In the ever-intensifying fight against digital criminals, passwords are a liability for people and organizations, cybersecurity experts say. Hackers frequently steal passwords in targeted attacks or sweeping data leaks, then break into online accounts to steal money or data. Consumers, meanwhile, struggle to make and remember strong passwords for what could be hundreds of online accounts.
The FIDO Alliance — an industry group that includes Amazon, Apple, Google and Meta — built passkeys in an effort to make online sign-ins simpler and safer, and the technology is showing up in more places. Google introduced passkey support in May, iOS 16 users can save passkeys to their Apple accounts, and the Meta-owned messaging app WhatsApp said Monday that it will support passkey log-ins for Android users. These decisions may signal a broader changeover on the horizon.
A passkey is an alphanumeric string that’s completely unique to you. It proves you are who you say you are, so apps and websites can let you into your account without providing a traditional password.
Passkeys rely on a type of cryptography called public key, where an algorithm comes together like puzzle pieces to unlock your account. When you log in, the app or website shares a “public key” algorithm with your device, which your device decodes using its unique “private key.”
To enable the passkey, all you have to do is unlock your device the normal way — with a PIN, face ID or fingerprint — when prompted. Then the app or site knows it’s you and lets you in.
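The sign-in described above, sketched as an added example that is not from the original article: under the WebAuthn standard that passkeys are built on, the site sends a random challenge, the device signs it with a private key that never leaves the device, and the site checks the signature against the public key it stored at registration. The origin, user name and function names are assumptions for illustration, and the signed message is simplified from the real WebAuthn format.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify, createPublicKey } = require('node:crypto');

// Constructed demo value; the origin is an assumption for illustration.
const SITE_ORIGIN = 'https://shop.example';

// Device side: the key pair is created on the device; the private half stays there.
function createPasskey() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server side: registration stores only the public key for the account.
function register(db, user, publicKey) {
  db.set(user, publicKey.export({ type: 'spki', format: 'pem' }));
}

// Server side: a fresh random challenge per sign-in, so an old response cannot be replayed.
function newChallenge() {
  return randomBytes(32);
}

// Device side: runs only after the user unlocks the device (PIN, face or fingerprint).
// Simplification: real WebAuthn signs authenticator data plus a hash of client data.
function signIn(privateKey, challenge, origin) {
  return sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), privateKey);
}

// Server side: verify against the server's own origin and the challenge it issued.
function verifySignIn(db, user, challenge, signature) {
  const pem = db.get(user);
  if (!pem) return false;
  const msg = Buffer.concat([Buffer.from(SITE_ORIGIN), challenge]);
  return verify('sha256', msg, createPublicKey(pem), signature);
}

// Walk through one genuine sign-in and three failure cases.
function demo() {
  const db = new Map();
  const device = createPasskey();
  register(db, 'alice', device.publicKey);
  const challenge = newChallenge();
  const sig = signIn(device.privateKey, challenge, SITE_ORIGIN);
  const lookalike = signIn(device.privateKey, challenge, 'https://shop-example.test');
  return {
    genuine: verifySignIn(db, 'alice', challenge, sig),        // right key, origin, challenge
    replayed: verifySignIn(db, 'alice', newChallenge(), sig),  // old signature, new challenge
    wrongOrigin: verifySignIn(db, 'alice', challenge, lookalike), // signed for a look-alike site
    serverHoldsSecret: [...db.values()].some((v) => v.includes('PRIVATE KEY')),
  };
}
```

Because the server's records contain only public keys, a copy of them gives no one a credential to reuse elsewhere, which is the leaked-credentials benefit the article describes.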
In many cases, passkeys get saved to your cloud account such as Google or Apple iCloud. That means you can use the passkey from multiple devices tied to that account.
Google and other passkey supporters still accept passwords, so no worries if something goes sideways.
How do I set up passkeys?
Google should prompt you to set up your passkey at sign-in. Otherwise, open any Google app, click on your profile icon in the top-right corner and go to “Manage your Google Account.” From there, go to “Security” in the left-hand menu, scroll to “How you sign in to Google” and turn on passkeys.
Apps and websites that support passkeys should prompt you to set one up when you create a new account. This will involve unlocking your device to authenticate yourself. If you already have an account for that website or app, go to your account settings and look for options like privacy, security or passwords. You should see a way to enable passkeys.
Depending on what device you’re using, you can save passkeys to your iCloud keychain, Google Password Manager or Windows Hello — or a password manager app or browser extension.
Passkeys eliminate a few of the biggest risks and headaches that come with passwords.
First, no more remembering passwords. People and businesses spend a lot of time and money each year dealing with forgotten passwords, so passkeys save everyone some grief.
Passkeys also protect people and businesses against leaked credentials. When hackers compromise a company’s servers, they often use stolen username-password combinations to try to break into other sites, too. Since so many people get tired of remembering passwords and use the same ones for every account, those hackers are often successful. Passkeys drastically reduce this potential, since they are stored on the user’s device or personal cloud rather than a company’s servers.
Finally, no more hunting for that six-digit code in your text messages when you’re trying to log in. That additional safety check is called two-factor authentication, and it has helped make passwords safer. But passkeys make extra authentication unnecessary because they confirm the user’s identity from the jump.
Passkeys aren’t a great fit for environments where lots of people are sharing the same devices, like university libraries, said Steve Won, chief product officer at password manager company 1Password. If you share a device and don’t set up separate user profiles, other users may be able to unlock the passkey to access your Google account and Google apps. (To fix this, just set up separate user profiles that remain locked with a PIN, password or biometrics.)
Since passkeys are often tied to your devices, you may need to set up new passkeys if you lose your phone or laptop. Your accounts should be safe from interlopers, however, as long as they don’t know the PIN to unlock your device.
Which websites and apps support passkeys?
Building the technology to support passkeys takes time and money, so companies have been relatively slow to get on board, said Igor Kuznetsov, a researcher at cybersecurity company Kaspersky. We are still years away from a password-free life.
But the list of players that allow passkeys is steadily growing. In addition to Google, big names such as Uber, TikTok, Amazon, Microsoft, PayPal and Nintendo let you sign in with passkeys.
The more large companies support passkeys, the more pressure smaller ones will feel to switch over, Kuznetsov said. Eventually, you may have far fewer passwords to remember and type in, saving you time and brain space. (Until then, make sure you’re using long, distinct, complicated passwords and storing them in a password manager.)