LONDON — If you’re tired of memorizing passwords, then give passkeys a try.
You might have noticed that many online services are now offering the option of using passkeys, a digital authentication method touted as an easier and more secure way to log in. The passkey push started gaining major momentum after Google started accepting them about 18 months ago.
Passkeys are seen as eventual replacements for passwords, but if you’re still not sure what they’re all about, read on:
Forget about memorizing an optimized 14 character password consisting of letters, numbers and symbols. Passkeys do away with that because you never need to see them. Instead you are using existing biometrics like your face or fingerprints, digital patterns or PINs to access your accounts.
Passkeys are made up of two parts of a code that only makes sense when they’re combined, kind of like a digital key and padlock. You keep half of the encrypted code, typically stored either in the cloud with a compatible password manager or on a physical security dongle. The other half is stored on the participating apps, services or accounts you want to access.
When you want to log in to your Gmail account, for example, both parts of the code will then communicate directly with each other and give you entry.
A passkey won’t work with any website except the one it has been created for, eliminating the security risks associated with traditional passwords.
That means bad actors carrying out phishing scams won’t be able to trick you into entering your details into a copycat login page for your bank. And because passkeys use cryptographic security, they also can’t brute force their way into your account by trying passwords exposed in previous data breaches or guessing them.
Some 20% of the world’s top 100 websites now accept passkeys, said Andrew Shikiar, CEO of the FIDO Alliance, an industry group that developed the core authentication technology behind passkeys.
Passkeys first came to the public’s attention when Apple added the technology to iOS in 2022. They got more traction after Google started using them in 2023. Now, many other companies including PayPal, Amazon, Microsoft and eBay work with passkeys. There’s a list on the FIDO Alliance website.
Still, some popular sites like Facebook and Netflix haven’t started using them yet.
Passkey technology is still in the “early adoption” phase but “it’s just a matter of time for more and more sites to start offering this,” Shikiar said.
I tried setting up passkeys for some of the major online services I use. It was fairly easy for some but confusing for others. Shikiar said his group is constantly working on ways to improve the user experience.
Google users can go to myaccount.google.com and under “How to sign in to Google”, click Passkeys and security keys. Upon reaching the setup screen, I received a prompt to create a passkey while simultaneously my password manager’s browser plug-in popped up offering to save it. I clicked to confirm and the setup work was all done automatically.
So far, pretty easy.
Then, I tried adding more Google passkeys to my Windows-based work laptop and a Yubico physical security key. This time, when I got to the Google setup screen, it asked for my existing passkey to confirm my identity. But then it somehow failed to authenticate through my password manager.
I tried again using other verification methods, including my Google authenticator app that I already had on my iPhone, and it eventually succeeded.
Setting up a passkey on LinkedIn was easy, though it involved running through some menus.
When I attempted to set up a passkey for my WhatsApp account, I discovered I had, apparently, already created one months earlier when I activated the app lock feature requiring a fingerprint scan.
There was more friction with my PayPal account because passkeys work on the app but not on some browsers, like Firefox. After setting one up, I also found the login process wasn’t smooth.
Amazon provided the smoothest experience. But when I tried to login with my Amazon passkey, it asked for a one-time verification code from my authenticator app, which confused me because I thought passkeys were supposed to eliminate the need for multi-factor authentication.
Shikiar said it depends on the site, but, in theory, the passkey already has enough protection built in.
“When the primary factor’s un-phishable, other factors aren’t necessary,” he said.
If you’ve lost the device containing your passkey, that doesn’t necessarily mean it’s gone. That’s because the typical method to store passkeys on phones is a cloud-based password manager from Apple, Google, or third-party providers. So just log back into the password manager from another phone or computer.
Passkeys stored on security dongles, on the other hand, aren’t synced to the cloud so there’s no way to recover them if they’re lost. It’d be a good idea to get a second hardware key and keep it as a backup.
And don’t forget you can always mix both cloud and hardware methods to keep multiple passkeys for extra redundancy.
Based on my experience, setting up a passkey can be easy, or tedious and bewildering, depending on the service and what other security technology you want to layer in.
So I wouldn’t recommend doing all your accounts right away.
Instead, choose a few of your most important and frequently used services or accounts and focus on a proper setup for those.
In theory, you could delete your old passwords. Some services like Microsoft already offer this option. Shikiar says it should be a “personal preference,” because “some people may feel extremely nervous” about going passwordless.
It’s fine to keep your password but make sure there’s also multi-factor authentication set up for it, he said.
___
Is there a tech challenge you need help figuring out? Write to us at onetechtip@ap.org with your questions.
