Passkeys Explained: Apple, Google and Microsoft finally have an easy way to dump passwords

Passkeys Explained: Apple, Google and Microsoft finally have an easy way to dump passwords
Written by admin_3fxxacau

This story is part WWDC 2022CNET’s full coverage from and about Apple’s annual developer conference.

What is happening

Apple and Google will update their phone software and web browsers later this year with a technology called passkeys, designed to be easier to use and more secure than passwords.

why is it important

Passwords are plagued with problems, but tech giants have cooperated to design a convenient alternative that reduces vulnerabilities and hacking risks.

Apple and Google will introduce support for security keys later this year, a new login technology that promises to be more secure than passwords for protecting access to our bank accounts and emails. Apple demonstrated security keys at its Worldwide Developers Conference and said they would come iOS16 and Mac OS Ventura this autumn.

Access keys are as easy, perhaps easier, to use than passwords. They replace the riot of keystrokes needed for passwords with biometric verification on our phones or computers. They also stop phishing attacks and banish the complications of two-factor authentication, such as SMS codes, which reinforce weaknesses in the password system.

After you set up a password for a site or app, it’s stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passkeys across your devices. Dozens of tech companies have developed the open standards behind security keys in a group called the FIDO Alliancewho announced security keys in May.

“Now is the time to embrace them,” said Garrett Davidson, authentication technology engineer at Apple, in a WWDC talks about access keys. “With access keys, not only is the user experience better than with passwords, but whole categories of security – like weak and reused credentials, credential leaks, and phishing – are simply no longer possible.”

You will have to spend some time on the learning curve before security keys reach their potential. You’ll also need to decide if Apple, Microsoft, or Google is the best option for you.

Here is an overview of the technology.

What is a password?

This is a new type of login ID consisting of a bit of numerical data that your PC or phone uses when connecting to a server. You approve each use of this data with an authentication step, such as fingerprint verification, facial recognition, a PIN, or the login pattern familiar to Android phone owners.

Here’s the catch: you’ll need to have your phone or computer with you to use the passkeys. You cannot log into a password-secured account from a friend’s computer without your own device.

Security keys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can restore your security keys. With end-to-end encryption, Google and Apple cannot see or change access keys. Apple has designed its system to keep security keys safe even if an attacker or an Apple employee compromises your iCloud account.

How does setting up a password work?

It’s quite simple. Use your fingerprint, face, or other mechanism to authenticate a passkey when a website or app prompts you to set one up. That’s it.

A three-step illustration of the authentication key login process on an Android phone

These steps show how to sign in with passkeys on an Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with a fingerprint ID. Facial recognition is also an option on compatible phones.


How do I use a password to log in?

When using a phone, a password authentication option appears when trying to log into an app. Tap that option, use your chosen authentication technique, and you’re there.

For websites, you should see a password option in the username field. After that, the process is the same.

Once you have a passcode on your phone, you can use it to make logging in easier on another nearby device, like your laptop. Once logged in, this website may offer to create a new password related to the new device.

What if I need to log into a website while using someone else’s computer?

You can use a password stored on your phone to log in to another nearby device, like a borrowed laptop. The login screen on the borrowed laptop will have the option to present a QR code that you can scan with your phone. You’ll use Bluetooth to make sure your phone and computer are nearby, and then let you use fingerprint or face ID verification on your own phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.

Why are access keys more secure than passwords?

Access keys use a proven security foundation called public key cryptography for the login operation. It’s the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that a website only has to base its passkey record on your public key, data designed to be openly visible. The private key used to set up a password is stored only on your own device. There is no database of passwords that a hacker can steal.

Another great advantage is that security keys block phishing attempts. “Security keys are inherently tied to the website or application for which they were configured, so users can never be tricked into using their security key on the wrong website,” Ricky Mondellowho oversees authentication technology at Apple, said in a WWDC video.

Using passkeys requires you to have your device at hand and be able to unlock it, a combination that offers the protection of two-factor authentication but with less hassle than SMS codes. And with passkeys, no one can snoop over your shoulder to watch you type in your password.

When will I see the access keys?

Master keys could emerge this year.

At its Worldwide Developers Conference, Apple said it will bring access keys to iOS 16 and MacOS Ventura, its major operating system software updates expected this fall. In May, Google has announced that it will bring support for Android software passkeys by the end of 2022 for developer testing, said Google Authentication Manager Mark Risher. Passkey support is expected to arrive in Chrome and Chrome OS at the same time. Microsoft is planning Windows support in the coming months.

Some websites and apps will be eager to update their login software to use security keys so that they can enjoy the security benefits. Others will move slower. Even though access keys are spreading rapidly, don’t expect passwords to disappear.

Will websites and apps require me to use passkeys?

It is unlikely that you will be required to use security keys when the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support to existing password methods.

A person uses a phone to scan a QR code to activate passkey login on a nearby computer

If you need to connect to a friend’s computer who doesn’t have your password, scanning a QR code will allow your phone to handle the authentication process.


When you sign up for a new service, Access Keys may be presented as the preferred option. Eventually, they may become the only option.

Will access keys lock me into the Apple or Google ecosystems?

Not exactly. Although security keys are rooted in a company’s technology suite, you will be able to disconnect, for example, from the world of Apple to use security keys with those of Microsoft or Google.

“Users can sign in on a Google Chrome browser running on Microsoft Windows, using a password on an Apple device”, Vasu Jakkala Microsoft leader in security and identity technologies, said in a blog post in May.

Passkey advocates are also working on technology to allow people to migrate their passkeys from one area of ​​technology to another, according to Apple and Google.

How are password managers involved with access keys?

In short, they are not, for the moment. Password managers are playing an increasingly important role in generating, storing, and synchronizing passwords. But the passkeys will be rooted on your phone or personal computer, not your password manager.

That could change, however.

“We expect a natural evolution toward an architecture that allows third-party passkey managers to plug in and portability across ecosystems,”

Google’s Risher expects security keys to evolve to reduce barriers between ecosystems and accommodate third-party security key managers. “That’s been a talking point since the start of this industry push.”

1Password maker AgileBits has just joined the FIDO Allianceand DashLane and LastPass are already members.

#Passkeys #Explained #Apple #Google #Microsoft #finally #easy #dump #passwords

About the author


Leave a Comment