Coming up with and remembering different passwords has always been necessary to protect accounts, but it has also been problematic. To further enhance security while making logging into accounts much easier, major technology companies – such as Microsoft, Google and Apple – have joined forces, resulting in passkeys.
With passkeys, you no longer need to remember – and enter – your password each time you need to log into an account, but only confirm your login with your phone or other device. They are also much less susceptible to being stolen by hackers, which significantly increases security.
But how exactly do they work? Here’s everything you should know about passkeys.
What are passkeys?
Passkeys aren’t easy to explain without using security jargon. However, suffice to say, they’re a much longer “password” that replaces both your username and password. You never see this passkey: it’s handled entirely by your device.
In technical terms, a passkey is a “cryptographic entity” using the well-established principles of public-key cryptography. This approach incorporates public keys, securely stored on an external server in the cloud, alongside private keys, securely located on the specific device, such as your phone or laptop.
The combination of these keys renders it exceedingly difficult for unauthorised individuals to gain access to the device’s memory and the data it contains. This means passkeys are an excellent method for thwarting phishing attempts: you couldn’t accidentally give someone your passkey if you tried: you have no idea what it is. Plus, you can’t intentionally use the same passkey for multiple accounts, as you can with passwords.
Any login with a passkey is securely verified on your device. This can be accomplished through either biometric authentication, such as fingerprint or facial recognition, or a PIN or swipe pattern. Only a single login is required, followed by the appearance of a passkeys notification on the device, offering the option to approve the login request.
How do you use passkeys?
There are two ways to use passkeys: you can create a passkey when creating a new account or you can replace the password for an existing account with a passkey.
In future the process might change, but right now, when creating a new account using a passkey, you’ll be asked to provide a username or email address. You’ll be then asked if you wish to use passkey and your device will automatically generate the encryption key pair for your account and ask for authentication through biometrics, a PIN or swipe pattern (this will depend upon which one is supported and chosen as default on your device). Your passkey will be then stored and synced across all of your devices.
The other way is to upgrade an account to use passkey instead of a standard password. You have to log in to your account using your existing username and password. Then you will see a prompt asking if you wish to upgrade to using a passkey or you will have to manually go to the password settings of your account and choose the option to create a passkey. Both original password and a new passkey will be stored, but next time you log in you won’t have to use your old password.
You can also use passkeys to log in to sites and services on your computer using other devices. For example, you might have to generate a QR Code that your smartphone camera can scan. Then simply verify your identity before granting or denying permission for the application or website running on the other device.
Artur Tomala / Foundry
Where you can use passkeys?
Passkeys are still very new, despite Apple adding support for them in iOS 16. There aren’t loads of websites and services that use passkeys yet. As of mid 2023, some notable sites supporting passkeys include:
- PayPal
- Shop by Shopify
- Instacard
- KAYAK
- Robinhood
- Adobe
- Tailscale
- GitHub
- TikTok (on iOS)
- Best Buy
- Cloudflare
- eBay
Password management company, 1Password, operates a platform named Passkeys.directory. You can find there a list of websites that currently support passkeys. And talking of password managers, we’re already seeing some rolling out passkey support including Bitwarden.
What devices are compatible with passkeys?
All of the big tech giants worked together to develop passkeys using FIDO Alliance and W3C standards. This makes them compatible with the best smartphones and best laptops on the market.
Any iPhone running iOS16 or later can store passkeys in iCloud Keychain, so they are synced across all your Apple devices, and authenticated using Touch ID or Face ID.
If you are using an Android smartphone, you also have the option of using passkeys, which are stored and synchronised using Google Password Manager. However, setting up a screen lock is required to use them. And if you don’t use one, you should.
Users of Windows 10 or 11 PCs have not been left behind either and can use passkeys via the Windows Hello function. They are synchronised using your Microsoft account and can be accessed wherever you are logged into our account.
In addition, the most popular web browsers such as Safari (version 13 or higher), Chrome and Edge (version 79 or higher), as well as Firefox (version 60 or higher) also support passkeys.
Are passkeys secure?
While standard passwords are still available and have not been fully replaced by passkeys, the latter offer some important improvements, even over the best password managers.
Passkeys are much longer than passwords, thus enhancing security. In addition, they do not need to be entered manually, removing the need to remember them. The device and web server securely store a pair of passkeys, linking them quickly when needed. You only need to use biometrics or other way of authentication to validate them and prove your identity.
As a result, they provide a solid resistance to all forms of brute force attacks, while traditional hacking methods such as most phishing techniques are ineffective. Passkeys are too complex for modern hacking software to have a chance of correctly guessing the correct combination in a relatively short period of time.
Only a private key can accurately resolve and accept the sequence of events presented by the server, making it unfeasible to intercept. Public keys, on the other hand, while more vulnerable to possible hacking, are insufficient in themselves for identification, and therefore useless to hackers.
Moreover, sharing passkeys with third parties is simply impossible, even if you wanted to do it. This means that if a phishing attempt prompts you to log in using a fake web form, it will fail because there is no passkey element for authentication.
Be sure to check out the best antiviruses if you want comprehensive protection of your data against viruses and hacker attacks. You can also increase your privacy online (and do more) with one of the best VPN services.