This story is part of CNET’s complete coverage from and around Apple’s annual developer conference.
What is happening
Apple and Google are updating their phone software and web browsers this year with technology called passkeys that are designed to be easier to use and more secure than passwords.
Why does it matter?
Passwords are plagued with problems, but tech giants have collaborated to devise a practical alternative that reduces vulnerabilities and hacking risks.
Apple will introduce support for passkeys, a new login technology that promises to be more secure than passwords at protecting access to our bank and email accounts. Apple said at its Worldwide Developers Conference that passkeys will come to iOS 16 and MacOS Ventura this fall, and they’re coming to Google’s Android and web browsers, too.
Passkeys are just as easy to use as passwords, perhaps easier. They replace the fuss of keystrokes required for passwords with a biometric check on our phones or computers. They also stop phishing attacks and remove two-factor authentication complications, such as SMS codes, that compensate for the weaknesses of password systems.
After you set up a passkey for a site or app, it’s saved on the phone or PC you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome password manager can sync passkeys across your devices. Dozens of technology companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.
“Now is the time to adopt them,” said Garrett Davidson, an authentication technology engineer at Apple, in a WWDC talk about passkeys. “With passkeys, not only is the user experience better than with passwords, but entire categories of security — like weak and reused credentials, credential leaks, and phishing — are simply no longer possible.”
You’ll need to spend some time on the learning curve before passkeys live up to their potential. You’ll also need to decide whether Apple, Microsoft, or Google is the best option for you.
Here’s a look at the technology.
What is a passkey?
It’s a new type of login credential that consists of a bit of digital data that your computer or phone uses when you log in to a server. You approve any use of that data with an authentication step, such as a fingerprint check, facial recognition, a PIN code or the login swipe pattern familiar to Android phone owners.
Here’s the catch: You’ll need to have your phone or computer with you to use passkeys. You can’t access a passkey-protected account from a friend’s computer without a device of your own.
Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple cannot see or change the passkeys. Apple has designed its system to keep your passkeys safe even if an attacker or Apple employee compromises your iCloud account.
How does setting a passkey work?
It’s very easy. Use your fingerprint, face, or another mechanism to authenticate a passkey when a website or app asks you to set one up. This is.
How can I use a passkey to sign in?
When using a phone, a passkey authentication option will appear when you try to sign in to an app. Tap that option, use your chosen authentication technique, and you’re in.
For websites, you should see a passkey option at the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to facilitate login on another nearby device, such as your laptop. Once you’re signed in, that website may offer to create a new passkey associated with the new device.
What if I need to sign in to a website while using someone else’s computer?
You can use a passkey saved on your phone to sign in to another nearby device, such as a laptop you are borrowing. The login screen on the loaner laptop will have an option to present a QR code that you can scan with your phone. It’ll use Bluetooth to make sure your phone and computer are close, then let you use a fingerprint or facial recognition check on your phone. Your phone will then communicate with the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys use a time-tested security foundation called public key cryptography for the login operation. This is the same technology that protects your credit card number when you enter it on a website. The beauty of the system is that a website only needs to base its passkey data on your public key, data that is designed to be visible. The private key used to set up a passkey is stored only on your device. There is no database of password data that a hacker can steal.
Another big benefit is that passkeys block phishing attempts. “Passwords are intrinsically tied to the website or app they’re created for, so users can never be tricked into using their passkey on the wrong website,” said Ricky Mondello, who oversees authentication technology at Apple, in a WWDC video.
Using passkeys requires you to have the device in hand and be able to unlock it, a combination that provides the protection of two-factor authentication but with less hassle than SMS codes. And with passkeys, no one can peer over your shoulder to see how you type your password.
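The public-key login and site binding described above can be sketched in a few lines of Go. This is an added illustration, not code from Apple, Google or the FIDO Alliance: it is a simplified model rather than the real passkey message format, it uses Ed25519 signatures for brevity, and the origins, type names and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Passkey models what stays on the device: a private key tied to one site.
type Passkey struct {
	Origin string
	priv   ed25519.PrivateKey
}

// Register creates a passkey for origin; the site stores only the public key.
func Register(origin string) (*Passkey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{Origin: origin, priv: priv}, pub
}

// message binds the server's one-time challenge to the site origin.
func message(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Sign is the device side: it answers only for the site the passkey was made for.
func (p *Passkey) Sign(browserOrigin string, challenge []byte) ([]byte, bool) {
	if browserOrigin != p.Origin {
		return nil, false // no passkey exists for this origin
	}
	return ed25519.Sign(p.priv, message(browserOrigin, challenge)), true
}

// Verify is the server side: it needs only the public key and its own origin.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, message(origin, challenge), sig)
}

func main() {
	pk, pub := Register("https://bank.example") // constructed origin
	challenge := []byte("constructed-one-time-challenge")
	sig, _ := pk.Sign("https://bank.example", challenge)
	fmt.Println("real site accepts:", Verify(pub, "https://bank.example", challenge, sig))
	_, ok := pk.Sign("https://bank-example.test", challenge)
	fmt.Println("look-alike site gets a signature:", ok)
}
```

The server never holds anything secret, and a signature made for one challenge does not verify against a later one, so a captured login cannot be replayed.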
When will I see the passkeys?
Passkeys start appearing this year.
At its Worldwide Developers Conference, Apple said it will bring passkeys to iOS 16 and MacOS Ventura, the major software updates to the operating system expected this fall. In May, Google authentication chief Mark Risher said Google will bring passkey support to Android software by the end of 2022 for developer testing. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support on Windows in the coming months.
Some websites and applications will be keen to update their login software to use passkeys in order to take advantage of the security benefits. Others will move more slowly. Even if passkeys catch on quickly, don’t expect passwords to disappear.
Will websites and apps require me to use passkeys?
It is unlikely that you will be forced to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support in addition to existing password methods.
When signing up for a new service, passkeys may appear as a preferred option. Eventually, they may become the only option.
Will my passkeys lock me into the Apple or Google ecosystems?
Not exactly. Even though passkeys are anchored in a company’s technology suite, you’ll be able to step outside of Apple’s world, say, to use passkeys with those of Microsoft or Google.
“Users can sign in to a Google Chrome browser running on Microsoft Windows using a passkey on an Apple device,” Vasu Jakkal, a Microsoft lead for security and identity technology, said in a blog post in May.
Passkey backers are also working on technology to let people migrate their passkeys from one technology domain to another, Apple and Google say.
How are password managers involved with passkeys?
Password managers play an increasingly important role in generating, storing and synchronizing passwords. But passkeys are likely to be anchored to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.
However, this may change.
“We expect a natural evolution to an architecture that allows third-party managers to plug in and for portability across ecosystems,” Google’s Risher said.
He predicts that passkeys will evolve to lower barriers between ecosystems and accommodate third-party managers. “This has been a point of discussion since the beginning of this industry push.”
Indeed, password manager Dashlane is testing passkey support and plans to roll it out widely in the coming weeks. “Users can save their passkeys for multiple sites and benefit from the same convenience and security they already have with their passwords,” the company said in a blog post.
1Password maker AgileBits just joined the FIDO Alliance, and Dashlane and LastPass are already members.