This story is part ofCNET’s collection of news, tips and advice on Apple’s most popular product.
What’s going on
Apple’s new iPhone 14 models come with a technology called passkeys designed to be as easy to use as passwords, but much more secure. They work on all iPhones running iOS 16, but Google is creating passkeys on Android and Chrome as well.
why does it matter
Passwords have long been plagued with problems, but starting with iPhones, tech giants have cooperated to devise a practical alternative that reduces vulnerabilities and hacking risks.
Access keys will come to Macs running macOS Ventura later in 2022, but support on websites and apps will be more gradual.
WithY now available, you can try a new login technology called passkeys. High-power allies including Google and Microsoft argue that access keys are more secure than passwords in protecting access to websites, email, and other online services, but are still easy enough to use to to become mainstream.
at its Worldwide Developers Conference in June. After his debut in they will arrive in this autumn. They will also come to Google’s Android and its Chrome web browser later this year.
Access keys replace the multitude of keystrokes required for passwords with biometric control on our phones or computers. They also stop phishing attacks and remove two-factor authentication complications, such as SMS codes, that are linked to password system weaknesses.
Once you set up a passcode for a site or app, it is stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome Password Manager can sync passwords across all your devices. Dozens of technology companies developed the open standards behind the access keys in a group called the FIDO Alliance, which announced the access keys in May.
“Now is the time to adopt them,” Garrett Davidson, Apple’s authentication technology engineer, said in a WWDC talk on passcodes. “With access keys, not only is the user experience better than passwords, but entire categories of security, such as weak and reused credentials, credential leaks, and phishing, are no longer possible.”
You’ll have to spend a bit of time on the learning curve before access keys reach their potential. You will also have to decide if Apple, Microsoft or Google is the best option for you.
Here’s a look at the technology.
What is a passkey?
It is a new type of login credential that consists of a small amount of digital data that is used by your PC or phone when you log in to a server. You approve each use of that data with an authentication step, such as fingerprint verification, facial recognition, a PIN code, or the familiar login swipe pattern for Android phone owners.
Here’s the kicker: you’ll need to have your phone or computer with you to use passkeys. You can’t log in to a passcode-protected account from a friend’s computer without a device of your own.
Access keys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can reset your passcodes. With end-to-end encryption, Google and Apple cannot see or change access keys. Apple has designed its system to keep access keys safe even if an attacker or an Apple employee compromises your iCloud account.
How does setting up a passcode work?
It’s pretty simple. Use your fingerprint, face, or other mechanism to authenticate a passkey when a website or app asks you to set one. That is all.
How do I use an access key to log in?
When using a phone, a password authentication option will appear when you try to log in to an app. Tap that option, use the authentication technique you’ve chosen, and you’re done.
For websites, you should see a password option next to the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to make it easy to log in to another nearby device, like your laptop. Once you’re signed in, that website may offer to create a new passkey tied to the new device.
What if I need to log in to a website while using someone else’s computer?
You can use a passkey stored on your phone to log in to another nearby device, like a laptop you’re borrowing. The login screen on the loaner laptop will have an option to present a QR code that you can scan with your phone. It’ll use Bluetooth to make sure your phone and computer are close, then let you use a fingerprint or face ID verification on your own phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Access keys employ a proven security foundation called public key cryptography for the login operation. That’s the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that a website only has to base its access key record on your public key, data that is designed to be openly viewable. The private key used to set up a passkey is stored only on your own device. There is no password database that a hacker can steal.
Another great benefit is that access keys block phishing attempts. “Access keys are inherently tied to the website or application they were set for, so users can never be tricked into using their access key on the wrong website,” said Ricky Mondello, who oversees authentication technology at Apple, in a video from WWDC.
Using keys requires you to have your device on hand and be able to unlock it, a combination that offers the protection of two-factor authentication but with less hassle than SMS codes. And with passcodes, no one can peer over your shoulder to see how you type your password.
When will I see the passkeys?
Skeleton keys have begun to emerge this year.
Passkeys are in iOS 16 now and will arrive inY when Apple releases that software later this fall. Google will provide passkey support to Android software in late 2022 for developer testing, Google authentication lead Mark Risher said in May. Access key support should come to Chrome and Chrome OS at the same time. Microsoft plans support on Windows in 2022.
However, that is just enabling technology. Websites and apps must also be updated to support passkeys. Some developers will be eager to take advantage of the security benefits, but many will move more slowly. Even if access keys become fast, don’t expect passwords to disappear.
A company that has already added support for access keys, Kayak travel booking service, added passkey support to his app and website this week. Expect to see many more gradually adopt it.
Will websites and apps require me to use access keys?
It is unlikely that you will be forced to use access keys as long as the technology is new and unknown. The websites and apps you already use are likely to add passcode support along with your existing password methods.
When you sign up for a new service, access keys may be presented as the preferred option. Eventually, they may become the only option.
Will access keys lock me out of the Apple or Google ecosystems?
Not quite. Although access keys are anchored to a company’s technology stack, you’ll be able to go outside of, say, the world of Apple to use access keys with Microsoft or Google.
“Users can sign in to a Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, identity and security technology leader at Microsoft, said in a May blog post. .
Password advocates are also working on technology to allow people to migrate their passwords from one technology domain to another, Apple and Google said.
How do password managers get involved with passkeys?
Password managers play an increasingly important role in generating, storing, and synchronizing passwords. But the access keys are likely to be tethered to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.
However, that could change.
“We expect a natural evolution toward an architecture that enables third-party access key managers to connect and portability across ecosystems,” said Google’s Risher.
He anticipates that access keys will evolve to reduce barriers between ecosystems and to accommodate third-party access key managers. “This has been a point of contention since the beginning of this industry push.”
In fact, the Dashlane password manager is currently testing password support and plans to roll it out widely in the coming weeks. “Users can store their access keys for multiple sites and benefit from the same convenience and security they already have with their passwords,” the company said in an August 31 blog post.
1Password maker AgileBits has just joined the FIDO Alliance, and DashLane, Bitwarden, and LastPass are already members.