Google and Apple (and others soon) Want You to Log In With Passkeys. Here’s What That Means
Because passwords are inherently flawed, tech companies are turning to more secure logins that just require your face or fingerprint. After decades of password reuse, even password managers, which help by providing complex passwords, are no longer enough to protect us. Recently Google started suggesting that you create a passkey after signing into Gmail or YouTube.
Put simply, there’s a bit of software code that lives on your device (the key), and another bit of code provided by the website (the keyhole). Each website has a keyhole that only your passkey can unlock.
Passkeys are a consumer-friendly implementation of the FIDO2/WebAuthn authentication protocol (FIDO stands for Fast IDentity Online). Two protocols are used: Client to Authenticator Protocol (CTAP) and Web Authentication (WebAuthn). A passkey is not the time-based key that many websites use nowadays as part of two-factor authentication using SMS/TOTP (a text message with a time-based, one-time passcode). Web passwords are responsible for most malicious activity because they can be stolen, guessed, or are too simple to provide protection. Password123, anyone use(d) this?
Passkeys are easier to use because:
- You don’t have to remember or type in complicated passwords.
- Passkeys can replace passwords and two-factor authentication codes that often come via text as 6-digit numbers.
- The passkey approach doesn’t play into the weakness of using a password on multiple sites.
- Each passkey is unique. There’s no risk of reuse.
- Passkeys won’t fall for fake websites designed to trick us.
- Hackers can’t steal them from company servers—they’d need access to your personal device.
- Passkeys consist of a private key, which stays on your local device, and a public key from the website that is sent to match it and let you enter. The two keys are mathematically related and allow you to verify who you are.
Passkeys are designed to automatically sync everywhere your password manager is installed (though in some instances, you need a separate passkey for each device). It’s good to make sure you can access your passkeys from several devices (phone, laptop, tablet, etc.) in case you lose one.
A major strength of passkeys is that if a website you visit has a data breach, only the public key created by the website is breached and not the private key on your local device.
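An added sketch (not from the original article) of the sign-in check behind the points above, modelled on the WebAuthn assertion in simplified form: the device signs a fresh challenge together with the site's address, and the site verifies it with the public key alone. The domain names, function names and shortened authenticator data are assumptions made for the example.

```javascript
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device: one key pair per site; only publicKey is ever handed to the site.
function createPasskey(rpId) {
  const pair = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, privateKey: pair.privateKey, publicKey: pair.publicKey };
}

// Device: the browser records the origin it is really on, then the key signs.
function signAssertion(passkey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // Simplified authenticatorData: SHA-256(rpId) plus a flags byte (no counter).
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData,
           signature: crypto.sign("sha256", signed, passkey.privateKey) };
}

// Website: checks challenge, origin and site id, then the signature.
function verifyAssertion(site, a, expectedChallenge) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "bad type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== site.origin) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(site.rpId))) return "rpId mismatch";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, site.publicKey, a.signature)
    ? "ok" : "bad signature";
}

// Constructed scenario: example.com is the real site, example-com.test a fake.
function demo() {
  const passkey = createPasskey("example.com");
  const site = { rpId: "example.com", origin: "https://example.com", publicKey: passkey.publicKey };
  const challenge = crypto.randomBytes(32);
  const check = (key, origin, expected) =>
    verifyAssertion(site, signAssertion(key, challenge, origin), expected);
  return {
    genuine: check(passkey, site.origin, challenge),
    fakeSite: check(passkey, "https://example-com.test", challenge),
    replayed: check(passkey, site.origin, crypto.randomBytes(32)),
    // Breach case: knowing the public key gives no way to sign for it.
    stolenPublicKeyOnly: check(createPasskey("example.com"), site.origin, challenge),
  };
}

console.log(demo());
```

Only the genuine sign-in is accepted; the response produced on the fake address, the reused response, and the attempt made without the private key are each rejected at a different check.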
A safer alternative to using your computer’s keychain (or password file) is to download a third-party password manager like 1Password or Dashlane. Third-party password managers like these offer services for creating your passkey, so you don’t have to rely on Apple or Google to do so.
To get started creating a passkey with Google, go to your account security settings in a web browser. In a Google app, tap your profile picture, then “Manage your account,” then Security. In the “How you sign into Google” section, tap Passkeys, then “Create a passkey.” A pop-up from your password manager will ask you to confirm.
Next time you sign in with a Google account on that device, your password manager should prompt you to use that passkey. If you see a password field, click “Try another way” to use your passkey. You will need to go through this passkey setup on each device you use. The upside: Once each device is covered, signing in will be a breeze.
To sign into your Google account on a device you don’t own, enter your username then click “Use another phone or tablet” when prompted. A QR code should pop up. Scan that with your phone and your password manager should do the rest.
You can sign up for passkeys on other services, including DocuSign, GitHub and Uber. You might encounter some quirks. For instance, I couldn’t get Uber passkeys to work in the app but they did work on the website. 1Password has a list of other passkey-eligible services.
Amazon’s passkeys only work on its websites for now—not on its shopping or streaming apps. To set one up, go to your account settings, then Login & security. Where you see Passkey, click Edit. Tap “Add a passkey.” Once set up, you can sign in with a passkey. If you have two-factor authentication turned on, Amazon may still ask you for a code.
Passkeys for Apple IDs are automatically set up. As long as you’re running iOS 17, iPadOS 17 and macOS Sonoma, just click the “Sign In with iPhone” option instead of entering your password on Apple sites such as icloud.com. Just be aware that Apple ID passkeys can’t be saved in third-party password managers. If Face ID fails on your phone, the site will ask for your device passcode.
Even if you have passkeys set up, your old passwords can still open your services’ front doors. If you have passwords that are short, easily guessed or reused, hackers could exploit them. Until passkeys completely take over, make sure your passwords are long, complicated and, of course, unique to each and every app, site and service. That’s where password managers come in.
Instead of digital passkeys, some readers might be interested in a hardware-bound key like YubiKey, which comes in several configurations such as Lightning, USB-C, or NFC. It is a small, key-chain-size device that plugs into a port on your device and provides secure logins. It costs about $50 to $75. See https://www.yubico.com/
Passkey technology is relatively new, and not all sites use it. Adoption will come over time. It is better than passwords or two-factor authentication, and you should consider looking into it and using it when available.
See https://passkeys.directory for a listing of passkey-compatible sites and services.
Here’s an eight-minute video explaining it in more detail. https://youtu.be/AhP0q8c38QU?si=nWoHVt2rGG6AMJRV
From an article in the WSJ, October 21, 2023 by Nicole Nguyen