Google, Apple, Microsoft and other tech giants are starting to offer a technology that is more secure than passwords: passkeys. Here is all you need to know.
With iOS 16 and iPhone 14, you can test a new authentication technology called passkeys, which Apple, Google and Microsoft believe is superior to passwords. Passkeys protect access to your sites, email services and other accounts more securely than passwords, yet remain simple enough for widespread adoption.
Apple demonstrated these passkeys during its Worldwide Developers Conference last June. Already available on iOS 16, they will be on macOS Ventura in the fall and will also soon arrive on Google Android and Chrome.
Passkeys replace typing a password with biometric verification on the phone or computer. They also avoid phishing and the complexity of two-factor authentication.
Once you set a passkey for a site or app, it is stored on the device. Services like Apple’s iCloud Keychain or Google Chrome’s password manager can sync passkeys across all your devices.
What is a passkey?
It is a new type of authentication that consists of digital data your PC or phone uses when you connect to a server. You can approve each use of this data with an authentication step, such as fingerprint verification, facial recognition, PIN, or the traditional scheme.
But you need to have your phone or computer with you to use the passkeys. You can’t sign in to a passkey-protected account on a friend’s device, for example.
Passkeys are synchronized and saved. If you have a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple can’t see or change your passkeys.
It is very simple. Use your fingerprint, face, or other mechanism to authenticate a passkey when a site or app asks you to set one up. That’s all.
On smartphones, the option to authenticate via passkey appears when you try to connect to an app. Tap on this option, use the chosen authentication technique and you’re done.
For websites, you should see a passkey option in the username field. The process is then similar.
Once your passkey is on your phone, you can use it to simplify login on another nearby device, such as your computer. Once you are connected, the site may offer to create a new passkey linked to this new device.
What if I need to sign in through someone else’s device?
You can use a passkey stored on your phone to log in on a nearby device, such as a borrowed laptop. The login screen on the borrowed device will have an option to present a QR code that you can scan with your smartphone. You’ll use Bluetooth to make sure the phone and computer are nearby, and then you’ll use a fingerprint or face recognition on your own phone. The phone then communicates with the computer via a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys use public-key cryptography. This is the same technology that protects your credit card when you enter the number on a site. The beauty of the system is that a site only has to base its passkey record on your public key, something that, as the name suggests, is public. The private key used to define a passkey is stored only on your own device. There is no database of passwords that a hacker can steal, for example.
Another great advantage is that passkeys prevent phishing attempts. “Passkeys are intrinsically tied to the site or app you set it up for. This way, users can never be tricked into using their passkey on the wrong site,” explained Ricky Mondello during WWDC.
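The two properties described above (the site keeps only a public key, and the signed response names the site that asked for it) can be seen in a simplified model of a passkey sign-in. This is an added example for Node.js, not code from Apple, Google or Microsoft; the function names and the domains example.test and examp1e.test are constructed for illustration.

```javascript
// Simplified model of a passkey sign-in; names and domains are constructed.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: the device makes a key pair and the site stores only the public half.
function createPasskey(siteId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { siteId, privateKey }, siteRecord: { siteId, publicKey } };
}

// Device: the browser (not the user) writes the requesting origin into the signed data.
function signIn(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  const siteHash = sha256(device.siteId);
  const signature = crypto.sign(
    "sha256", Buffer.concat([siteHash, sha256(clientData)]), device.privateKey);
  return { clientData, siteHash, signature };
}

// Site: check origin, challenge and site id, then the signature over all of them.
function verifySignIn(record, expectedOrigin, expectedChallenge, res) {
  const { challenge, origin } = JSON.parse(res.clientData.toString());
  if (origin !== expectedOrigin) return "rejected: wrong origin";
  if (challenge !== expectedChallenge) return "rejected: wrong challenge";
  if (!res.siteHash.equals(sha256(record.siteId))) return "rejected: wrong site";
  const signed = Buffer.concat([res.siteHash, sha256(res.clientData)]);
  return crypto.verify("sha256", signed, record.publicKey, res.signature)
    ? "accepted" : "rejected: bad signature";
}

function demo() {
  const site = "https://example.test";
  const { device, siteRecord } = createPasskey("example.test");
  const challenge = crypto.randomBytes(32).toString("hex"); // fresh per sign-in
  const check = (res, c = challenge) => verifySignIn(siteRecord, site, c, res);
  const stranger = createPasskey("example.test").device; // lacks the real private key
  return {
    genuine: check(signIn(device, challenge, site)),
    lookAlike: check(signIn(device, challenge, "https://examp1e.test")),
    replayed: check(signIn(device, challenge, site), crypto.randomBytes(32).toString("hex")),
    wrongKey: check(signIn(stranger, challenge, site)),
  };
}

console.log(demo());
```

Only the genuine sign-in is accepted; a response produced on the look-alike origin, one signed for an earlier challenge, and one signed with a different key are all rejected, and nothing stored in `siteRecord` would let someone who stole it sign in.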
Using passkeys requires having your device close at hand, a combination that offers the protection of two-factor authentication with less of the frustration of codes sent by text message. And with passkeys, no one can look over your shoulder to see you type in your password.
When will passkeys arrive?
Passkeys started arriving this year. They are present on iOS 16 and will soon arrive on iPadOS 16 and macOS Ventura. Google will introduce support on Android before the end of 2022. Chrome has already started testing them in its Canary channel. Passkeys should officially arrive in Chrome and Chrome OS at the same time. Microsoft intends to support them in Windows later this year.
That being said, this is just about enabling the technology. Apps and websites will need to be updated to support passkeys. Some developers will do it very quickly, others much more slowly. And even if passkeys rapidly become popular, passwords are not expected to disappear.
Will the sites and apps require me to use passkeys?
It is very unlikely that you will be forced to use passkeys. The sites and apps you already use will certainly offer you the traditional password alongside the passkeys.
When you register for a new service, however, passkeys may be offered as the preferred option. And eventually, they could become the only possibility.
Do passkeys lock you into the Google or Apple ecosystem?
Not exactly. Although the passkeys are rooted in the technologies of one of the two giants, you will be able to switch from one to the other easily.
“Users can register on a Google Chrome browser on a Microsoft Windows device using a passkey on an Apple device,” said Vasu Jakkal of Microsoft.
The giants behind this technology are also working to allow passkeys to be migrated from one giant to another, Apple and Google explained.
Password managers play an important role in generating, storing, and synchronizing passwords. But passkeys are rooted in your smartphone or computer, not in your password manager. At least in the eyes of Google and Apple.
However, that could change. “We expect a natural evolution of the architecture that allows third-party passkey managers to enter the game and offer, in particular, portability between ecosystems,” according to Mark Risher, head of authentication at Google.
Passkeys should evolve to break down barriers between ecosystems and accommodate third-party password managers. “This has been a talking point from the start.”
And indeed, Dashlane is already testing support for passkeys. The manager plans to offer it to the general public in the coming weeks. Users can store their passkeys for their sites and enjoy the same convenience and security they already have with their passwords, the company explained in a blog post.