Learn about passkeys, the passwordless login technology coming to iOS 16 and Android

This story is part of WWDC 2022, CNET’s full coverage of and about the annual Apple developer conference.

What is happening

Apple and Google will update phone software and web browsers later this year with technology called passkeys designed to be easy to use and more secure than passwords.

Why does it matter

Passwords are full of problems, but the tech giants have teamed up to design a workable alternative that reduces vulnerabilities and hacking risks.

Apple and Google will introduce support for passkeys later this year, a new login technology that promises to be more secure than passwords in protecting access to our bank accounts and email. Apple presented passkeys at its Worldwide Developers Conference and said they would arrive in iOS 16 and macOS Ventura this fall.

Passkeys are as easy to use as passwords, and perhaps easier. They replace the flurry of keystrokes needed for passwords with biometric checks on our phones or computers. They also stop phishing attacks and remove the complications of two-factor authentication, such as SMS codes, that shore up the weaknesses of password systems.

Once you set up a passkey for a website or app, it is stored on the phone or PC you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome password manager can sync passkeys across your devices. Dozens of technology companies have developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.

Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys: “With passkeys, not only is the user experience better than using passwords, but there is no longer potential for full security categories – such as weak and reused credentials, credential leaks, and phishing.”


You’ll have to spend some time on the learning curve before passkeys realize their potential. You will also have to decide if Apple, Microsoft or Google is the best option for you.

Here is a look at the technology.

What is a passkey?

It is a new type of login credential that consists of a small amount of digital data that your computer or phone uses when you log into a server. You consent to each use of this data with an authentication step, such as a fingerprint scan, facial recognition, a PIN or the swipe-to-login pattern familiar to Android phone owners.

Here’s the catch: You must have your phone or computer with you to use passkeys. You can’t sign into a passkey-secured account from a friend’s computer without your own device.

Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can recover your passkeys. With end-to-end encryption, Google and Apple cannot see or change passkeys. Apple designed its system to keep passkeys safe even if an attacker or an Apple employee has compromised your iCloud account.

How does setting up a passkey work?

It’s very simple. Use your fingerprint, face, or other passkey authentication mechanism when a website or app prompts you to set one up. That’s it.

[Image: three-step illustration of the passkey login process on an Android phone. Credit: Google]

These steps show how to sign in with passkeys on an Android phone: choose the passkey option, choose the appropriate passkey, and authenticate with a fingerprint. Face recognition is also an option on compatible phones.

How do I use the passkey to log in?

When using the phone, the passkey authentication option will appear when you try to sign in to an app. Tap that option, use your chosen authentication technology, and you’re good to go.

For websites, you should see a passkey option next to the username field. After that, the process is the same.

Once you have a passkey on your phone, you can use it to sign in more easily on another device nearby, like a laptop. Once you are logged in, that website can offer to create a new passkey associated with the new device.

What if I need to log into a website while using someone else’s computer?

You can use a passkey stored on your phone to sign in on another nearby device, such as a laptop you’re borrowing. The login screen on the borrowed laptop will have an option to display a QR code that you can scan with your phone. Bluetooth is used to make sure your phone and the computer are close to each other, and then you authenticate with your fingerprint or face on your phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.

Why are passkeys more secure than passwords?

Passkeys use a time-tested security foundation called public key cryptography for the login process. This is the same technology that protects your credit card number when you type it into a website. The beauty of the system is that the website only has to keep your public key in its passkey record, which is data that is designed to be openly visible. The private key used to set up the passkey is stored only on your device. There is no password database for a hacker to steal.

Another great benefit is that passkeys prevent phishing attempts. “Passkeys are intrinsically linked to the website or application for which they are set up, so users can never be deceived into using their passkey on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.

Using passkeys requires that you have your device close at hand and be able to unlock it, a combination that offers two-factor authentication protection but with less trouble than SMS codes. And with passkeys, no one can snoop over your shoulder to watch as you type your password.
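The public-key login and the binding of a passkey to its website, described above, can be seen in a simplified model. This is an added example, not code from the article or from Apple, Google or the FIDO Alliance, and it is not the full WebAuthn protocol; the `Authenticator` and `Server` classes and the `bank.example` origins are constructed for illustration.

```javascript
// Added illustration: a simplified model of a passkey login, not full WebAuthn.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// The device (hypothetical class): holds private keys, indexed by the site they belong to.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);               // private key stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent to the site
  }
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;         // origin is supplied by the browser
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null;                  // no passkey exists for this site
    const clientData = JSON.stringify({ origin, challenge });
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// The website (hypothetical class): keeps only a public key and checks each response.
class Server {
  constructor(origin) { this.origin = origin; this.rpId = new URL(origin).hostname; this.pending = new Set(); }
  enroll(publicKeyPem) { this.publicKeyPem = publicKeyPem; }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);                   // remembered until used once
    return challenge;
  }
  verify(response) {
    if (!response) return false;
    const { origin, challenge } = JSON.parse(response.clientData);
    if (origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or replayed challenge
    const signed = Buffer.concat([sha256(this.rpId), sha256(response.clientData)]);
    return nodeCrypto.verify('sha256', signed, this.publicKeyPem, response.signature);
  }
}

// Constructed scenario: a real login, the same response replayed, and a lookalike origin.
function demo() {
  const site = new Server('https://bank.example'), phone = new Authenticator();
  site.enroll(phone.register('bank.example'));
  const login = phone.sign('https://bank.example', site.newChallenge());
  const lookalike = phone.sign('https://bank-login.example', site.newChallenge());
  return { first: site.verify(login), replay: site.verify(login), lookalike };
}
```

The server side never holds anything secret: a copy of its stored record gives an attacker only the public key, and a captured login response cannot be reused because each challenge is accepted once.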

When will I see passkeys?

Passkeys may appear as soon as this year.

At its Worldwide Developers Conference, Apple said it would bring passkeys to iOS 16 and macOS Ventura, the major operating system software updates expected this fall. In May, Google said it will provide passkey support for Android, available by the end of 2022 for developers to test, said Mark Risher, Google’s authentication lead. Passkey support should reach Chrome and Chrome OS at the same time. Microsoft plans to support passkeys in Windows in the coming months.

Some websites and apps will be keen to update their login software to use passkeys so that they can take advantage of the security features. Others will move slower. Even if passkeys are adopted quickly, don’t expect passwords to disappear.

Will websites and apps require me to use passkeys?

You are unlikely to be required to use passkeys while the technology is new and unfamiliar. The websites and apps you already use will likely add passkey support alongside your existing password methods.

[Image: a person uses a phone to scan a QR code to enable passkey login on a nearby computer. Credit: Apple]

If you need to log in on a friend’s computer that doesn’t have your passkey, scanning the QR code will allow your phone to handle the authentication process.

When registering for a new service, passkeys may be presented as a preferred option. In the end, they may become the only option.

Will Apple or Google passkeys lock me in?

Not exactly. Even though passkeys are tied to one company’s own set of technology, you’ll be able to step outside the Apple world, for example, to use passkeys with Microsoft or Google.

“Users can sign in on the Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, Microsoft’s leader in security and identity technology, said in a May blog post.

Passkey advocates are also working on technology to allow people to migrate their passkeys from one technology domain to another, Apple and Google say.

How do password managers handle passkeys?

In short, they don’t at the moment. Password managers play an increasingly important role in creating, storing, and synchronizing passwords. But passkeys will be stored on your phone or PC, not in your password manager.

That could change, though.

“We expect a natural evolution of an architecture that allows third-party passkey managers to communicate, and for portability between ecosystems,” Risher said.

Risher expects Google to evolve passkeys to reduce barriers between ecosystems and accommodate third-party passkey managers. “This has been a talking point since early in the industry.”

1Password maker AgileBits just joined the FIDO Alliance, and Dashlane and LastPass are already members.
