Passkeys Are Here
Nobody likes passwords. They are a pain for users and a pain for companies with websites. Many people take the easy route by using almost trivial passwords. A study found the most popular passwords are 123456, 123456789, qwerty, password, 1234567, 12345678, 12345, iloveyou, 111111, 123123, abc123, and qwerty123. Many users have a favorite password that they use on multiple sites. This takes the risks from bad to worse. If one password is guessed or stolen, it can give bad actors access to multiple accounts. The consequences of using weak passwords are numerous, as cybercrime, fraud, spoofing, phishing, and a host of other attacks are on the rise. A gentleman approached me after one of my lectures and said he had been the victim of an attack which stole more than $1 million from his crypto exchange account.
Every year at a lecture on security, I implore my audience to use strong passwords. I shared with them my bank password. At the time it was….
Needless to say, nobody can remember or guess such a password. This is why password managers are important. There are many to choose from. I have used and recommended 1Password for quite a few years. It is an excellent app to have on all your devices. It creates strong passwords for you, and remembers them so you do not have to.
For several years, I have forecasted an even better solution is on the way. It is a passwordless solution called passkeys. My forecast of the availability of a world without passwords was a bit overly optimistic, but this year it has started to roll out, and I believe all of us will be able to be passwordless soon.
A passkey is a new type of login credential that is designed to replace passwords. The concept was developed by an industry group called the Fast Identity Online (FIDO) Alliance. The FIDO passkey group includes Apple, Google, Microsoft, Samsung, and Yubico (a Swedish security company). I view this as an alliance powerful enough to make passwordless a reality. Following are some high-level concepts to help you understand what passkeys are all about.
Passkeys are more secure than passwords because they are unique to each website or app. When you create a passkey for a website or app, it is stored on your smartphone and the passkey is not shared with the website or app. This means if one website or app is hacked, your passkeys for other websites or apps are not at risk.
Passkeys are protected by biometric authentication, such as fingerprint or facial recognition. The time has come when almost everyone has a smartphone with such capabilities. This means you will not have to remember any passwords. Instead, you can simply authenticate with your fingerprint or facial recognition. Passkeys are easy to use. When you visit a website or app that supports passkeys, your device will prompt you to authenticate with biometric authentication. Once you have authenticated, you have access to the website or app. Passwordless.
There are additional benefits to using passkeys. Passkeys are stored only on your smartphone (or another device such as a laptop), not on servers in the cloud. You do not have to remember multiple passwords. Passkeys are way more secure. They are extremely difficult to crack. If you are looking for a more secure and convenient way to sign in to websites and apps, which we all should be, I recommend using passkeys.
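To make the per-site uniqueness described above concrete, here is an added example (not part of the original article) that models the public-key challenge-response passkeys are built on, run with Node.js. The class names, the site names and the signed-message layout are assumptions for illustration; real sign-ins go through the browser's WebAuthn API.

```javascript
// Simplified model of passkey sign-in (illustration only, not the WebAuthn API).
const nodeCrypto = require('node:crypto');

// Hypothetical authenticator (phone or laptop): one key pair per site.
class Authenticator {
  constructor() { this.keys = new Map(); } // site -> private key, stays on device
  // Registration: make a fresh key pair, give the site only the public half.
  register(site) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(site, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Sign-in: sign the site name plus the site's random challenge.
  sign(site, challenge) {
    const key = this.keys.get(site);
    if (!key) throw new Error(`no passkey for ${site}`);
    return nodeCrypto.sign('sha256', signedBytes(site, challenge), key);
  }
}

// Assumed message layout: site name followed by the 32-byte challenge.
const signedBytes = (site, challenge) => Buffer.concat([Buffer.from(site), challenge]);

// Hypothetical website: its database holds public keys only.
class Site {
  constructor(name) { this.name = name; this.db = new Map(); }
  enroll(user, publicKeyPem) { this.db.set(user, publicKeyPem); }
  newChallenge() { return nodeCrypto.randomBytes(32); }
  verify(user, challenge, signature) {
    const pem = this.db.get(user);
    if (!pem) return false;
    return nodeCrypto.verify('sha256', signedBytes(this.name, challenge), pem, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const shop = new Site('shop.example'), bank = new Site('bank.example'); // constructed
  shop.enroll('alice', phone.register(shop.name));
  bank.enroll('alice', phone.register(bank.name));
  const c1 = shop.newChallenge();
  const okLogin = shop.verify('alice', c1, phone.sign(shop.name, c1));
  // An old signature does not verify against a fresh challenge.
  const replay = shop.verify('alice', shop.newChallenge(), phone.sign(shop.name, c1));
  // A signature from the shop's key does not verify at the bank.
  const c2 = bank.newChallenge();
  const crossSite = bank.verify('alice', c2, phone.sign(shop.name, c2));
  return { okLogin, replay, crossSite, distinctKeys: shop.db.get('alice') !== bank.db.get('alice') };
}
```

Calling `demo()` shows a normal login succeeding while the replayed and cross-site signatures are rejected, which is why a leak of one site's database gives no way into another.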
The rollout has begun and there are already dozens of websites and apps which support passkeys or have said they will. A few prominent sites include:
Apple: iCloud, App Store, Apple Music, Apple TV+, and Safari
Google: Gmail, Google Drive, Google Photos, Google Play, and Chrome
Microsoft: Outlook, OneDrive, Teams, and Edge
PayPal, Kayak, Best Buy, eBay, GoDaddy, Dashlane, CardPointers
So far, I have added passkeys for Amazon, Apple, Google, Best Buy, eBay, Kayak, and passkeys.io. I recommend trying Amazon first.
Using your browser on your desktop or laptop, go to Amazon and then Your Account, then Login & Security, and then click Passkey. Once you have authenticated with your fingerprint or faceprint on your phone, Amazon will confirm it has created a passkey and stored it in your browser. To test it, log out of your Amazon account and then start from scratch. Enter your email address in the login field and then click “Sign in with a passkey”. You will automatically be logged in. No password.
Now I can use the Amazon passkey anywhere: iPhone, iPad, MacBook, or iMac. Good riddance, passwords. 1Password has announced they will support passkeys in addition to passwords. This will be especially valuable for people who may have an iPhone but a Windows desktop. I tried it out, and it works fine. If you are 100% Apple, I don’t think you will need a password manager much longer. All your passkeys will be stored in the Apple keychain. If you are interested in the nitty-gritty of how passkeys work, I suggest visiting Passkeys.io. You can also read password stories in some of my books at johnpatrick.com.