Passkeys, Which Replace Passwords, Arrive on iOS 16 - CNET

Passkeys, a technology designed to replace relatively insecure password logon tech, let you log on with just a fingerprint or face ID.

Apple and Google are updating their phone software and web browsers this year with technology called passkeys that's designed to be easy to use and more secure than passwords.

Passwords are plagued with problems, but tech giants have cooperated to design a practical alternative that reduces vulnerabilities and hacking risks.

With the iOS 16 release on Monday, Apple introduced support for passkeys, a new logon technology that promises to be more secure than passwords at guarding access to our bank accounts and email. Apple demonstrated passkeys at its Worldwide Developers Conference and said they'll come to iOS 16 and MacOS Ventura this fall, and they're coming to Google's Android and to web browsers, too.

Passkeys are as easy -- maybe easier -- to use than passwords. They replace the riot of keystrokes needed for passwords with a biometric check on our phones or computers. They also stop phishing attacks and banish the complications of two-factor authentication, like SMS codes, that strengthen the password system's weaknesses.

Once you set up a passkey for a site or app, it's stored on the phone or personal computer you used to set it up. Services like Apple's iCloud Keychain or Google's Chrome password manager can synchronize passkeys across your devices. Dozens of tech companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.

"Now is the time to adopt them," Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. "With passkeys, not only is the user experience better than with passwords, but entire categories of security -- like weak and reused credentials, credential leaks, and phishing -- are just not possible anymore."

You'll have to spend a little time on the learning curve before passkeys meet their potential. You'll also have to decide whether Apple, Microsoft or Google is the best option for you.

Here's a look at the technology.

It's a new type of login credential consisting of a little bit of digital data your PC or phone uses when logging onto a server. You approve each use of that data with an authentication step, such as fingerprint check, face recognition, a PIN code or the login swipe pattern familiar to Android phone owners.

Here's the catch: You'll have to have your phone or computer with you to use passkeys. You can't log onto a passkey-secured account from a friend's computer without a device of your own.

Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple can't see or alter the passkeys. Apple has designed its system to keep passkeys secure even if an attacker or Apple employee compromises your iCloud account.

It's pretty simple. Use your fingerprint, face or another mechanism to authenticate a passkey when a website or app prompts you to set one up. That's it.

These steps show how to log on with passkeys on an Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with a fingerprint ID. Face recognition also is an option on compatible phones.

When using a phone, a passkey authentication option will appear when you try to log on to an app. Tap that option, use the authentication technique you've chosen, and you're in.

For websites, you should see a passkey option by the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to facilitate login on another nearby device, like your laptop. Once you're logged in, that website can offer to create a new passkey linked to the new device.

You can use a passkey stored on your phone to log onto another nearby device, like a laptop you're borrowing. The login screen on the borrowed laptop will have an option to present a QR code you can scan with your phone. You'll use Bluetooth to ensure your phone and the computer are close by, then let you use a fingerprint or face ID check on your own phone. Your phone then will communicate with the computer over a secure connection to complete the authentication process.

Passkeys employ a time tested security foundation called public key cryptography for login operation. That's the same technology that protects your credit card number when you type it into a website. The beauty of the system is that a website only has to base its passkey record on your public key, data that's designed to be openly visible. The private key used to set up a passkey is stored only on your own device. There's no database of password data that a hacker can steal.

Another big benefit is that passkeys block phishing attempts. "Passkeys are intrinsically linked to the website or app they were set up for, so users can never be tricked into using their passkey on the wrong website," Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.

Using passkeys requires that you have your device handy and be able to unlock it, a combination that offers the protection of two-factor authentication but with less bother than SMS codes. And with passkeys, nobody can snoop over your shoulder to watch you type your password.

Passkeys begin emerging this year.

At its Worldwide Developers Conference, Apple said it'll bring passkeys to iOS 16 and MacOS Ventura, its major operating system software updates expected this fall. In May, Google will bring passkey support to Android software by the end of 2022 for developer testing, Google authentication leader Mark Risher said. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in coming months.

Some websites and apps will be eager to update their login software to use passkeys, so they can take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on fast, don't expect passwords to disappear.

It's unlikely you'll be forced to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support alongside existing password methods.

If you need to log into a friend's computer that doesn't have your passkey, scanning a QR code will let your phone handle the authentication process. Apple

When you sign up for a new service, passkeys may be presented as the preferred option. Eventually, they may become the only option.

Not exactly. Although passkeys are anchored to one company's technology suite, you'll be able to bridge out of, say, Apple's world to use passkeys with Microsoft's or Google's.

"Users can sign in on a Google Chrome browser that's running on Microsoft Windows, using a passkey on an Apple device," Vasu Jakkal, a Microsoft leader of security and identity technology, said in a May blog post.

Passkey advocates also are working on technology to let people migrate their passkeys from one tech domain to another, Apple and Google say.

Password managers play an increasingly important role in generating, storing and synchronizing passwords. But passkeys will likely be anchored to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.

That could change, though.

"We expect a natural evolution to an architecture that allows third-party passkey managers to plug in, and for portability among ecosystems," Google's Risher said.

He anticipates that passkeys will evolve to lower barriers between ecosystems and to accommodate third-party passkey managers. "This has been a discussion point since early in this industry push."

Indeed, password manager Dashlane is testing passkey support and plans to release it broadly in coming weeks. "Users can store their passkeys for multiple sites and benefit from the same convenience and security they already have with their passwords," the company said in a blog post.

1Password maker AgileBits just joined the FIDO Alliance, and DashLane, Bitwarden and LastPass already are members.

First published on June 9, 2022 at 5:00 a.m. PT.