Bye-Bye, Passwords? Why Passkeys Can Be the New Way to Log Into Apps, Sites

Companies look for high-tech ways to block criminals from our private information


Video: What Is a Passkey? How Do I Use One?

Most of us agree passwords are a drag. At best, we’re indifferent to them even as we begrudgingly recognize their purpose.

The biggest tech companies share your frustration. Apple, Google and Microsoft, along with giant companies in other fields, are throwing their collective weight behind a password alternative called passkeys, which promise to be more secure than regular passwords and eliminate the associated hassles.

Passkeys are based on an emerging standard developed by the Fast IDentity Online (FIDO) Alliance, an industry group, and the World Wide Web Consortium. FIDO Alliance members include Amazon, American Express, Bank of America, Chase, CVS Health, eBay, Intel, Lenovo, Mastercard, Meta, PayPal, Samsung, Sony, Qualcomm, Verizon, Visa and Wells Fargo.

While passwords as we know them aren’t going to disappear anytime soon, the new passkey solution has already started showing up.

On May 3, Google began rolling out passkeys across all Google Accounts on all major platforms, meaning you now have the option to ditch passwords. Passkeys leverage the login methods you may already use to unlock your device, such as facial recognition, fingerprint scanning or a personal identification number, better known as a PIN code. That check happens on the device itself: your face, fingerprint or PIN is never sent to Google or to any website.

At its Worldwide Developers Conference in June 2022, Apple went all in on passkeys, which it made available to developers as part of its macOS Ventura and iOS 16 operating system software for Mac computers and iPhones. Apple’s stated goal is to replace passwords for good over the long term.

More changes are possible in 2023

Apple’s very public embrace of passkeys last year came about a month after Google heralded the solution at its own developer conference.

Google initially added passkey support for developers of Android and Chrome.

What’s the difference?

Passcode, a.k.a. personal identification number (PIN). A secret numeric code of at least four digits that a person uses to verify his or her identity

Password. A word or string of characters that an authorized user creates to log in to a computer system or service

Passphrase. A sentence-like set of words or characters, longer than a password but often easier to remember, that serves as a login to apps and websites

Passkey. A pair of cryptographic keys tied to both a specific app or website and the device (or synced keychain) that holds it. The site keeps the public key; the private key stays on your device and is unlocked with your face, fingerprint or PIN. Both “keys” need to fit before a user is allowed in, and because the browser or app only offers the key for the site it is actually talking to, a passkey cannot be used on a look-alike site. The sign-in often happens without your typing a username or any other proof of identification.

Microsoft is on board, too, and expects people to be able to use passkeys across all its platforms as well.

A year ago, the three normally fierce rivals issued a joint news release with FIDO. “The complete shift to a passwordless world will begin with consumers making it a natural part of their lives,” Alex Simons, a Microsoft corporate vice president for identity program management, said in the release. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today. By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords.”

“In the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device,” Simons said in a separate blog post.

For now, people who want to remove the password from their Microsoft accounts can use the Microsoft Authenticator app to log in. It works in tandem with two-factor authentication: you approve the sign-in on a phone you’ve unlocked with your face, fingerprint or PIN.

The problems with existing passwords

We’re all too familiar with the problems passkeys aim to solve. Most people ignore the advice of security experts and use the same or similar passwords across the board when signing in to apps and websites. Indeed, 2 in 3 Americans report reusing passwords for different online accounts, according to an Ipsos poll of 4,000 U.S. adults.

Making matters worse: We often choose passwords that are no more complex than the name of our pet or kindergarten teacher, not to mention “password” as a password or “12345.” In other words, soft credentials the bad guys can easily guess.

And when we do choose strong passwords that are way harder to crack — a long seemingly random string of upper- and lower-case letters, numbers and symbols — we often have a hard time remembering them.

Password managers that let you store and auto-generate complex passwords can ease some of the irritation folks feel, sometimes for a subscription price. But relatively few people take advantage of them.

