longer be used to sign in. Because each device has its own passkey, losing one never affects the others.
Passkeys work alongside your password and two-factor#
We designed this so you lose nothing and gain an option.
Turning on passkeys does not remove your password, and it does not disable your two-factor authentication. All of it keeps working. At the sign-in screen you simply choose how you want to authenticate: tap Passkey to sign in with your device, or choose Password to sign in the way you always have, including your 2FA step if you have it enabled.
This matters for a few reasons. First, it means there is no risk of locking yourself out. If you are ever on a device that does not have your passkey – a borrowed computer, say – your password and two-factor code still get you in. Second, it means you can adopt passkeys at your own pace. Add one on your main laptop today, see how it feels, and add more when you are ready. Third, removing every passkey from your account is completely safe, because your password login is always there as the fallback.
If you have not set up two-factor authentication yet, it is still worth doing for the password path, and our guide to the best WordPress 2FA plugins explains the tradeoffs between authenticator apps, SMS, and hardware keys. The same logic that makes 2FA worthwhile on your website applies to your hosting account. Passkeys and 2FA are not competitors – a passkey is effectively two factors in one, because it combines something you have, your device, with something you are, your biometric.
Which devices and browsers work#
Passkeys are supported across every current mainstream platform, because the standard is backed by the whole industry rather than a single vendor.
On Apple devices, passkeys work in Safari and sync through iCloud Keychain across your iPhone, iPad, and Mac. On Android and in Chrome, they sync through Google Password Manager. On Windows, they work through Windows Hello using your PIN, fingerprint reader, or face camera. Dedicated hardware security keys, such as a YubiKey, also work as passkeys and are a good choice if you want a physical device that is not tied to any single ecosystem.
You do not need to pick one approach. Because you can register several passkeys on your account, you might have a synced passkey on your everyday phone and laptop plus a hardware key kept somewhere safe as a backup. If a browser or device is recent enough to have received updates in the last couple of years, it almost certainly supports passkeys.
What we recommend#
If you manage anything important through your Hostney account, add a passkey. It is the strongest sign-in method available today, it is faster than typing a password, and it costs you nothing to try because your existing login stays in place.
Account security is layered, and a passkey is the strongest layer you can add to the front door. It pairs naturally with the rest of the good habits we write about: keeping your software current, using unique credentials, and understanding how to secure a login properly rather than relying on any single control. Securing your hosting account and securing the WordPress sites you run on it are two different jobs, and both deserve attention – a passkey handles the first, and good site hygiene plus a solid security plugin handles the second.
For now, your control panel account is the place to start, and it is ready today.
Where this is heading#
Right now, passkeys are entirely optional. You can add one, add several, or add none, and nothing about your current login changes until you decide to change it.
Over the coming months, we plan to make passkeys the default, recommended way to sign in to Hostney. New accounts will be guided toward creating a passkey first, and we will encourage existing customers to add one, because it is the single biggest security upgrade most accounts can make and it is the direction the whole industry is heading.
To be clear about what that shift does not mean: we are not removing passwords, and we are not removing two-factor authentication. Both stay fully supported for anyone who prefers them or wants them as a fallback. Making passkeys the default is about steering new sign-ins toward the strongest option, not taking anything away. You will always be able to sign in with your password and 2FA – for example, on a device that does not have your passkey.
The takeaway#
Passkeys let you sign in to Hostney with your face, fingerprint, or device PIN instead of a password. They cannot be phished, guessed, or stolen in a breach, because the secret never leaves your device and only ever works on the real Hostney site. They live in your account settings next to your password and two-factor options, they take about thirty seconds to set up, and they work alongside everything you already have, so there is no risk of locking yourself out. They are optional today and will become our recommended default over the coming months, while passwords and two-factor authentication stay available for anyone who wants them. Add one to your main device today, add more when you are ready, and enjoy a login that is both faster and dramatically harder to attack.