
What is a Passkey? by John R. Patrick

Words: 1,154  Reading time: 4.3 minutes

Every March for the past 12 years, I have given a lecture called Tech Talk at Hammock Dunes Club in Palm Coast, Florida where I live in the winter. The purpose of the annual lecture is to share with my friends and neighbors my perspective on developments in technology. Topics this year included cryptocurrencies, NFTs, AI, Metaverse, Healthcare, and Space.

Each year I start the lecture with two topics which I call obligatory. First is the Apple ID, which is an important but underutilized part of the Apple Health app. I demonstrated how first responders can get into your iPhone in case you have become incapacitated. Once in the iPhone, the first responder can see your Medical ID which contains emergency contact information, blood type, organ donor designation, medications, and much more. It is up to you to include a lot or a little health information. Young or old, this is an important capability of our smartphones. Similar capabilities exist for those with Android phones.

The second obligatory annual topic is passwords. Nobody likes them. They are a pain for users and websites alike. Many people take the easy route by using almost trivial passwords. A study found the most popular passwords are 123456, 123456789, qwerty, password, 1234567, 12345678, 12345, iloveyou, 111111, 123123, abc123, and qwerty123. Many users have a favorite password which they use on multiple sites. This takes the risks from bad to worse. If one password is guessed or stolen, it can give bad actors access to multiple accounts. The consequences of using weak passwords are numerous as cybercrimes, fraud, spoofing, phishing, and a host of other attacks are on the rise. One gentleman approached me after the lecture and said he had been the victim of an attack which stole more than $1 million from his crypto exchange account.

Every year I implore my audience to use strong passwords. I shared with them my then bank password. At the time it was:

AzQmtx6_Wb@Bh*zF6U-*38A6n._3pWK9

Needless to say, nobody can remember such a password. This is why password managers are important. There are many to choose from. I have used and recommended 1Password for quite a few years. It is an excellent app to have on all your devices. It creates strong passwords for you, and remembers them so you do not have to. For the second year in a row, I forecast that an even better solution is on the way. It is a passwordless solution called passkeys. My forecast of the availability of a world without passwords was a bit overly optimistic, but this year I can confidently predict it is finally happening and by this time next year, I believe all of us will be able to be passwordless.

A passkey is a new type of login credential that is designed to replace passwords. The concept was developed by an industry group called the Fast Identity Online (FIDO) Alliance. The FIDO passkey group includes Apple, Google, Microsoft, Samsung, and Yubico (a Swedish security company). I view this as an alliance powerful enough to make passwordless a reality. Following are some high-level concepts to help you understand what passkeys are all about.

Passkeys are more secure than passwords because they are unique to each website or app. When you create a passkey for a website or app, it is stored on your smartphone (or another device) and the passkey is not shared with the website or app. This means if one website or app is hacked, your passkeys for other websites or apps are not at risk. Passkeys are protected by biometric authentication, such as fingerprint or facial recognition. The time has come when almost everyone has a smartphone with such capabilities. This means you do not have to remember a long, complex password. Instead, you can simply authenticate with your fingerprint or facial recognition. Passkeys are easy to use. When you visit a website or app that supports passkeys, your device will prompt you to authenticate with biometric authentication. Once you have authenticated, you have access to the website or app. Passwordless.

There are additional benefits of using passkeys. Passkeys are stored only on your smartphone (or another device), not on servers in the cloud. You do not have to remember multiple passwords. Passkeys are way more secure. They are more difficult to crack. If you are looking for a more secure and convenient way to sign in to websites and apps, which we all should be, I recommend using passkeys.

The rollout has begun but is far from widely available. Some of the websites and apps which support passkeys or have said they will include:

Apple: iCloud, App Store, Apple Music, Apple TV+, and Safari

Google: Gmail, Google Drive, Google Photos, Google Play, and Chrome

Microsoft: Outlook, OneDrive, Teams, and Edge

PayPal, Kayak, Best Buy, eBay, GoDaddy, Dashlane, CardPointers

This list is not exhaustive, and more websites and apps are expected to support passkeys in the future. I was able to add Apple, Google, and Best Buy passkeys. I tried several others and did not find anything about passkeys. I am sure they will be updating soon. Although passkeys are still a new technology, they have the potential to make online security much stronger. If you are not already using passkeys, I encourage you to give them a try. If you are not sure if a website or app supports passkeys, you can check the website or app’s settings.

To give you an idea of how to set up passkeys, I will now describe how it worked for Best Buy. I went to bestbuy.com and signed in with my login and password (the old way). I then visited account settings and then account security. In the account security section, I clicked on Passkey (Face or Fingerprint Sign-In), and then clicked Create Passkey. It confirmed a passkey had been created and stored in my Apple keychain. The passkey would now be available on all my devices. To test it, I deleted my login and password in 1Password. I then logged out of bestbuy.com. I closed the browser and started from scratch. I opened the browser and headed to bestbuy.com. I was logged in automatically after bestbuy.com retrieved my passkey from my iPhone. Passwordless.

Now I can use the bestbuy.com passkey anywhere: iPhone, iPad, MacBook, or iMac. Good riddance, password. 1Password has announced they are going to support passkeys. This will be especially valuable for people who may have an iPhone but a Windows desktop. 1Password said this new capability will be available this summer. I will report on it once I get to try it out. If you are 100% Apple, I don’t think you will need a password manager. All your passkeys will be stored in the Apple keychain.

Epilogue

If you are interested in seeing a video of the Tech Talk lecture I gave in March, you can find it here.