Passkeys, the passwordless login technology, are coming to iOS 16 on Monday

This story is part of WWDC 2022, CNET’s full coverage of and about Apple’s annual developer conference.

What is happening

Apple and Google are updating their phone software and web browsers this year with technology called passkeys designed to be easy to use and more secure than passwords.

Why does it matter

Passwords are full of problems, but the tech giants have teamed up to design a workable alternative that reduces vulnerabilities and hacking risks.

With the iOS 16 release on Monday, Apple will introduce support for passkeys, a new login technology that promises to be more secure than passwords in protecting access to our bank accounts and email. Apple presented passkeys at its Worldwide Developers Conference, where it said they would come to iOS 16 and the macOS release coming this fall. They’re coming to Android from Google and to web browsers, too.

Passkeys are at least as easy to use as passwords, perhaps easier. They replace the flurry of keystrokes needed for passwords with biometric checks on our phones or computers. They also stop phishing attacks and remove the complications of two-factor authentication, such as SMS codes, that shore up the weaknesses of password systems.

Once you set up a passkey for a website or app, it is stored on the phone or PC you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome password manager can sync passkeys across your devices. Dozens of technology companies have developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.

“With passkeys, not only is the user experience better than using passwords, but there is no longer potential for full security categories – such as weak and reused credentials, credential leaks, and phishing,” Garrett Davidson, Apple’s authentication technology engineer, said in a WWDC talk about passkeys.

You’ll have to spend some time on the learning curve before passkeys realize their potential. You will also have to decide if Apple, Microsoft or Google is the best option for you.

Here is a look at the technology.

What is a passkey?

It is a new type of login credential that consists of a small piece of numeric data that your computer or phone uses when you log in to a server. You consent to each use of this data with an authentication step, such as a fingerprint scan, face recognition, PIN code, or the unlock swipe pattern familiar to Android phone owners.

Here’s the catch: You must have your phone or computer with you to use passkeys. You can’t sign in to a passkey-secured account from a friend’s computer without your own device.

Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can recover your passkeys. With end-to-end encryption, Google and Apple cannot see or change passkeys. Apple designed its system to keep passkeys safe even if an attacker or an Apple employee has compromised your iCloud account.

How does setting up a passkey work?

It’s very simple. Use your fingerprint, face, or other passkey authentication mechanism when a website or app prompts you to set one up. That’s it.

Three-step illustration of the passkey login process on an Android phone

These steps explain how to sign in with passkeys on your Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with your fingerprint ID. Face recognition is also an option on compatible phones.

How do I use the passkey to log in?

When using a phone, the passkey authentication option will appear when you try to sign in to an app. Tap that option, use your chosen authentication technology, and you’re good to go.

For websites, you should see the passkey option by the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to make it easier to sign in on another device nearby, like your laptop. Once you’re logged in, that website can offer to create a new passkey associated with the new device.

What if I need to log into a website while using someone else’s computer?

You can use a passkey stored on your phone to sign in on another nearby device, such as a laptop that you’re borrowing. The login screen on the borrowed laptop will have an option to show a QR code that you can scan with your phone. It will use Bluetooth to make sure your phone and the computer are close together, and then let you use your fingerprint or face ID on your phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.

Why are passkeys more secure than passwords?

Passkeys use a time-tested security foundation called public key cryptography for the login process. This is the same technology that protects your credit card number when you type it into a website. The beauty of the system is that a website only needs to keep a record of your public key, which is data that is designed to be openly visible. The private key used to set up the passkey is stored only on your device. There is no password database that a hacker can steal.

Another great benefit is that passkeys prevent phishing attempts. “Passkeys are intrinsically linked to the website or application for which they are set up, so users can never be deceived into using their passkey on the wrong website,” said Ricky Mondello, who oversees authentication technology at Apple, in a WWDC video.

Using passkeys requires you to have your device close at hand and be able to unlock it, a combination that offers two-factor authentication protection but with less trouble than SMS codes. And with passkeys, no one can snoop over your shoulder to watch you type your password.

When will I see passkeys?

Passkeys start appearing this year.

At its Worldwide Developers Conference, Apple said it will bring passkeys to iOS 16 and macOS Ventura, major operating system software updates expected this fall. Google will provide passkey support for Android by the end of 2022 for developers to test, Mark Risher, Google’s authentication lead, said in May. Passkey support should reach Chrome and Chrome OS at the same time. Microsoft plans to support passkeys in Windows in the coming months.

Some websites and apps will be eager to update their login software to use passkeys, so that they can take advantage of the security benefits. Others will move slower. Even if passkeys catch on quickly, don’t expect passwords to disappear.

Will websites and apps require me to use passkeys?

You are unlikely to be required to use passkeys while the technology is new and unfamiliar. The websites and apps you already use will likely add passkey support alongside their existing password methods.

A person uses a phone to scan a QR code to enable passkey login on a nearby computer

If you need to log in on a friend’s computer that doesn’t have your passkey, scanning the QR code will allow your phone to handle the authentication process.

When registering for a new service, passkeys may be presented as a preferred option. In the end, they may become the only option.

Will passkeys confine me to Apple or Google systems?

Not exactly. Even though passkeys are tied to one company’s own set of technology, you’ll be able to step outside the Apple world, for example, to use passkeys with Microsoft or Google.

“Users can sign in on the Google Chrome browser running on Microsoft Windows, using a passkey on the Apple device,” said Vasu Jakkal, Microsoft’s leader in security and identity technology, in a May blog post.

Passkey advocates are also working on technology to allow people to migrate their passkeys from one technology domain to another, Apple and Google say.

How do password managers handle passkeys?

Password managers play an increasingly important role in creating, storing, and synchronizing passwords. But it’s possible that passkeys will live on your phone or PC, not in your password manager, at least in the eyes of tech giants like Google and Apple.

It could change, though.

“We expect a natural evolution of an architecture that allows third-party passkey managers to communicate, and for portability between ecosystems,” said Google’s Risher.

Passkeys are expected to evolve to reduce barriers between ecosystems and accommodate third-party passkey managers. “This has been a talking point since early in the industry.”

In fact, the Dashlane password manager is testing passkey support and plans to release it widely in the coming weeks. “Users can store their passkeys for multiple sites and benefit from the same convenience and security they already have with their passwords,” the company said in a blog post.

1Password maker AgileBits just joined the FIDO Alliance, and Dashlane and LastPass are already members.