A new technology promises to replace passwords for good. No more remembering or changing passwords!
Dive into what's behind passkeys and find out if they're for you.
If you have used the internet, you have used passwords and have heard of their issues: weak passwords, password reuse, sites that store passwords and leak them, phishing. Countermeasures have made the problem worse, such as forcing people to use more complicated passwords or to change them frequently. Now people remember them even less and reuse them even more.
A different route to making passwords more secure is adding more information: asking you for the name of your pet, or sending you an SMS. Pet names fell for social engineering and SMS can be circumvented. Also, people didn't like the extra work. In security, the way to hell is paved with things people didn't like.
When something needs to be really secure, the IT world has relied on hardware instead: Hardware devices that continuously display random numbers or USB keys that you plug into your PC (and even have to touch when you log in!). These are good - but they're expensive and impractical. Replacing them is a hassle and they don't work easily on mobile or public computers.
Enter passkeys! A passkey is a password that is specific to your account on a site or an application. Only, you never see the password; instead, a password manager keeps it for you. The password manager is usually your browser for web-based apps (Chrome on the desktop, Safari on mobile) and your operating system (Windows/Mac/Android/iOS) when you need to enter a password for a program or app. Third-party password managers like LastPass are also able to store passkeys.
Passkeys are not the "log in with Apple/Amazon/Facebook/Google" buttons you see everywhere. Passkeys are a new standard - an extension of those hardware keys, their virtualization if you wish. All the heavyweights sit on its consortium: Apple, Google, Microsoft and security companies like LastPass.
Passkeys solve many problems - starting with having to remember passwords. You don't get to see your passwords (even if you wanted to). If you manage your passwords today (as you should), your list will shrink as more services adopt passkeys.
Behind the scenes, each site you use gets a different passkey, making stolen passkeys worthless. Requirements to change passwords, or to make them long or complex, will become a thing of the past, as will SMS authentication and mothers' maiden names.
We talked about hardware keys and how they never became really popular - one of the reasons was that they are not easily portable. It's nice that you are logged into Gmail and Facebook on your computer, but how do you log in on your mobile without a password? What if your computer gets damaged, with the passkey in it?
This is where the heavyweights come in (and why they come in). Apple syncs your passkeys to all your devices via iCloud, in a way that only you can unlock them. Google does the same via the Google Password Manager, as will Microsoft, LastPass and many others. When you unlock your phone or your browser, your passkeys become securely available. Buying a new phone or computer becomes easy.
There is even a way to use your passkey on a public computer (say, in a library) where you don't want to log in with Google.
The main drawback is vendor lock-in. The standard says there must be a way to export passkeys, so the big players are doing the bare minimum. If you ever decide to switch from Google to Apple or vice versa, you will have to export and import passkeys individually.
What if you lose access to your account? You would be unable to use any of your passkeys. This risk comes less from hacking than from upsetting Apple/Google/Microsoft by not paying bills, posting something they don't like, or mistakes (sending your doctor pictures of your kids is a known way to get in trouble). Independently of passkeys, do read up on account recovery and have a plan B.
Sites have leeway in implementation. Unfortunately, your local bank is allowed to decide that it likes Windows and not Apple. Hopefully, this is to accelerate deployment, because ...
It's taking too long. The people building websites and phone apps have to implement changes to their login systems, accommodating the new passkeys as well as passwords. Some operating systems are also taking too long - Apple has rolled out passkey support to MacOS 16 and iOS 16, so if you have an older device, you need to buy a new one. Windows requires version 11 to really get going. Android requires 9.0. Chromebooks rely on phones.
Passkeys are rolling out by replacing passwords in existing accounts (and in new ones, of course). You will be asked whether you want to use a passkey instead of your existing password from now on. If you see such an offer, you will know this site is taking security seriously.
How can you get started? You can enable your (personal) Google account to start using passkeys when possible.
If you're impatient to try (or you're a developer), you can see how it works on this test site. It lets you create a test account (that'll be deleted after 24h) secured with a passkey that you can log into. And when you start seeing passkeys offered on sites (Best Buy, eBay, PayPal etc.), make the web better by eliminating one password at a time. Thank you for reading!