It’s time to learn more about passkeys, the passwordless login technology

This story is part of WWDC 2022, CNET’s full coverage from and about Apple’s annual developer conference.

What is happening

Apple and Google will update their phone software and web browsers later this year with a technology called passkeys, designed to be easier to use and more secure than passwords.

Why is it important

Passwords are plagued with problems, but tech giants have cooperated to design a convenient alternative that reduces vulnerabilities and hacking risks.

Later this year, Apple will introduce support for a new login technology that promises to be more secure than passwords, the jumble of letters, numbers and special characters we routinely curse when trying to log in to our bank accounts or our e-mail.

Coming to iOS 16 and macOS Ventura, passkeys do not require you to come up with a unique one for each application or service, as best practice with passwords demands. They also don’t need a second factor of authentication, like an SMS code, to cover gaps in the password system.

Passkeys are as easy to use as passwords, perhaps easier, because they don’t involve typing or remembering the riot of keystrokes required for passwords. They also stop phishing attacks and banish the complications of two-factor authentication.

After you set up a passkey for a site or app, it’s stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passkeys across your devices. Dozens of tech companies have developed the open standards behind passkeys in a group called the Fast Identity Online (FIDO) Alliance.

“Now is the time to embrace them,” Garrett Davidson, an authentication technology engineer at Apple, told a WWDC session on passkeys. “With access keys, not only is the user experience better than with passwords, but whole categories of security – like weak and reused credentials, credential leaks, and phishing – are simply no longer possible.”

You will have to spend some time on the learning curve before passkeys reach their potential. You’ll also need to decide if Apple, Microsoft, or Google is the best option for you.

Here is an overview of the technology.

What is a passkey?

It is a new type of login credential consisting of a bit of digital data that your PC or phone uses when connecting to a server. You approve each use of this data with an authentication step, such as fingerprint verification, facial recognition, a PIN, or the login pattern familiar to Android phone owners.

Here’s the catch: you’ll need to have your phone or computer with you to use passkeys. You cannot log into a passkey-secured account from a friend’s computer without your own device.

Passkeys are synchronized and backed up. If you get a new Android phone, Google can restore your passkeys. With end-to-end encryption, Google cannot see or change passkeys.

How does setting up a passkey work?

It’s quite simple. Use your fingerprint, face, or other mechanism to authenticate a passkey when a website or app prompts you to set one up. That’s it.

Image: A three-step illustration of the passkey login process on an Android phone. These steps show how to sign in with passkeys on an Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with a fingerprint ID. Facial recognition is also an option on compatible phones. (Credit: Google)

How do I use a passkey to log in?

When using a phone, a passkey authentication option appears when you try to log into an app. Tap that option, use your chosen authentication technique, and you’re in.

For websites, you should see a passkey option in the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to make logging in easier on another nearby device, like your laptop. Once you’re logged in, the website may offer to create a new passkey linked to the new device.

What if I need to log into a website while using someone else’s computer?

You can use a passkey stored on your phone to log in on another nearby device, like a borrowed laptop. The login screen on the borrowed laptop will have the option to present a QR code that you can scan with your phone. Bluetooth is used to make sure your phone and the computer are near each other, and then you use fingerprint or face ID verification on your own phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.

Why are passkeys more secure than passwords?

Passkeys use a proven security foundation called public key cryptography for the login operation. It’s the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that a website’s record of your passkey needs only your public key, data designed to be openly visible. The private key used to set up a passkey is stored only on your own device. There is no database of passwords that a hacker can steal.

Another great advantage is that passkeys block phishing attempts. “Security keys are inherently tied to the website or application for which they were configured, so users can never be tricked into using their security key on the wrong website,” said Ricky Mondello, who oversees authentication technology at Apple, in a WWDC video.

Using passkeys requires you to have your device at hand and be able to unlock it, a combination that offers the protection of two-factor authentication but with less hassle than SMS codes. And with passkeys, no one can snoop over your shoulder to watch you type in your password.
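
The public-key login and site binding described above, as a simplified sketch added here (not code from Apple, Google or the FIDO Alliance). The class and function names and the bank.example sites are constructed for illustration, and the message layout only approximates the WebAuthn format.

```javascript
// Simplified passkey (WebAuthn-style) login. Added illustration, not the real wire format.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
// The device: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // rpId (site hostname) -> private key
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // all the site ever receives
  }
  // origin is reported by the browser, not chosen by the page.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey for this site: nothing to give away
    const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]); // rpIdHash, flags, counter
    const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientData)]), privateKey);
    return { clientData, authData, signature };
  }
}

// The website: holds only the public key; checks challenge, origin and signature.
function verifyLogin(publicKeyPem, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { clientData, authData, signature } = assertion;
  const client = JSON.parse(clientData.toString());
  if (client.type !== "webauthn.get") return false;
  if (client.challenge !== expectedChallenge) return false; // fresh challenge stops replay
  if (client.origin !== expectedOrigin) return false;       // signed on a different site
  const rpIdHash = sha256(new URL(expectedOrigin).hostname);
  if (!authData.subarray(0, 32).equals(rpIdHash)) return false;
  return crypto.verify("sha256", Buffer.concat([authData, sha256(clientData)]), publicKeyPem, signature);
}

function demo() {
  const SITE = "https://bank.example", LOOKALIKE = "https://bank-login.example"; // constructed names
  const newChallenge = () => crypto.randomBytes(32).toString("base64url");
  const device = new Authenticator();
  const storedPublicKey = device.register(new URL(SITE).hostname);
  const challenge = newChallenge();
  return {
    genuine: verifyLogin(storedPublicKey, SITE, challenge, device.sign(SITE, challenge)),
    lookalikeGetsAssertion: device.sign(LOOKALIKE, challenge) !== null,
    replayed: verifyLogin(storedPublicKey, SITE, newChallenge(), device.sign(SITE, challenge)),
  };
}
console.log(demo());
```

The genuine login verifies, the lookalike origin receives no assertion at all, and an assertion signed for an earlier challenge is rejected.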

When will I see passkeys?

Passkeys could emerge this year.

At its Worldwide Developers Conference, Apple said it will bring passkeys to iOS 16 and macOS Ventura, its major operating system software updates expected this fall. In May, Google announced it would bring passkey support to its Android software by the end of 2022 for developer testing, Google authentication chief Mark Risher said. Passkey support is expected to arrive in Chrome and Chrome OS at the same time. Microsoft is planning Windows support in the coming months.

Some websites and apps will be eager to update their login software to use passkeys so that they can enjoy the security benefits. Others will move more slowly. Even though passkeys are spreading rapidly, don’t expect passwords to disappear.

Will websites and apps require me to use passkeys?

It is unlikely that you will be required to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support alongside existing password methods.

Image: A person uses a phone to scan a QR code to activate passkey login on a nearby computer. If you need to log in on a friend’s computer that doesn’t have your passkey, scanning a QR code will allow your phone to handle the authentication process. (Credit: Apple)

When you sign up for a new service, passkeys may be presented as the preferred option. Eventually, they may become the only option.

Will passkeys lock me into the Apple or Google ecosystems?

Not exactly. Although passkeys are rooted in one company’s technology suite, you will be able to step outside, for example, the world of Apple and use passkeys with those of Microsoft or Google.

“Users can sign in on a Google Chrome browser that runs on Microsoft Windows, using a password on an Apple device,” Vasu Jakkal, a Microsoft security and identity technology manager, said in a blog post in May.

Passkey advocates are also working on technology to allow people to migrate their passkeys from one technology domain to another, according to Apple and Google.

How are password managers involved with passkeys?

In short, they are not, for the moment. Password managers are playing an increasingly important role in generating, storing, and synchronizing passwords. But passkeys will be rooted in your phone or personal computer, not your password manager.

That could change, however.

“We expect a natural evolution toward an architecture that allows third-party passkey managers to plug in and portability across ecosystems,”

Google’s Risher expects passkeys to evolve to reduce barriers between ecosystems and accommodate third-party passkey managers. “That’s been a talking point since the start of this industry push.”

1Password maker AgileBits has just joined the FIDO Alliance, Dashlane is already a member and LastPass is also involved.
