Passkeys explained: Apple, Google and Microsoft finally have an easy way to ditch passwords

This story is part of WWDC 2022, CNET's full coverage of Apple's annual developer conference.

What's happening

Apple and Google will update their phone software and web browsers later this year with technology called passkeys designed to be more user-friendly and more secure than passwords.

Why it matters

Passwords are plagued with problems, but tech giants have teamed up to design a practical alternative that reduces vulnerabilities and hacking risks.

Apple will introduce support later this year for a new login technology that promises to be more secure than passwords, the jumble of letters, numbers, and special characters we routinely curse while trying to get to our bank accounts or email.

Arriving in iOS 16 and MacOS Ventura this fall, passkeys don't require you to come up with a unique secret for each app or service, as is recommended practice with passwords. They also don't require a second authentication factor, such as an SMS code, to shore up the shortcomings of the password system.

Passkeys are just as easy—perhaps easier—to use than passwords because they don’t require typing or remembering the many keystrokes required for passwords. They also stop phishing attacks and eliminate the complications of two-factor authentication.

After you set up a passkey for a site or app, it's saved on the phone or PC you used to set it up. Services like Apple's iCloud Keychain or Google's Chrome Password Manager can sync passkeys across all your devices. Dozens of tech companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.

“Now is the time to adopt them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. “Not only do passkeys offer a better user experience than passwords, but entire categories of security problems — such as weak and reused credentials, credential leaks, and phishing — are simply no longer possible.”

You will have to spend some time on the learning curve before passkeys reach their potential. You will also have to decide whether Apple, Microsoft or Google is the best option for you.

Here’s a look at the technology.

What is a passkey?

It's a new type of credential consisting of a small amount of digital data that your PC or phone uses when logging in to a server. You approve any use of that data with an authentication step, such as fingerprint verification, facial recognition, a PIN, or the login swipe pattern familiar to Android phone owners.

Here's the catch: you have to have your phone or computer with you to use passkeys. You can't log in to a passkey-protected account from a friend's computer without your own device.

Passkeys are synced and backed up. If you buy a new Android phone, Google can recover your passkeys. With end-to-end encryption, Google cannot see or change the passkeys.

How does setting up a passkey work?

It's pretty simple. Use your fingerprint, face, or some other mechanism to approve a passkey when a website or app asks you to create one. That's it.

[Image: a three-step illustration of the passkey login process on an Android phone. Credit: Google]

These steps show how to sign in with a passkey on an Android phone: choose the passkey option, choose the correct passkey, and authenticate with a fingerprint. Facial recognition is also an option on compatible phones.

How do I use a passkey to log in?

On a phone, a passkey option will appear when you try to sign in to an app. Tap that option, use the authentication technique you chose, and you're in.

For websites, you should see a passkey option near the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to log in on another nearby device, such as your laptop. Once you're logged in, that website may offer to create a new passkey associated with the new device.

What if I need to log in to a website while using someone else’s computer?

You can use a passkey stored on your phone to log in on another nearby device, such as a laptop you borrow. The login screen on the borrowed laptop has an option to show a QR code that you scan with your phone. Bluetooth is used to confirm that your phone and the computer are physically near each other, then you pass a fingerprint or face ID check on your own phone. Your phone then communicates with the computer over a secure connection to complete the authentication process.

Why are passkeys more secure than passwords?

Passkeys use a proven security foundation called public key cryptography for login. That's the same technology that protects your credit card number when you type it on a website. The beauty of the system is that a website only needs to keep your public key on record, data that is designed to be openly visible. The private key that makes up your half of the passkey is stored only on your own device. There is no database of passkey secrets for a hacker to steal.

Another big advantage is that passkeys block phishing attempts. “Passkeys are intrinsically linked to the website or app they are set up for, so users can never be tricked into using their passkey on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
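As an added example (not code from the article, Apple, Google or the FIDO Alliance), here is a small Go model of the two points just made: the website stores only the public key, and every login signs a fresh server challenge together with the relying party ID the passkey was created for, so a verifier running under a lookalike site's ID rejects the signature. The site names, the challenge and the exact signed layout are simplified assumptions, not the real WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Passkey is the per-site credential held on the user's device. The private key
// never leaves the device; the website (relying party) only ever sees PublicKey.
type Passkey struct {
	RPID string // the site the passkey was created for, e.g. "bank.example" (assumed name)
	priv *ecdsa.PrivateKey
}

// NewPasskey makes a fresh P-256 key pair bound to one relying party ID.
func NewPasskey(rpID string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, priv: priv}, nil
}

// PublicKey is the only part of the credential a website stores.
func (p *Passkey) PublicKey() *ecdsa.PublicKey { return &p.priv.PublicKey }

// signedMessage is a simplified stand-in for the WebAuthn assertion layout: a
// hash of the relying party ID followed by the server's one-time challenge, so
// the signature is tied to both the site and this particular login attempt.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(rpHash[:], challenge...)
}

// Sign is the device side. The local unlock (fingerprint, face, PIN) is assumed
// to have succeeded; the device signs only for the site the passkey belongs to.
func (p *Passkey) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(signedMessage(p.RPID, challenge))
	return ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
}

// Verify is the server side. It holds no secret: with the stored public key it
// checks that the signature covers its own RP ID and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, serverRPID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedMessage(serverRPID, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A leaked copy of the server's record (the public key alone) lets an attacker verify signatures but never produce one, which is why there is no password-style database worth stealing.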

Using passkeys requires that you have your device on hand and can unlock it, a combination that offers the protection of two-factor authentication but with less effort than SMS codes. And with passkeys, no one can look over your shoulder as you type your password.

When will I see passkeys?

Passkeys may appear as early as this year.

At the Worldwide Developers Conference, Apple said it will bring passkeys to iOS 16 and MacOS Ventura, the major operating system updates expected this fall. In May, Google authentication leader Mark Risher said Google will provide passkey support in Android software for developer testing by the end of 2022. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in the coming months.

Some websites and apps will be happy to update their login software to use passkeys so they can take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on quickly, don’t expect passwords to disappear.

Do I need to use passkeys for websites and apps?

You are unlikely to be forced to use passkeys while the technology is new and unknown. Websites and apps you already use will likely add passkey support in addition to existing password methods.

[Image: a person uses a phone to scan a QR code to enable passkey login on a nearby computer. Credit: Apple]

If you need to log in on a friend's computer that doesn't have your passkey, scanning a QR code with your phone lets you handle the authentication process.

When you sign up for a new service, passkeys may appear as the preferred option. In the end, they may become the only option.

Do passkeys lock me into Apple or Google ecosystems?

Not exactly. Although a passkey is anchored in one company's ecosystem, you can, for example, step outside Apple's world and use an Apple-stored passkey with Microsoft's or Google's software.

“Users can log in to a Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, a Microsoft leader in security and identity technology, said in a May blog post.

Passkey proponents are also working on technology to let people migrate their passkeys from one tech domain to another, Apple and Google say.

How are password managers involved with passkeys?

In short, they aren't, for now. Password managers play an increasingly important role in password generation, storage and synchronization. But passkeys are anchored to your phone or PC, not to your password manager.

That could change.

Google's Risher expects passkeys to evolve to lower the barriers between ecosystems and to accommodate third-party passkey managers. “We expect a natural evolution towards an architecture that allows for plugging in third-party key managers, and for portability across ecosystems,” he said. “This has been a topic of discussion since the beginning of this industry push.”

1Password creator AgileBits just joined the FIDO Alliance, and Dashlane and LastPass are already members.
