This story is part ofCNET’s full coverage of Apple’s annual developer conference.
What is going on
Apple and Google will update their phone software and web browsers later this year with technology called passkeys designed to be more user-friendly and more secure than passwords.
Why it matters
Passwords are plagued with problems, but tech giants have teamed up to design a practical alternative that reduces vulnerabilities and hacking risks.
Apple and Google will introduce support for passkeys later this year, a new login technology that promises to be more secure than passwords when monitoring access to our bank accounts and email.at the Worldwide Developer Conference and said they will come to and this fall.
Passwords are just as easy – perhaps easier – to use than passwords. They replace the riot of keystrokes required for passwords with a biometric check on our phones or computers. They also stop phishing attacks and eliminate the complications of two-factor authentication, such as SMS codes, which amplify the weaknesses of the password system.
After you set up a passcode for a site or app, it’s saved on the phone or PC you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passkeys across all your devices. Dozens of tech companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.
“Now is the time to adopt them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passwords. “Not only do passkeys improve the user experience than passwords, but entire categories of security — such as weak and reused credentials, credential leaks, and phishing — simply no longer work.”
You will have to spend some time on the learning curve before passkeys reach their potential. You will also have to decide whether Apple, Microsoft or Google is the best option for you.
Here’s a look at the technology.
What is an access code?
It is a new type of credentials that consists of a small amount of digital data that your PC or phone uses when logging into a server. You approve any use of that data with an authentication step, such as fingerprint verification, facial recognition, a PIN, or the login swipe pattern known to Android phone owners.
Here’s the catch: you have to have your phone or computer with you to use passkeys. You cannot log into a password protected account from a friend’s computer without your own device.
Passkeys are synced and backed up. If you buy a new Android phone or iPhone, Google and Apple can recover your passkeys. With end-to-end encryption, Google and Apple cannot see or change the passkeys. Apple designed its system to keep passkeys safe even if an attacker or Apple employee compromises your iCloud account.
How does setting a passkey work?
It’s pretty simple. Use your fingerprint, face, or some other mechanism to verify a password key when a website or app asks you to set one. That is it.
How do I use a password to log in?
When using a phone, a password verification option will appear when you try to sign in to an app. Tap that option, use the authentication technique you chose and you’re in.
For websites, you should see a password option near the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to facilitate logging into another nearby device, such as your laptop. Once you are logged in, that website may offer to create a new passcode associated with the new device.
What if I need to log in to a website while using someone else’s computer?
You can use a passkey stored on your phone to log in to another nearby device, such as a laptop you borrow. The login screen on the borrowed laptop has an option to present a QR code that you can scan with your phone. You use Bluetooth to make sure your phone and computer are nearby, then have a fingerprint or face ID check on your own phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys use a proven security foundation called public key cryptography for login. That’s the same technology that protects your credit card number when you type it on a website. The beauty of the system is that a website only needs to base its password record on your public key, data designed to be openly visible. The private key used to set a password key is stored only on your own device. There is no database of password information that a hacker can steal.
Another big advantage is that passwords block phishing attempts. “Passkeys are intrinsically linked to the website or app they are set up for, so users can never be tricked into using their password on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
Using passkeys requires that you have your device on hand and can unlock it, a combination that offers the protection of two-factor authentication but with less effort than SMS codes. And with passkeys, no one can look over your shoulder as you type your password.
When will I see passwords?
Passkeys may appear as early as this year.
At the Worldwide Developer Conference, Apple said it will bring passwords for iOS 16 and MacOS Ventura, with major operating system software updates expected this fall. In May, Google said it will provide passcode support for Android software for developer testing by the end of 2022, Google authentication leader Mark Risher said. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in the coming months.
Some websites and apps will be happy to update their login software to use passkeys so they can take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on quickly, don’t expect passwords to disappear.
Do I need to use passkeys for websites and apps?
You are unlikely to be forced to use passkeys while the technology is new and unknown. Websites and apps you already use will likely add passkey support in addition to existing password methods.
When you sign up for a new service, passkeys may appear as the preferred option. In the end, they may become the only option.
Do passkeys lock me into Apple or Google ecosystems?
Not exactly. While passkeys are anchored in one company’s technology suite, for example, you can leave the world of Apple to use passkeys with those of Microsoft or Google.
“Users can log in to a Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, a Microsoft leader in security and identity technology, said in a May blog post. .
Passkey proponents are also working on technology to let people migrate their passkeys from one tech domain to another, Apple and Google say.
How are password managers involved with passkeys?
In short, they are not for now. Password managers are playing an increasingly important role in password generation, storage and synchronization. But passkeys are anchored to your phone or PC, not your password manager.
That could change.
“We expect a natural evolution towards an architecture that allows for plugging in key managers of third parties, and for portability between ecosystems,”
Google’s Risher expects passkeys to evolve to lower barriers between ecosystems and accommodate third-party passkey administrators. “This has been a topic of discussion since the beginning of this industry push.”
1Password creator AgileBits just joined the FIDO Alliance, and DashLane and LastPass are already members.