It's all about the ability to identify you [to e.g. your bank]

This is all about identification of you, as a user, and the ability to tell you apart from others for the purposes of customising a website for you, protecting your data, or providing information to you that only you should receive. In other words, logins. Logins for your bank, your government apps, your news subscription and your online grocery shopping.

A recap of where we are today - passwords are really bad

Let's start with where we are today - we use passwords to try to ascertain identity. But passwords are compromised in so many ways by you, by your computer, by your bank or trusted websites, and by fast computers just taking thousands of guesses per second.

We wrote an article on how bad passwords are, and what you can do about it. Have a read to refresh yourself, and to learn about some ways to protect yourself.

Anyway, so what are these Passkeys?

Passkeys are something new, and they address a lot of the issues introduced by using passwords. They can be very secure MFA/2FA - but the real, industry-wide movement is that they can replace passwords altogether.

Developers have been using something similar since 1995; it is robust, proven technology. Passkeys themselves use the open WebAuthn API to exchange identity information. Passkeys are just one implementation, backed by Google, Apple and Microsoft as an open collaboration, so it's going to catch on.

They're easy to use, there's nothing to remember

You will go to a site, where you "enroll" for your Passkey. You will be asked to identify yourself to your computer (with your face, your fingerprint, or your voice), and then that's it. Nothing to remember, nothing to lose, no rules to obey.

You might identify yourself to your computer with a password or PIN, but this isn't sent to the website in this scenario. It's the way to tell your computer you are you, not the website. The computer still does the rest - as below, no matter how you got this far.

The private bit never leaves your device, they are hard to lose

In terms of what they offer, the key difference is that websites don't hold the strong end of the chain anymore. When you enroll, your computer or phone makes up a new, private and very long key that it keeps and never shares. This key lets it decrypt (unlock) private items. The key is impossibly long and is stored on your computer in a secure manner, automatically.

Your computer then gives a special public key to the website. The public key only lets them encrypt (lock) items for your computer to privately unlock.

Websites identify you by asking your device a question only it can answer

Websites will lock something identifying you - perhaps a unique number and a random, one-time phrase - using your public, locking key, then send it to you. They know that only you (well, your computer/phone) can unlock the phrase with your private unlocking key, and so prove it is you.

They did all this without ever knowing anything about you that you weren't willing to share or lose (like a password, which they'd have had to store in their database).
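The exchange described above, as an added worked example that is not code from the original article. The article uses a lock/unlock picture; in WebAuthn the device actually answers the website's random challenge by signing it with the private key, and the website checks that signature with the public key it stored at enrollment. The example below models both sides with that signing flow: the device generates a P-256 key pair per site and keeps the private half, the site stores only the public half, issues a fresh single-use challenge, and verifies the answer. The site names ("bank.example", "bank-example.test"), the user "alice" and the type and function names are all constructed for this example; real WebAuthn additionally carries origin checks, authenticator data, signature counters and attestation, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's phone or computer. Private keys are
// created here and never leave this struct; only public keys are handed out.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // one key pair per website (relying party ID)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register is the "enroll" step: a fresh P-256 key pair is generated for this
// site and only the public half is returned, to be sent to the website.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge. The signed data binds the challenge to the
// site the browser reports (rpID), so a challenge relayed through a look-alike
// site is signed for that site's identity, not the real one's.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	digest := signedData(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// signedData loosely mirrors what WebAuthn signs: SHA-256(rpID) followed by
// the challenge, hashed again to form the ECDSA input.
func signedData(rpID string, challenge []byte) [32]byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return sha256.Sum256(append(rpHash[:], challenge...))
}

// RelyingParty stands in for the website. It stores only public keys, so a
// breach of this data gives an attacker nothing that can log in.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // username -> public key
	pending map[string][]byte           // username -> outstanding single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key the device handed over at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh random challenge and remembers it so that it can
// be answered exactly once.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	rp.pending[user] = challenge
	return challenge, nil
}

// FinishLogin verifies the signature against the stored public key and the
// challenge it issued, then discards the challenge so a replay is rejected.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	digest := signedData(rp.ID, challenge)
	return ecdsa.VerifyASN1(rp.pubKeys[user], digest[:], sig)
}

func main() {
	device := NewAuthenticator()
	bank := NewRelyingParty("bank.example") // constructed sample site name
	pub, _ := device.Register(bank.ID)
	bank.Enroll("alice", pub)

	challenge, _ := bank.BeginLogin("alice")
	sig, _ := device.Sign(bank.ID, challenge)
	fmt.Println("genuine login accepted:", bank.FinishLogin("alice", sig))
	fmt.Println("replayed signature accepted:", bank.FinishLogin("alice", sig))

	// A look-alike site relays the bank's challenge: the device has no passkey
	// for it, and even if it did, the signature would cover the wrong rpID.
	challenge, _ = bank.BeginLogin("alice")
	_, err := device.Sign("bank-example.test", challenge)
	fmt.Println("look-alike site signing error:", err)
}
```

Two properties the article's bullet list relies on are visible in the code: the website's stored data is a public key only, and each challenge is random and deleted after one use, so a captured answer cannot be replayed.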

They're very fast, secure and easy

All of this happens in an instant, and you just need to trust your own computer to do it. You touched a fingerprint sensor, or looked at a 3D scanner to tell your computer to complete the transaction.

There are so many benefits here:

  • The thing you shared, the public key, is much safer to lose. If your bank, or the website you bought cheap sponges from, is compromised, fraudsters have access to something useless to them.
  • The private key, the powerful bit, is both kept by you and never shared, and is impossibly long (not 8-12 digits)
  • You're not trusting strangers and disgruntled employees with your safety and security.
  • The bit doing the work is safe in your house or in your hand. And every time you upgrade it, it gets safer.
  • Your computer can invent an endless stream of public and private keys, as many as it needs. You never need to worry about it.

You'll need a modern, secure computer or phone for it to work

Of course, for all of this to work, you will need a computer or phone that is relatively modern and that you can trust. In practice, that just means having a modern iPhone, Pixel or similar, or a computer with Windows Hello, Apple Touch ID, or other biometrics. It can work with a PIN or local password, but make sure that PIN or local password is long, random and known by ONLY you.

If you like jailbreaking/sideloading your phone, this is one reason to be very careful with what software or other changes you make. Devices ideally have physical encryption and identification systems that are very hard to compromise, and that you or others can't undermine - as your device is now the custodian of your identity.

You can start by trusting your password manager, it's probably built-in

We've covered the pros, but there are some downsides. Your identity is stronger, but you now have to own it rather than remember it. It needs to be kept safely.

If you are already using a password manager (which you are, because it's 2023 and you have already been a fraud victim, you just didn't know it) then all of this will be easy. It will most likely already have the features within it, and you'll start to be prompted as you visit various sites in a subtly different way.

If you don't have one, you'll need one, or to enable one. Apple, Microsoft and Google software and hardware all have them built in now, since about 2018. There's other options too - which we'll come to.

Do not share your password - only you should be able to grant access to your identity and Passkeys

You now need one password - the one to your device, security key or collection of Passkeys. Do not share it with anyone: family, authorities or nice old ladies who offer you chocolate. If people need access, log them in, share a guest account, or use the features provided to grant other people access using appropriate sharing tools. Just not by sharing your identity. There are so many reasons for this: donotshareyourpassword.

Ideally, you'll further secure your devices, for example by requiring first logins on new devices with your password to be authorised from previously confirmed devices (yes, that's why you're asked to do that on your iPhone). You'll also need a way to get back in if you forget your password - either by securely backing up the data, or by keeping a Recovery Key in your safe.

It only works if your devices can share those private keys between themselves

The problem is that this collection of data, and the computer-based safe it's kept in, now needs to be both wherever you are when you want to sign in, and transported between devices when you retire old ones, buy new ones, or are away from your desk and using your phone.

To use multiple devices, you'll need synchronisation or portability

So now you'll need a good way to synchronise data between active devices. Again, your password manager probably has this built in, and the right choice will come down to the collection of devices and browsers that you want to use.

This is a little harder when you move between ecosystems. The other way is to use Cross Device Authentication. Basically, you'd use your iPhone or Android phone to help you sign in at the computer you're using, or on a guest device.

To add new devices, you may need to synchronise, you may need to migrate, or use a security key

When you have a suite of products from one manufacturer, or compatible manufacturers (i.e. not Windows), adding a new one will be as easy as synchronising it, testing that it works, and then securely deleting the data off the old one.

If you don't want to use Apple/Android synchronisation, or you use Windows, you may prefer to use a third-party app or a Security Key (a special USB stick). The same applies if you want to move from one ecosystem to a new one.

Third-party options and security keys are preferable when portability matters more to you: offerings from independent companies integrate with all browsers, phones and computers, and give you a little less performance and a little less security, but much more portability.

You'll have to decide which is right for you. It won't be a big deal for most people - sign up on what you're used to, and let your new phone/computer do the work.

If you switch to a whole new ecosystem, and weren't using an independent password manager, you'll probably have to enroll them one-by-one before letting go of your old device.

What should I do then?

First of all, adopt them in a progressive way

Let the ecosystem evolve and go with it, don't switch to Passkey-only authentication until you're happy you know how they work and how to back them up. For this reason, most websites will still offer passwords for some time, even as a backup to a Passkey.

Apple users should use iCloud Keychain

It works in Safari and apps on your Apple devices, and securely synchronises between your devices for you. It also works in browsers on Windows by adding an extension from Apple to Edge or Chrome, or installing iCloud, and/or cross-authenticating from your iPhone. Here's a guide to get you going.

Apple's system doesn't allow Apple to access this data. Make sure you set up a recovery key, because you will not be able to access the Passkeys (or actually any other information you stored on iCloud) if you forget your password.

You will be able to sign into websites on Windows & Ubuntu, using Cross Device Authentication from your iPhone.

Google Chrome users have many options

Google Chrome (and the underpinning Chromium browser) supports Passkeys, and will store them in Keychain (macOS, iOS, iPadOS), Windows Hello (Windows) or in Android 9.0 or above (mobiles). You can also store them on an external Security Key, which is portable and secure, but not backed up by default.

Keys stored by Chrome, however, are not shared or shareable outside of Chrome.

Android users should probably use Android (unless they have a Mac)

If you use an Android phone and prefer it to be the guardian of your keys, it can act as an authenticator for Chrome and Edge clients on macOS, Windows, and Ubuntu.

Microsoft Windows users should use their phone or security key

Windows allows you to store Passkeys on your device, or on a Security Key. They cannot be synchronised (yet; it is reportedly coming this year). If you want to synchronise your Passkeys, use one of the third-party systems available below.

Microsoft Edge does not allow stored keys to be used outside of Edge. You can, however, sign into websites and apps on your Windows computer / Edge browser on all platforms from an Apple or Android phone.

Ubuntu users should use their phone or security key

Ubuntu users can install Edge or Chrome, and benefit from their Cross Device Authentication from iPhones and Android. Other browsers support security keys. And of course, it's Linux, there's a thousand ways to "technically make it work". Those people aren't reading this article, and will be able to make that happen in a way that suits them.

Firefox isn't really ready

Passkeys are not currently supported in Firefox: although the basic protocol is supported, Firefox has no way to store keys securely (yet).

Great third-party options

There are some great options for stepping outside your ecosystem and benefiting from cross-device, cross-browser functionality. They vary in quality, features and frustrations, so read up on them before getting started. A few well-known ones are 1Password, LastPass, Dashlane, Passbolt, and Bitwarden.

Resources

Below are links to useful articles, tools and guides, so you can read further.

  • The Dark Side of Passkeys: Critical Notes on FIDO2 Passwordless Authentication
  • Passkeys (Passkey Authentication)
  • Passkey Developer Resources
  • What Is a Passkey, and Should You Use Them?
  • 1Password - Password Manager for Families, Businesses, Teams
  • #1 Password Manager & Vault App with Single-Sign On & MFA Solutions - LastPass
  • Password Manager for Home, Mobile and Business | Dashlane
  • Passbolt | The open source password manager for teams
  • Bitwarden Open Source Password Manager | Bitwarden
  • Create a passkey for passwordless logins