Passkeys, the passwordless login technology, is coming to iOS 16 on Monday

This story is part of WWDC 2022, CNET’s full coverage from and about Apple’s annual developer conference.

What is happening

Apple and Google are updating their phone software and web browsers this year with a technology called passkeys that’s designed to be easier to use and more secure than passwords.

Why is it important

Passwords are plagued with problems, but tech giants have cooperated to design a convenient alternative that reduces vulnerabilities and hacking risks.

With the iOS 16 release on Monday, Apple will introduce support for passkeys, a new login technology that promises to be more secure than passwords in protecting access to our bank accounts and emails. Apple demonstrated passkeys at its Worldwide Developers Conference and said they would come to iOS 16 and macOS Ventura this fall, and they’re also coming to Google’s Android and web browsers.

Passkeys are as easy as passwords to use, perhaps easier. They replace the riot of keystrokes needed for passwords with biometric verification on our phones or computers. They also stop phishing attacks and banish the complications of two-factor authentication, such as SMS codes, which exist to compensate for weaknesses in the password system.

After you set up a passkey for a site or app, it’s stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passkeys across your devices. Dozens of tech companies have developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.

“Now is the time to embrace them,” said Garrett Davidson, authentication technology engineer at Apple, in a WWDC talk about passkeys. “With passkeys, not only is the user experience better than with passwords, but entire categories of security – like weak and reused credentials, credential leaks, and phishing – are simply no longer possible.”

You will have to spend some time on the learning curve before passkeys reach their potential. You’ll also need to decide if Apple, Microsoft, or Google is the best option for you.

Here is an overview of the technology.

What is a passkey?

This is a new type of login ID consisting of a bit of numerical data that your PC or phone uses when connecting to a server. You approve each use of this data with an authentication step, such as fingerprint verification, facial recognition, a PIN, or the login pattern familiar to Android phone owners.

Here’s the catch: you’ll need to have your phone or computer with you to use passkeys. You cannot log into a passkey-secured account from a friend’s computer without your own device.

Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple cannot see or change passkeys. Apple has designed its system to keep passkeys safe even if an attacker or an Apple employee compromises your iCloud account.

How does setting up a passkey work?

It’s quite simple. Use your fingerprint, face, or other mechanism to authenticate a passkey when a website or app prompts you to set one up. That’s it.

These steps show how to sign in with passkeys on an Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with a fingerprint ID. Facial recognition is also an option on compatible phones.

How do I use a passkey to log in?

When using a phone, a passkey authentication option appears when you try to log into an app. Tap that option, use your chosen authentication technique, and you’re in.

For websites, you should see a passkey option in the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to make logging in easier on another nearby device, like your laptop. Once you are logged in, the website may offer to create a new passkey tied to the new device.

What if I need to log into a website while using someone else’s computer?

You can use a passkey stored on your phone to log in on another nearby device, like a borrowed laptop. The login screen on the borrowed laptop will have the option to present a QR code that you can scan with your phone. Bluetooth is used to make sure your phone and the computer are near each other, and then you authenticate with fingerprint or face ID verification on your own phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.

Why are passkeys more secure than passwords?

Passkeys use a proven security foundation called public key cryptography for the login operation. It’s the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that a website only has to base its passkey record on your public key, data designed to be openly visible. The private key used to set up a passkey is stored only on your own device. There is no database of passwords that a hacker can steal.

Another great advantage is that passkeys block phishing attempts. “Passkeys are inherently tied to the website or application for which they were configured, so users can never be tricked into using their passkey on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
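
A minimal model of the login described in the two paragraphs above, as an added example that is not from the article, Apple or the FIDO Alliance: the website stores only a public key, and the signature covers the site identity plus a one-time challenge. It simplifies WebAuthn, and the site names, class names and signed-message layout are assumptions made for illustration.

```javascript
// Simplified passkey model (assumed layout, not the real WebAuthn message format).
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();
const signedData = (rpId, challenge) => Buffer.concat([sha256(rpId), challenge]);

// Device side: one key pair per site, selected by the site the browser is really on.
class Authenticator {
  constructor() { this.keys = new Map(); } // site id -> private key
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // the private key stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(rpId, challenge) {
    const key = this.keys.get(rpId);
    return key ? nodeCrypto.sign('sha256', signedData(rpId, challenge), key) : null;
  }
}

// Website side: keeps public keys only and issues a fresh challenge per login.
class Website {
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', signedData(this.rpId, challenge), pem, signature);
  }
}

function demo() {
  const bank = new Website('bank.example'); // constructed site names
  const phone = new Authenticator();
  bank.enroll('alice', phone.register('bank.example'));
  const good = phone.sign('bank.example', bank.newChallenge('alice'));
  const legit = bank.verify('alice', good);
  const replay = bank.verify('alice', good); // challenge already spent
  // A look-alike site relays the bank's challenge; the phone has no key for that site.
  const noKey = bank.verify('alice', phone.sign('bank-login.example', bank.newChallenge('alice')));
  // A passkey created on the look-alike site is a different key bound to a different site id.
  phone.register('bank-login.example');
  const wrongSite = bank.verify('alice', phone.sign('bank-login.example', bank.newChallenge('alice')));
  return { legit, replay, noKey, wrongSite, stored: bank.publicKeys.get('alice') };
}
```

Only the genuine login verifies; the replayed signature and both look-alike attempts are rejected, and the only thing the website holds for the user is a PEM public key.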

Using passkeys requires you to have your device at hand and be able to unlock it, a combination that offers the protection of two-factor authentication but with less hassle than SMS codes. And with passkeys, no one can snoop over your shoulder to watch you type in your password.

When will I see passkeys?

Passkeys are starting to emerge this year.

At its Worldwide Developers Conference, Apple said it will bring passkeys to iOS 16 and macOS Ventura, its major operating system software updates expected this fall. Google will bring passkey support to its Android software by the end of 2022 for developer testing, Google authentication manager Mark Risher said in May. Passkey support is expected to arrive in Chrome and Chrome OS at the same time. Microsoft is planning Windows support in the coming months.

Some websites and apps will be eager to update their login software to use passkeys, so they can reap the security benefits. Others will move slower. Even though passkeys are spreading rapidly, don’t expect passwords to disappear.

Will websites and apps require me to use passkeys?

It is unlikely that you will be required to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support to existing password methods.

If you need to log in on a friend’s computer that doesn’t have your passkey, scanning a QR code will allow your phone to handle the authentication process.

When you sign up for a new service, passkeys may be presented as the preferred option. Eventually, they may become the only option.

Will passkeys lock me into the Apple or Google ecosystems?

Not exactly. Although passkeys are rooted in one company’s technology suite, you will be able to step outside, for example, the world of Apple to use passkeys with those of Microsoft or Google.

“Users can sign in on a Google Chrome browser that runs on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, a Microsoft security and identity technology leader, said in a blog post in May.

Passkey advocates are also working on technology to allow people to migrate their passkeys from one technology ecosystem to another, according to Apple and Google.

How are password managers involved with passkeys?

Password managers are playing an increasingly important role in generating, storing, and synchronizing passwords. But passkeys will likely be rooted to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.

That could change, however.

“We expect a natural evolution toward an architecture that allows third-party passkey managers to plug in and portability across ecosystems,” Google’s Risher said.

He anticipates that passkeys will evolve to lower barriers between ecosystems and to accommodate third-party passkey managers. “That’s been a talking point since the start of this industry push.”

Indeed, password manager Dashlane is testing passkey support and plans to release it widely in the coming weeks. “Users can store their passkeys for multiple sites and enjoy the same convenience and security they already have with their passwords,” the company said in a blog post.

1Password maker AgileBits has just joined the FIDO Alliance, and Dashlane and LastPass are already members.
