Security | April 8, 2024

Why Passkeys Beat Passwords for Your Money

Passwords are the weakest link in modern finance. Here is why Send replaced them with passkeys, and what that means for the safety of your money.

For decades, the password has been the front door to your financial life. It is also the door attackers know best how to pick. Phishing, credential stuffing, reused logins, leaked databases: nearly every account takeover starts with a password that ended up somewhere it should not be. At Send, we decided the simplest way to protect your money was to stop relying on passwords entirely.

The problem with passwords

A password is a shared secret. You know it, and the service you log in to knows it. That means it can be guessed, stolen in transit, captured by a fake login page, or exposed in a breach on the other end. Once it leaks, it is valid until you change it, and most people reuse the same one across dozens of services. For an app that moves real money, that is an unacceptable amount of risk to hang on a string of characters.

What a passkey actually is

A passkey replaces the shared secret with a cryptographic key pair. When you set up Send, your device generates a private key that never leaves it and a public key that we store. Logging in or approving a transfer means your device signs a challenge with the private key, and we verify that signature against the public key.

There is no secret to phish, no password to reuse, and nothing in our database that is useful to an attacker on its own.

Tied to your device, unlocked by you

Your passkey lives in the secure hardware of your phone and is unlocked the way you already unlock your device: Face ID, Touch ID, or your device PIN. That gives you two factors by default. Someone needs both your physical device and your biometric or device PIN to act on your account. A leaked database on our side gives them neither.

Phishing simply stops working

Because a passkey is bound to the real Send domain, it will not sign a challenge for a lookalike site. The classic attack, sending you to a convincing fake page and harvesting what you type, has nothing to harvest. The cryptography refuses to cooperate with an impostor.
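
The challenge signing and domain binding described above, sketched as an added Node.js example of a simplified WebAuthn-style check; it is not Send's code. The origin `https://send.example`, the lookalike `https://send-login.example`, and the function names are assumptions made for illustration.

```javascript
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const RP_ID = 'send.example';            // placeholder relying-party ID (assumption)
const ORIGIN = 'https://send.example';   // placeholder origin (assumption)
const sha256 = (data) => createHash('sha256').update(data).digest();

// Device side: the browser records the origin of the page that asked, and the
// authenticator signs authData || SHA-256(clientDataJSON) with the private key.
function deviceSign(privateKey, challenge, pageOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  const authData = sha256(rpId); // simplified: real authData adds flags and a counter
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign('sha256', signed, privateKey) };
}

// Server side: holds only the public key and the challenge it issued.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const { clientDataJSON, authData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== ORIGIN) return 'bad-origin';
  if (!authData.equals(sha256(RP_ID))) return 'bad-rp-id';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario. The lookalike case is a worst case: a real authenticator
// would find no credential for that RP ID and would not sign at all.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = randomBytes(32);
  const good = deviceSign(privateKey, challenge, ORIGIN, RP_ID);
  const fake = deviceSign(privateKey, challenge, 'https://send-login.example', 'send-login.example');
  // A signature made on the lookalike page does not verify over data naming the real origin.
  const rewritten = { ...good, signature: fake.signature };
  return {
    legitimate: verifyAssertion(publicKey, challenge, good),
    lookalike: verifyAssertion(publicKey, challenge, fake),
    originRewritten: verifyAssertion(publicKey, challenge, rewritten),
    replayed: verifyAssertion(publicKey, randomBytes(32), good),
  };
}

console.log(demo());
```

The server stores only the public key, so the checks that matter are the ones it runs on every login: the challenge it issued, the origin the browser recorded, and the signature covering both.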

What this means for you

In practice, the experience is faster and calmer than passwords ever were:

  • Nothing to memorize, write down, or rotate after a breach
  • A glance or a touch to send money, instead of typing and worrying
  • No password reset emails that attackers can hijack
  • Security that improves automatically as device hardware improves

Money should move at the speed of trust, and trust should not depend on whether you picked a strong enough password. By building Send on passkeys from day one, we made the most common path to stolen funds a dead end. Your keys stay on your device, your money stays yours, and signing in stays as simple as unlocking your phone.
