This story is part of CNET’s complete coverage from Apple’s annual developer conference.
Apple and Google are updating their phone software and web browsers this year with a technology called Passkey that’s easier to use and more secure than passwords.
Why is it important?
Passwords are plagued with problems, but tech giants have teamed up to devise a practical alternative that reduces vulnerability and hacking risks.
Apple is introducing support for passkeys, a new logon technology that’s more secure than passwords when it comes to protecting our bank accounts and email. Apple announced them at its Worldwide Developers Conference and said they will come this fall, and they’re coming to Google Android and web browsers, too.
Passkeys are easier to use than passwords. They replace the chaos of keystrokes required for passwords with biometric checks on our phones or computers. They also stop phishing attacks and avoid the complexity of two-factor authentication, such as SMS codes, which exist to compensate for the weaknesses of the password system.
Once you set up a passkey for a site or app, the passkey is stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google Chrome’s password manager can sync passkeys across all your devices. Dozens of technology companies have developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.
“It’s time to embrace them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. “With passwords, the user experience is not only better than passwords, but whole categories of security — like weak and reused credentials, credential hints, and phishing — are no longer possible.”
You’ll have to spend a little time on the learning curve before passkeys can live up to their potential. You’ll also need to decide whether Apple, Microsoft, or Google is the best option for you.
What is a passkey?
It’s a new type of login credential consisting of a small piece of digital data that your PC or phone uses when logging into a server. You approve each use of that data with an authentication step, such as fingerprint scanning, facial recognition, a PIN code, or the login swipe patterns familiar to Android phone owners.
Here’s the catch: You’ll need to have your phone or computer with you to use passkeys. You can’t log into a passkey-protected account from your friend’s computer without your own device.
Passkeys are synchronized. If you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple can’t see or change the passkeys. Apple has designed the system to protect your passkeys even if an attacker or an Apple employee compromises your iCloud account.
How does setting up a passkey work?
It’s very simple. Use your fingerprint, face, or other method to approve the passkey when a website or app asks you to set one up. That’s it.
How do I use a passkey to log in?
When you try to sign in to an app while using a phone, a passkey verification option will appear. Tap that option, use your preferred authentication method, and you’re signed in.
For websites, you should see a passkey option in the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to facilitate logins on other nearby devices, such as your laptop. Once you log in, that website may offer to create a new passkey associated with the new device.
What if I need to access a website while using someone else’s computer?
You can use a passkey stored on your phone to log in on another device nearby, such as a laptop you’re borrowing. The login screen on the borrowed laptop will offer a QR code that you can scan with your phone. The system uses Bluetooth to make sure your phone and the computer are near each other, then lets you approve the login with fingerprint or facial recognition on your phone. Your phone then connects to the computer over a secure connection to complete the verification process.
Why are passkeys more secure than passwords?
Passkeys use a time-tested security foundation called public key cryptography for login purposes. It’s the same technology that protects you when you type your credit card number into a website. The beauty of the system is that a website only needs to keep a record of your public key, data that is designed to be openly visible. The private key used to set up the passkey is stored only on your own device. There is no database of password data that a hacker can steal.
Another great benefit of passkeys is blocking phishing attempts. “Users can never be fooled because passwords are intrinsically tied to the website or app they’re set on,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
Using passkeys requires you to have your device at hand and to be able to unlock it, a combination that provides two-factor authentication but with less hassle than an SMS code. And with passkeys, no one can peek over your shoulder to see you type your password.
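To make the public-key and site-binding points above concrete, here is an added example (not code from CNET, Apple, Google or the FIDO Alliance) that models a passkey sign-in in Node.js. It is a simplified stand-in for the real WebAuthn message formats; the function names and the `bank.example` domains are hypothetical.

```javascript
// Added example: simplified model of a passkey sign-in, not a full WebAuthn parser.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Setup: the device keeps the private key; the site stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Device side: the passkey is offered only to the site it was created for,
// and the signature covers the challenge plus the origin the browser sees.
function signIn(device, challenge, origin) {
  const host = new URL(origin).hostname;
  if (host !== device.rpId && !host.endsWith('.' + device.rpId)) return null;
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = sha256(device.rpId); // stand-in for authenticatorData
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: nodeCrypto.sign('sha256', signed, device.privateKey) };
}

// Server side: check challenge, origin and site binding, then the signature.
function verifySignIn(record, expectedChallenge, expectedOrigin, assertion) {
  if (!assertion) return false;
  const cd = JSON.parse(assertion.clientData.toString('utf8'));
  if (cd.type !== 'webauthn.get') return false;
  if (cd.challenge !== expectedChallenge) return false; // stale or replayed
  if (cd.origin !== expectedOrigin) return false;       // signed for another site
  if (!assertion.authData.equals(sha256(record.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return nodeCrypto.verify('sha256', signed, record.publicKey, assertion.signature);
}

// Constructed scenario using reserved example domains.
function demo() {
  const origin = 'https://bank.example';
  const { device, serverRecord } = createPasskey('bank.example');
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  const genuine = signIn(device, challenge, origin);
  const edited = { ...genuine, clientData: Buffer.from(
    genuine.clientData.toString('utf8').replace(challenge, 'f'.repeat(64))) };
  return {
    genuineAccepted: verifySignIn(serverRecord, challenge, origin, genuine),
    offeredToLookalike: signIn(device, challenge, 'https://bank-login.example') !== null,
    replayAccepted: verifySignIn(serverRecord, nodeCrypto.randomBytes(32).toString('hex'), origin, genuine),
    editedAccepted: verifySignIn(serverRecord, 'f'.repeat(64), origin, edited),
  };
}
```

The server record holds nothing secret, so copying it does not let anyone sign in; only the genuine sign-in in `demo()` is accepted.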
When will I see the passkeys?
Passkeys will start popping up this year.
At its Worldwide Developers Conference, Apple said it would bring Passkeys to iOS 16 and MacOS Ventura, the major operating system software updates expected this fall. In May, Google will bring passkey support to 2022 Android software for developer testing, Google’s head of authentication Mark Risher said. Passkey support should be available in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in the coming months.
Some websites and apps are eager to update their login software to use passkeys, so you can take advantage of the security benefits. Others move slowly. Don’t expect passwords to go away, even if passkeys catch on quickly.
Do websites and apps require me to use passkeys?
As the technology is new and unusual, you’re unlikely to be forced to use passkeys. Websites and apps you already use can add passkey support alongside existing password methods.
Passkeys may be offered as a preferred option when signing up for a new service. Eventually, they may be the only option.
Do passkeys lock me into the Apple or Google ecosystem?
Not exactly. Even if your passkeys are anchored to one company’s technology stack, you can step outside Apple’s world to use passkeys with Microsoft or Google.
“Users can sign in using a passkey on an Apple device using the Google Chrome browser running on Microsoft Windows,” Vasu Jakkal, Microsoft’s security and identity technology leader, said in a May blog post.
Passkey advocates say Apple and Google are working on technology to allow people to transfer their passkeys from one technology domain to another.
How do password managers deal with passkeys?
Password managers play an important role in generating, storing and synchronizing passwords. But passkeys are tied to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.
But this can change.
“We expect a natural evolution that allows third-party password managers to plug in and allow portability between ecosystems,” Google’s researcher said.
He envisions that passkeys will evolve to accommodate fewer and third-party passkey managers across the ecosystem. “This has been a talking point since the beginning of this industry push.”
In fact, password manager Dashlane is testing passkey support and plans to roll it out more widely in the coming weeks. “Users can store their passwords for multiple websites and benefit from the same convenience and security they already have with their passwords,” the company said in a blog post.
1Password maker AgileBits has just joined the FIDO Alliance, and Dashlane and LastPass are already members.