
Passwords Are Going to Die. PassKeys Will Kill Them.


Why kill passwords with PassKeys? Because passwords aren’t very secure.

It’s time for something better, and all the big tech players are working together on the solution.

Your passwords are stored on the servers of every website you log into. Those servers can get hacked, and they regularly do. There are sections of the “dark web” devoted to buying and selling stolen passwords.

Passwords can be phished, too, by nefarious websites and text messages purporting to be your bank or your credit card company. They can appear completely authentic and claim to require your credentials to unfreeze your checking account or remove a false ding from your credit report.

Worse, passwords are guessable. People — including Yours Truly — can get lazy about coming up with strong passwords. And without a password manager, which not everyone has or knows how to use, they’re impossible to remember. So people often use passwords that are easy for them to remember and easy for bad guys to guess.

PassKeys — a coming industry-wide standard — can’t be hacked, phished, or guessed. In fact, users can’t even see their own PassKeys.

Apple’s implementation of PassKeys — launching this autumn with new versions of the company’s signature Mac and iPhone and iPad operating systems — aims to replace passwords with something much more secure.

On the user’s end, PassKeys will be both easier to use and more secure.

A PassKey-enabled website will ask if you want to create one as your login credentials. If you agree, you’ll punch in (or biometrically confirm) your computer’s/phone’s login credentials. The confirmation gives your device permission to create a unique PassKey for each site.

On your end, that’s all there is to it. Your PassKeys, once created, will work on any device that you’re signed into, provided they’ve also been protected by two-factor authentication (TFA).

ASIDE: TFA is that annoying little security step where, whenever you try to sign in on a new device, you aren’t allowed in until you give your permission on another device that you’re already signed into. So no one can clone your phone and gain access to your PassKeys.

But all you’ll have to do to sign in securely, once your PassKey is created, is use Touch ID or Face ID for biometric verification. That’s for Apple users, almost all of whom already sign in to their Macs, iPhones, and iPads with a fingerprint or faceprint. Microsoft and Android users will enjoy the same PassKey ease and security benefits.


Behind the scenes, there’s a lot more going on:

The new PassKey system means no passwords are stored on any single website, instead linked to the “device in your hand”. An Apple device will act as an authenticator, generating a public-private key pair for each of the device user’s accounts.

The device retains the private key, and shares the public key with the server. They are “next-generation credentials that are more secure, easy to use, and designed to replace passwords,” Apple said in a statement.
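
The key-pair arrangement described above can be sketched in a few lines. This is an added example, not Apple's or the FIDO Alliance's code, and it is a simplified model rather than the real WebAuthn message format: the class names, the `.example` origins and the user name are constructed, and it goes slightly beyond the text by showing the server's one-time challenge and the binding of each signature to the site's origin.

```javascript
const crypto = require('crypto');

// Device side: one key pair per site; private keys stay inside this object.
class Authenticator {
  #keys = new Map(); // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is shared
  }
  sign(origin, challenge) {
    const key = this.#keys.get(origin);
    if (!key) return null; // no passkey exists for this origin
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Server side: stores public keys only, so a breach leaks nothing that can log in.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.users.set(user, pem); }
  newChallenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user), pem = this.users.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !pem || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Server('https://bank.example'); // constructed origin
  bank.enroll('alice', device.register(bank.origin));
  const good = bank.verify('alice', device.sign(bank.origin, bank.newChallenge('alice')));
  // A look-alike origin forwards the bank's challenge: the device has no key for it.
  const lookalike = bank.verify('alice',
    device.sign('https://bank-login.example', bank.newChallenge('alice')));
  // A captured signature is useless once the server issues a fresh challenge.
  const old = device.sign(bank.origin, bank.newChallenge('alice'));
  bank.verify('alice', old);
  bank.newChallenge('alice');
  const replay = bank.verify('alice', old);
  return { good, lookalike, replay, stored: [...bank.users.values()] };
}
```

Calling `demo()` returns `good: true`, `lookalike: false` and `replay: false`, and the only thing the server ever stored is a PEM-encoded public key.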

Apple has been working with the tech sector’s major players, including Google and Microsoft, as part of the FIDO Alliance. Last month FIDO announced:

Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms.

These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality.

In other words, Apple’s Monday reveal of PassKeys is just their brand name and execution of an industry-wide standard.

You won’t have to give up your Android phone or your Windows computer to enjoy the benefits of passwordless sign-ins.

What you will have to do is wait.

It’s going to be a slow death, of course. Apple called the transition from passwords to PassKeys a “long journey,” as websites, developers, and those competing hardware manufacturers begin adopting the nascent technology.

Even though intellectually I know the transition will take years, I’m still very excited for it to happen.
