A future without passwords – what Passkey means for everyone
Apple is helping lead the charge towards a passwordless future.
A future where you never use a “forget password?” link, and never get phished again. It really could be a magical thing and help change the face of account security.
But first, a little history of why this problem exists and what a passkey will solve.
The problem with passwords
Passwords suck. Banks and employers make you change them every three months. You can’t reuse them. Some make you have fewer than 8 characters, while others want an intro, a main character, a plot with 3-act structure, symbols, numbers, and upper case letters.
People suck at using passwords. People use their birthday, their anniversary, and literally, ‘password12345’. And they re-use them, and write them down.
Then came the password managers
And they were good. But the problem with a password manager is that you have to manage a lot of passwords.
A password manager records your passwords when you enter them into a site the first time and automatically fills them each future time. For new sites, it will offer to create passwords. And, it will encrypt them all to keep them safe.
Then came two-factor authentication, or 2FA. 2FA is the idea that you enter your username and password, and generate a six-digit code with an app or SMS.
The code changes every time, so it’s more secure, and it comes to your phone, so it’s ‘something you know’ (the password), and ‘something you have’ (the phone). Those are the two factors.
Instead of 2FA that relies on you having a password and receiving an SMS (insecure), or setting up an app to receive codes, this all gets simpler.
It seems a little silly that you have to create a password, use the phone to remember it, and then get a code to enter from the phone. That’s a lot of manual work for something that is stored at a remote computer and has a history of getting hacked.
What if all that went away? What if services didn’t have to store a password in the first place, so there’d be no password to get hacked?
Passkey, Apple’s name for FIDO2 (Fast IDentity Online 2), uses Touch ID or Face ID to create a key for a website or service. When you go to sign in, you’ll be asked to use Touch ID or Face ID instead of a password.
Benefits of this system:
- The key is end-to-end encrypted
- The key is synchronized in iCloud, so it’s synchronized to your Apple devices
- The key is stored on your local Apple device
- It’s cross-platform
As you can see, there are a lot of benefits of a system like this.
That last detail is important. Cross-platform support is what’s going to make this catch on and eliminate passwords everywhere over time.
I asked Tim Cappalli of Microsoft what cross-platform means. You can find their response below:
Because the integration for Windows is via the browser at first, Windows 10 users can take advantage of this.
The way it works is that when you go to a site on a PC, the site will display a QR code. Hold up your phone’s camera to the code, and it will prompt the phone to authenticate.
The method will ask for your Touch or Face ID. The phone will then provide the key back to the site, and you’ll be logged in.
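What the site checks at sign-in, as an added example that is not from the original article or from Apple's code: in FIDO2 the site stores only a public key, sends a random challenge, and the device signs that challenge together with the origin the browser is on. This is a simplified model; the function names, origins and JSON layout are assumptions.

```javascript
// Simplified model of a passkey (WebAuthn) sign-in. All names are constructed.
const crypto = require('node:crypto');

// Registration: the device makes a key pair for one site. The private key
// stays on the device; the site stores only the public key.
function register(origin) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { origin, publicKey } };
}

// Device: after Touch ID / Face ID, sign the site's challenge together with
// the origin the browser is actually on (set by the browser, not the page).
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site: accept only a fresh challenge, its own origin and a valid signature.
function serverVerify(server, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'wrong-challenge';
  if (data.origin !== server.origin) return 'wrong-origin';
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
    server.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

function demo() {
  const site = 'https://bank.example';            // constructed origin
  const lookalike = 'https://bank-login.example'; // constructed origin
  const { device, server } = register(site);
  const challenge = () => crypto.randomBytes(32).toString('base64url');
  const c1 = challenge(), c2 = challenge();
  const good = deviceSign(device, c1, site);
  // Someone holding only the site's stored public key has no private key to sign with.
  const otherKey = register(site).device;
  return {
    legit: serverVerify(server, c1, good),
    replayed: serverVerify(server, c2, good),
    phished: serverVerify(server, c2, deviceSign(device, c2, lookalike)),
    wrongKey: serverVerify(server, c2, deviceSign(otherKey, c2, site)),
  };
}

console.log(demo());
```

Real WebAuthn signs authenticator data plus a hash of the client data, and the browser will not offer a passkey on a domain it was not created for; the model keeps only the challenge, origin and signature checks.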
Google has been making FIDO2 password-less authentication available to Google accounts on Android 7+ devices, starting with Pixel devices.
Users can use their fingerprint or screen lock method instead of typing in their password when visiting Google services and websites. The fingerprint is said to never be sent to Google’s servers.
Converting passwords to Passkey
If you’re like me, you have around 1,700 passwords. As you go to sites, an iPhone with iOS 16 will offer to convert them to Passkey, making it easy to never have to deal with a password again, while also preventing passwords from being compromised ever again.
There are still a few things we don’t know about Passkeys. We know that it will be supported in iOS 16, iPadOS 16, macOS 13 Ventura, Safari, Chrome, Edge, Android, Windows 10 (at the browser level), and Windows 11.
What we don’t know is what this means for the people that switch platforms. Sometimes, Android users buy iPhones. Sometimes, iPhone users buy Android phones. If Passkeys are stored securely in iPhone and synchronized through iCloud Keychain, how would you port them to Android?
You’re going to want Passkey
Even if it seems like passwords are a comfortable, known way of getting into sites and services, they’re vulnerable to bad hacks.
Using Passkey, even though it seems very new, is going to be better over time. It’s a building block to get to a future where hacks don’t happen as much, or as widely, and one where everyone can go without passwords: Apple, Windows, iPhone, and Android users alike.