Passkeys make sign-in safer, but they also make recovery planning more important. If you replace a phone, reset a laptop, lose a hardware key, or change ecosystems without checking your passkeys first, you can lock yourself out of accounts that were supposed to be easier to use.

The goal is not to avoid passkeys. The goal is to adopt them with a recovery plan. Before you wipe, trade in, sell, repair, or factory-reset a device, make sure your most important accounts have a second way back in.

Why passkey recovery matters now

Passkeys are no longer a niche feature. The FIDO Alliance reported in May 2026 that billions of passkeys are now in use worldwide and that most surveyed consumers have enabled a passkey on at least one account. That is good news for phishing resistance. It also means more people are depending on device and account ecosystems to keep authentication recoverable.

Unlike a password, a passkey is not something you can remember and retype. It lives in a credential provider, device, security key, or synced account system. If you lose access to that system, the recovery path depends on how the service and provider are configured.

Start with your highest-value accounts

You do not need to audit every account before switching phones. Start with the accounts that control money, recovery, identity, or business access:

  • Primary email and cloud accounts.
  • Banking, payment, tax, payroll, and crypto accounts.
  • Phone carrier account and device account.
  • Password manager, passkey provider, and authenticator accounts.
  • Domain registrar, hosting, GitHub, social, ad, and admin accounts.
  • Healthcare, insurance, school, and government portals.

For each one, record whether it uses a passkey, a password fallback, backup codes, a recovery email, a recovery phone, or a hardware security key.

The passkey recovery checklist

Before switching devices, work through this checklist from a trusted device while you still have the old device available:

  1. Confirm where the passkey lives. Is it synced through a platform account, stored on one device, saved in a credential provider, or held on a hardware security key?
  2. Add a second sign-in method. Register another passkey, hardware key, authenticator method, or backup method when the account supports it.
  3. Save backup codes. Generate fresh codes if needed and store them in an encrypted vault record, not in screenshots.
  4. Verify recovery email and phone. Make sure they still belong to you and are protected with strong MFA.
  5. Check trusted devices. Remove old devices you do not use, but keep the current device until the new one is proven.
  6. Document the official login URL. Store the real account URL so phishing pages are easier to avoid later.
  7. Test sign-in on the new device. Do this before wiping or trading in the old device.

Do not wipe the old phone too soon

The most common mistake is treating device transfer as proof that authentication transferred. Photos, contacts, and apps may move cleanly while passkeys, authenticator codes, or trusted-device status still need separate verification.

Before wiping the old phone or laptop, sign in to your important accounts from the new device. Confirm that the passkey works, backup codes are saved, and recovery settings are current. Only then remove the old device from trusted-device lists.

What to save in Krypt

A passkey is not a note you can paste into a vault, but the recovery plan around it should be documented. For each important account, save:

  • Official login URL and username.
  • Whether a passkey is enabled and where it is stored.
  • Which backup sign-in methods are registered.
  • Backup codes and the date they were generated.
  • Recovery email, recovery phone, and trusted-device notes.
  • Where to add or remove passkeys for that account.
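As an added example (not Krypt's code or data format), the following Python turns the fields from the checklist above and the "what to save" list into a per-account inventory and reports what still blocks wiping a given device; account names, URLs, dates and device labels are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed per-account record; the fields mirror what the checklist and the
# "what to save" list ask you to document. Not Krypt's own code or data format.
@dataclass
class AccountRecord:
    name: str
    login_url: str
    passkey_storage: str                    # "synced", "device-bound", "hardware-key", "provider" or "none"
    passkey_device: Optional[str] = None    # label of the device holding a device-bound passkey
    other_methods: List[str] = field(default_factory=list)  # e.g. "hardware-key", "totp", "password"
    backup_codes_date: Optional[date] = None
    recovery_email_mfa: bool = False        # recovery email itself protected with strong MFA
    recovery_phone_current: bool = False    # recovery phone verified as still yours

def audit_account(acct, device_to_wipe, today, max_code_age_days=365):
    """Return the findings that block wiping device_to_wipe; an empty list means ready."""
    findings = []
    if acct.passkey_storage == "device-bound" and acct.passkey_device == device_to_wipe:
        findings.append("passkey lives only on the device being wiped")
    if acct.passkey_storage != "none" and not acct.other_methods:
        findings.append("single sign-in method: register a second authenticator")
    if acct.backup_codes_date is None:
        findings.append("no backup codes saved")
    elif (today - acct.backup_codes_date).days > max_code_age_days:
        findings.append("backup codes older than %d days: regenerate" % max_code_age_days)
    if not acct.recovery_email_mfa:
        findings.append("recovery email is not protected with strong MFA")
    if not acct.recovery_phone_current:
        findings.append("recovery phone not confirmed as still yours")
    return findings

def wipe_blockers(accounts, device_to_wipe, today):
    """Map account name -> findings, only for accounts not yet safe to migrate."""
    return {a.name: f for a in accounts if (f := audit_account(a, device_to_wipe, today))}

# Constructed sample inventory for a migration off the device labelled "old-phone".
AUDIT_DATE = date(2026, 5, 20)
SAMPLE_ACCOUNTS = [
    AccountRecord("primary-email", "https://mail.example", "synced", None,
                  ["hardware-key"], date(2026, 1, 10), True, True),
    AccountRecord("bank", "https://bank.example", "device-bound", "old-phone",
                  [], None, True, True),
    AccountRecord("registrar", "https://registrar.example", "hardware-key", None,
                  ["password"], date(2024, 3, 1), False, True),
]
if __name__ == "__main__":
    print(wipe_blockers(SAMPLE_ACCOUNTS, "old-phone", AUDIT_DATE))
```

An account that is missing from the result has passed every check and can be migrated; everything else is a step from the checklist that still has to be done on the old device.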

Krypt is a zero-knowledge password manager and secure vault for the account details that passkeys do not replace. It can keep passwords, recovery codes, secure notes, files, and passkey context together in encrypted local-first storage.

On Android 14+, Krypt can also store third-party website passkeys through Android Credential Manager. Those passkeys help you sign in to outside websites and services. Your recovery notes still matter because each service keeps its own backup methods, recovery codes, and trusted-device settings on its own security page, not in the passkey itself.

Passkeys still need backup thinking

For high-value accounts, one passkey is usually not enough. Add more than one authenticator when the service allows it. That can mean a synced platform passkey plus a hardware security key, a phone plus a laptop, or a primary key plus a backup key stored safely.

For families and small businesses, document ownership too. Know who controls the account, who has a backup authenticator, and where emergency recovery material lives. A passkey that only exists on one person's lost phone can turn into an operational problem fast.

After the switch

Once the new device is working, do a final cleanup:

  • Remove the old phone from trusted devices after verifying the new one.
  • Revoke sessions you no longer recognize.
  • Update recovery phone numbers if the number changed.
  • Regenerate backup codes if they were exposed during migration.
  • Update your encrypted vault notes with the new setup date.

Passkeys reduce phishing and password reuse, but they do not remove the need for recovery planning. Treat device changes like security events. Verify first, wipe later.

Technical references

For adoption context, see the FIDO Alliance's 2026 passkey adoption report. CISA's MFA guidance explains why phishing-resistant authentication matters, and the FIDO passkeys guide is a useful standards-level explainer.

Store passkey notes, backup codes, recovery contacts, and device-migration steps in one encrypted local-first vault.