Phishing attacks could become passé

The promise behind passkeys is that they won’t force you into the usual trade-off between convenience and strong security. Garrett Davidson, who works in the authentication experience area at Apple, told developers that passkeys eliminate not only the fallout from breaches of the password databases stored on companies’ servers (a passkey database holds only public keys, which are useless to an attacker) but also phishing attacks, in which users are tricked into voluntarily surrendering their credentials.

Separate physical security tokens and the one-time two-factor authentication codes that today complement passwords may no longer be required, because the passkey itself is bound to your device. While the “public key cryptography” technique behind passkeys is complex, FIDO’s executive director and chief marketing officer, Andrew Shikiar, says consumers using facial recognition or fingerprints to log in to sites and apps won’t see big changes from what they’re accustomed to today.

“The difference is there is no password there for a hacker to hack because even a strong password can be manipulated,” he says.

According to Google, you’ll need one of the following to sign in with a passkey:

  • A laptop or desktop that runs Windows 10, macOS Ventura or ChromeOS 109 or later 
  • A mobile device that runs iOS 16 or Android 9 or later 
  • A hardware security key that supports the FIDO2 protocol 

Google adds that your computer or mobile device will also need a supported browser, including Chrome 109, Edge 109 or Safari 16 or later. 

Devices must also have a screen lock, and Bluetooth if you wish to use a passkey on a phone to sign in to another computer. If you haven’t set up a passkey yet, tap Create a Passkey | Continue and follow the instructions. You will be prompted to create a passkey on any supported device that you use to sign in to your Google account. 

Do not create a passkey for a shared device if you don’t want other users to access your account, Google warns.

You can use a passkey on your phone to sign in on another device. The first time you sign in on a computer this way, a QR code appears on the computer screen for you to scan with your phone’s camera; the phone then confirms over Bluetooth that it is physically next to the computer before it signs the request. This step won’t be required the next time you sign in on the same computer. Once you have signed in, you’ll be offered the option to create a passkey on that machine. Make sure it is your own device before doing so, since anyone who can unlock that computer could then use the passkey.

In Apple’s case, once a passkey is set up, which you can do in conjunction with Face ID facial recognition or the Touch ID fingerprint sensor on Apple devices, a unique digital key is created that works only for the site you intended. Since Apple syncs passkeys through its iCloud Keychain, which is end-to-end encrypted so that Apple itself cannot read them, they are instantly available across the Apple product portfolio on Apple TVs, iPads, iPhones and Macs.

How passkeys work

In layman’s terms, a passkey is a pair of mathematically linked keys. One is a public key, which the website stores when you register the passkey. The other is the matching private key, which is created on your phone, computer or tablet and never leaves it (or, for synced passkeys, your encrypted keychain). When you sign in, the site sends a one-time challenge; after you unlock your device with your face, fingerprint or PIN, the device signs the challenge with the private key, and the site checks the signature with the public key it holds. Someone would have to possess and unlock your device for a breach to be possible.

“If I steal your [standard] password and have your credential, I would go right away and try to stuff that into every major banking site, travel site, retail site,” Shikiar says. “I can do that for pennies [and] I’d probably have around a 5 percent success rate and take over those accounts.”

“But if I steal your public key, I can’t do anything with it. There’s no value to that public key,” he says. “[Since] the private key stays on your device safely, the only way for you to activate that private key is to verify yourself [on] your device.”

Will passwords ever die?

Despite tech giants’ very public push, passkeys won’t happen overnight. Your bank, broker and other companies you do business with are likely to be on their own timeline.

“Every service provider will have their own path for when they choose to implement this,” Shikiar says. Some regulatory issues also must be worked out.

But “all the platforms will have support for passkeys in the market,” he says. “In late 2023, 2024, this will become more and more of a common login option or experience.”

Even so, suggesting passwords are on borrowed time is premature. Consider it highly unlikely that the companies you frequently encounter will tell you something along the lines of, “Sorry, we no longer accept passwords,” in the near term, if ever.

“We will always have passwords in some capacity,” says Christopher Budd, senior manager of threat research at British-based Sophos. That means brushing up on good security practices and choosing passwords that are strong and not repeated elsewhere.

This story, originally published July 14, 2022, has been updated to reflect the rollout of passkeys for Google Accounts.
