This story is part of, CNET’s complete coverage from and about Apple’s annual developers conference.
Apple will later this year introduce support for a new logon technology that promises to be more secure than passwords, the jumble of letters, digits and special characters we routinely curse while trying to get to our bank accounts or email.
Coming in iOS 16 and MacOS Ventura, passkeys don’t require a unique configuration for each app or service, the recommended practice with passwords. They also don’t need a second authentication factor, like an SMS code, to strengthen the password system’s shortcomings.
Passkeys are as easy — maybe easier — to use than passwords because they don’t involve typing or remembering the riot of keystrokes needed for passwords. They also stop phishing attacks and banish the complications of two-factor authentication.
Once you set up a passkey for a site or app, it’s stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome password manager can synchronize passkeys across your devices. Dozens of tech companies developed the open standards behind passkeys in a group called the Fast Identity Online Alliance.
“Now is the time to adopt them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. “With passkeys, not only is the user experience better than with passwords, but entire categories of security — like weak and reused credentials, credential leaks, and phishing — are just not possible anymore.”
You’ll have to spend a little time on the learning curve before passkeys meet their potential. You’ll also have to decide whether Apple, Microsoft or Google is the best option for you.
Here’s a look at the technology.
What is a passkey?
It’s a new type of login credential consisting of a little bit of digital data your PC or phone uses when logging onto a server. You approve each use of that data with an authentication step, such as fingerprint check, face recognition, a PIN code or the login swipe pattern familiar to Android phone owners.
Here’s the catch: You’ll have to have your phone or computer with you to use passkeys. You can’t log onto a passkey-secured account from a friend’s computer without a device of your own.
Passkeys are synchronized and backed up. If you get a new Android phone, Google can restore your passkeys. With end-to-end encryption, Google can’t see or alter the passkeys.
How does setting up a passkey work?
It’s pretty simple. Use your fingerprint, face or another mechanism to authenticate a passkey when a website or app prompts you to set one up. That’s it.
How do I use a passkey to log in?
When using a phone, a passkey authentication option will appear when you try to log on to an app. Tap that option, use the authentication technique you’ve chosen, and you’re in.
For websites, you should see a passkey option by the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to facilitate login on another nearby device, like your laptop. Once you’re logged in, that website can offer to create a new passkey linked to the new device.
What if I need to log onto a website while using someone else’s computer?
You can use a passkey stored on your phone to log onto another nearby device, like a laptop you’re borrowing. The login screen on the borrowed laptop will have an option to present a QR code you can scan with your phone. You’ll use Bluetooth to ensure your phone and the computer are close by, then let you use a fingerprint or face ID check on your own phone. Your phone then will communicate with the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys employ a time tested security foundation called public key cryptography for login operation. That’s the same technology that protects your credit card number when you type it into a website. The beauty of the system is that a website only has to base its passkey record on your public key, data that’s designed to be openly visible. The private key used to set up a passkey is stored only on your own device. There’s no database of password data that a hacker can steal.
Another big benefit is that passkeys block phishing attempts. “Passkeys are intrinsically linked to the website or app they were set up for, so users can never be tricked into using their passkey on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
Using passkeys requires that you have your device handy and be able to unlock it, a combination that offers the protection of two-factor authentication but with less bother than SMS codes. And with passkeys, nobody can snoop over your shoulder to watch you type your password.
When will I see passkeys?
Passkeys could emerge as soon as this year.
At its Worldwide Developer Conference, Apple said it’ll bring passkeys to iOS 16 and MacOS Ventura, its major operating system software updates expected this fall. In May, Google said it’ll bring passkey support to Android software by the end of 2022 for developer testing, Google authentication leader Mark Risher said. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in coming months.
Some websites and apps will be eager to update their login software to use passkeys so they can take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on fast, don’t expect passwords to disappear.
Will websites and apps require me to use passkeys?
It’s unlikely you’ll be forced to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support alongside existing password methods.
When you sign up for a new service, passkeys may be presented as the preferred option. Eventually, they may become the only option.
Will passkeys lock me into Apple or Google ecosystems?
Not exactly. Alhough passkeys are anchored to one company’s technology suite, you’ll be able to bridge out of, say, Apple’s world to use passkeys with Microsoft’s or Google’s.
“Users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, a Microsoft leader of security and identity technology, said in a May blog post.
Passkey advocates also are working on technology to let people migrate their passkeys from one tech domain to another, Apple and Google say.
How are password managers involved with passkeys?
In short, they aren’t, for now. Password managers play an increasingly important role generating, storing, and synchronizing passwords. But passkeys will be anchored to your phone or personal computer, not your password manager.
That could change, though.
“We expect a natural evolution to an architecture that allows third party passkey managers to plug in, and for portability among ecosystems,”
Google’s Risher expects passkeys to evolve to lower barriers between ecosystems and to accommodate third party passkey managers. “This has been a discussion point since early in this industry push.”
1Password maker AgileBits just joined the FIDO Alliance, DashLane is already a member, and LastPass also is involved.