This story is part of WWDC 2022, CNET’s complete coverage of Apple’s annual developer conference.
What is happening
This year, Apple and Google are updating their phone software and web browsers with a technology called passkeys, which is designed to be easier to use and more secure than passwords.
Why it matters
Passwords face challenges, but tech giants have teamed up to develop a practical alternative that reduces vulnerabilities and hacking risks.
With the iOS 16 release on Monday, Apple has introduced support for passkeys, a new sign-in technology that promises to be more secure than passwords in protecting access to our bank accounts and email. Apple demonstrated passkeys at its Worldwide Developers Conference and said they would come to iOS 16 and MacOS Ventura this fall. They are also coming to Android from Google and to web browsers.
Passkeys are just as easy to use as passwords, maybe easier. They replace the many keystrokes required for passwords with biometric verification on our phones or computers. They also stop phishing attacks and eliminate the complications of two-factor authentication, such as SMS codes, which were added to compensate for the weaknesses of the password system.
After you set up a passkey for a site or app, it’s saved on the phone or PC you used to set it up. Services such as Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passkeys across your devices. Dozens of technology companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.
“Now is the time to embrace them,” said Garrett Davidson, an Apple authentication technology engineer, in a WWDC talk about passkeys. “With access keys, not only is the user experience better than with passwords, but entire categories of security—such as weak and reused credentials, credential leakage, and phishing—are no longer possible.”
You’ll need to spend some time learning before passkeys can reach their full potential. You’ll also need to decide whether Apple, Microsoft or Google is the best option for you.
Here’s a look at the technology.
What is a passkey?
This is a new type of login credential that consists of a small amount of digital data that your PC or phone uses when you log in to a server. You approve each use of this data through an authentication step, such as fingerprint verification, facial recognition, a PIN, or a login pattern familiar to Android phone owners.
Here’s the catch: You need to have your phone or computer with you to use your passkeys. You can’t sign in to a passkey-protected account from a friend’s computer without your own device.
Passkeys are synchronized and backed up. When you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple cannot see or change the passkeys. Apple designed its system to keep passkeys safe even if an attacker or an Apple employee compromises your iCloud account.
How does the passkey setup work?
It’s pretty simple. When a website or app prompts you to set up a passkey, use your fingerprint, face, or other mechanism to authenticate it. That’s all.
How do I use a passkey to sign in?
When you’re using a phone, the passkey authentication option will appear when you try to sign in to the app. Tap that option, use your chosen authentication method, and you’re all set.
For websites, you should see a passkey option in the username field. After that, the process is the same.
If you have a passkey on your phone, you can use it to help sign in on another device nearby, such as your laptop. Once you’re signed in, the website may offer to create a new passkey associated with the new device.
What if I need to log in to a website using someone else’s computer?
You can use the passkey saved on your phone to sign in on another device nearby, such as a laptop you’re borrowing. The login screen on the borrowed laptop will have the option to present a QR code that can be scanned with your phone. Bluetooth is used to make sure your phone and the computer are near each other, and then you use fingerprint or Face ID verification on your own phone. Your phone will then connect to the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys use a time-tested security framework called public-key cryptography for login. This is the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that the website only has to base its passkey record on your public key, data that is meant to be publicly visible. The private key used to set up the passkey is stored only on your device. There is no database of passwords that a hacker can steal.
Another big advantage is that passkeys block phishing attempts. “Passwords are inextricably linked to the website or app they were set up for, so users can never be tricked into using their access key on the wrong site,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
Using passkeys requires having your device close at hand and being able to unlock it, a combination that provides the protection of two-factor authentication but with less work than SMS codes. And with passkeys, no one can look over your shoulder and watch you type a password.
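The sign-in flow described above, as an added example that is not part of the original article: a simplified sketch in which the site keeps only a public key and the device signs a fresh challenge together with the address of the site that is asking. The function names, the JSON message layout and the bank.example addresses are constructed for illustration; real passkeys use the WebAuthn message format.

```javascript
// Added illustration: a simplified passkey-style sign-in. Real passkeys use
// the WebAuthn message format; the JSON layout and names here are constructed.
const nodeCrypto = require('node:crypto');

// Registration: the device makes a key pair for one site. The site stores
// only the public key; the private key never leaves the device.
function register(device, origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  device.passkeys.set(origin, privateKey);
  return publicKey.export({ type: 'spki', format: 'pem' }); // server's record
}

// Sign-in, device side. The browser supplies pageOrigin from the page that is
// actually asking, so a look-alike site finds no passkey to use.
function signIn(device, pageOrigin, challenge) {
  const privateKey = device.passkeys.get(pageOrigin);
  if (!privateKey) return null;
  const clientData = JSON.stringify({ origin: pageOrigin, challenge });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Sign-in, server side: check the signature with the stored public key, then
// check that the signed data names this site and this login attempt.
function verify(serverRecord, siteOrigin, challenge, response) {
  if (!response) return false;
  const data = Buffer.from(response.clientData);
  if (!nodeCrypto.verify('sha256', data, serverRecord, response.signature)) return false;
  const signed = JSON.parse(response.clientData);
  return signed.origin === siteOrigin && signed.challenge === challenge;
}

// Constructed sample run.
function demo() {
  const site = 'https://bank.example';
  const device = { passkeys: new Map() };
  const serverRecord = register(device, site);
  const challenge = nodeCrypto.randomBytes(16).toString('hex'); // fresh per login
  const good = signIn(device, site, challenge);
  return {
    serverHoldsOnlyPublicKey: !serverRecord.includes('PRIVATE KEY'),
    genuineLogin: verify(serverRecord, site, challenge, good),
    lookAlikeSite: signIn(device, 'https://bank-login.example', challenge),
    replayedLogin: verify(serverRecord, site, 'a-later-challenge', good),
  };
}
```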
When will I see passkeys?
Passkeys are starting to appear this year.
At its Worldwide Developers Conference, Apple said it would bring passkeys to iOS 16 and MacOS Ventura, major updates to its operating systems expected this fall. In May, Google’s authentication leader Mark Risher said Google will bring passkey support to Android by the end of 2022 for developer testing. Passkey support should appear in Chrome and Chrome OS at the same time. Microsoft plans support for Windows in the coming months.
Some websites and apps will be eager to update their login software to use passkeys so they can take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on quickly, don’t expect passwords to disappear.
Will websites and apps require me to use passkeys?
It is unlikely that you will be forced to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add support for passkeys alongside existing password methods.
When you sign up for a new service, passkeys may be offered as the preferred option. In the end, they may be the only option.
Will passkeys lock me into the Apple or Google ecosystems?
Not at all. Although passkeys are tied to one company’s technology stack, you’ll be able to step out of, say, Apple’s world and use passkeys from Microsoft or Google.
“Users can sign in to Google Chrome running on Microsoft Windows using a passkey on an Apple device,” Vasu Jakkal, Microsoft’s leader in security and identity technology, said in a May blog post.
Apple and Google say passkey proponents are also working on technology that allows people to transfer their passkeys from one technical domain to another.
How are password managers related to passkeys?
Password managers play an increasingly important role in creating, storing and synchronizing passwords. But your passkeys are likely to be tied to your phone or PC, not a password manager, at least in the eyes of tech giants like Google and Apple.
However, this may change.
“We expect the natural evolution of an architecture that allows third-party key managers to be plugged in and provides portability across ecosystems,” Google’s Risher said.
He expects passkeys to evolve to lower barriers between ecosystems and accommodate third-party key managers. “It’s been a topic of discussion since the beginning of the industry.”
Indeed, the Dashlane password manager is testing passkey support and plans to release it widely in the coming weeks. “Users can save their access keys for multiple sites and enjoy the same convenience and security they already have with their passwords,” the company said in a blog post.
1Password maker AgileBits just joined the FIDO Alliance, and Dashlane, Bitwarden and LastPass are already members.