Passkeys are a game-changer for user convenience and sign-in success, but unlocking their true potential for your websites, apps, and users involves making accounts themselves phishing-resistant by dropping authentication methods that are vulnerable to phishing, including and especially passwords. This talk covers how to get the most out of having deployed passkeys, including deprecating traditional multifactor authentication mechanisms, the iOS 26 account creation API, and automatic passkey upgrades.