This story is part of, CNET’s collection of news, tips and advice around Apple’s most popular product.
Apple’s new iPhone 14 models come with technology called passkeys designed to be as easy to use as passwords but much more secure. They work on all iPhones with iOS 16, but Google is building passkeys into Android and Chrome, too.
Why it matters
Passwords have long been plagued with problems, but starting with iPhones, tech giants have cooperated to design a practical alternative that reduces vulnerabilities and hacking risks.
Passkeys will arrive on Macs with MacOS Ventura later in 2022, but support on websites and apps will be more gradual.
Withand now available, you can try out a new login technology called passkeys. High-powered allies including Google and Microsoft argue that passkeys are more secure than passwords at guarding access to websites, email and other online services, but still easy enough to use that they’ll become mainstream.
coming to Google’s Android and to its Chrome web browser later this year, too.at its Worldwide Developers Conference in June. After their debut in , they’ll arrive on this fall. They’re
Passkeys replace the riot of keystrokes needed for passwords with a biometric check on our phones or computers. They also stop phishing attacks and banish the complications of two-factor authentication, like SMS codes, that are tied to the password system’s weaknesses.
Once you set up a passkey for a site or app, it’s stored on the phone or personal computer you used to set it up. Services like Apple’s iCloud Keychain or Google’s Chrome password manager can synchronize passkeys across your devices. Dozens of tech companies developed the open standards behind passkeys in a group called the FIDO Alliance, which announced passkeys in May.
“Now is the time to adopt them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. “With passkeys, not only is the user experience better than with passwords, but entire categories of security — like weak and reused credentials, credential leaks, and phishing — are just not possible anymore.”
You’ll have to spend a little time on the learning curve before passkeys meet their potential. You’ll also have to decide whether Apple, Microsoft or Google is the best option for you.
Here’s a look at the technology.
What’s a passkey?
It’s a new type of login credential consisting of a little bit of digital data your PC or phone uses when logging onto a server. You approve each use of that data with an authentication step, such as fingerprint check, face recognition, a PIN code or the login swipe pattern familiar to Android phone owners.
Here’s the catch: You’ll have to have your phone or computer with you to use passkeys. You can’t log onto a passkey-secured account from a friend’s computer without a device of your own.
Passkeys are synchronized and backed up. If you get a new Android phone or iPhone, Google and Apple can restore your passkeys. With end-to-end encryption, Google and Apple can’t see or alter the passkeys. Apple has designed its system to keep passkeys secure even if an attacker or Apple employee compromises your iCloud account.
How does setting up a passkey work?
It’s pretty simple. Use your fingerprint, face or another mechanism to authenticate a passkey when a website or app prompts you to set one up. That’s it.
How do I use a passkey to log in?
When using a phone, a passkey authentication option will appear when you try to log on to an app. Tap that option, use the authentication technique you’ve chosen, and you’re in.
For websites, you should see a passkey option by the username field. After that, the process is the same.
Once you have a passkey on your phone, you can use it to facilitate a login on another nearby device, like your laptop. Once you’re logged in, that website can offer to create a new passkey linked to the new device.
What if I need to log in to a website while using someone else’s computer?
You can use a passkey stored on your phone to log onto another nearby device, like a laptop you’re borrowing. The login screen on the borrowed laptop will have an option to present a QR code you can scan with your phone. You’ll use Bluetooth to ensure your phone and the computer are close by, then let you use a fingerprint or face ID check on your own phone. Your phone then will communicate with the computer over a secure connection to complete the authentication process.
Why are passkeys more secure than passwords?
Passkeys employ a time-tested security foundation called public key cryptography for login operation. That’s the same technology that protects your credit card number when you type it into a website. The beauty of the system is that a website only has to base its passkey record on your public key, data that’s designed to be openly visible. The private key used to set up a passkey is stored only on your own device. There’s no database of password data that a hacker can steal.
Another big benefit is that passkeys block phishing attempts. “Passkeys are intrinsically linked to the website or app they were set up for, so users can never be tricked into using their passkey on the wrong website,” Ricky Mondello, who oversees authentication technology at Apple, said in a WWDC video.
Using passkeys requires that you have your device handy and be able to unlock it, a combination that offers the protection of two-factor authentication but with less bother than SMS codes. And with passkeys, nobody can snoop over your shoulder to watch you type your password.
When will I see passkeys?
Passkeys have begun emerging this year.
Passkeys are in iOS 16 now and will arrive in Google will bring passkey support to Android software by the end of 2022 for developer testing, Google authentication leader Mark Risher said in May. Passkey support should arrive in Chrome and Chrome OS at the same time. Microsoft plans support in Windows in 2022.and when Apple releases that software later this fall.
That’s just enabling technology, though. Websites and apps also must be updated to support passkeys. Some developers will be eager to take advantage of the security benefits, but many will move more slowly. Even if passkeys catch on fast, don’t expect passwords to disappear.
Will websites and apps require me to use passkeys?
It’s unlikely you’ll be forced to use passkeys while the technology is new and unfamiliar. Websites and apps you already use will likely add passkey support alongside existing password methods.
When you sign up for a new service, passkeys may be presented as the preferred option. Eventually, they may become the only option.
Will passkeys lock me into Apple or Google ecosystems?
Not exactly. Although passkeys are anchored to one company’s technology suite, you’ll be able to bridge out of, say, Apple’s world to use passkeys with Microsoft’s or Google’s.
“Users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device,” Vasu Jakkal, a Microsoft leader of security and identity technology, said in a May blog post.
Passkey advocates also are working on technology to let people migrate their passkeys from one tech domain to another, Apple and Google said.
How are password managers involved with passkeys?
Password managers play an increasingly important role in generating, storing and synchronizing passwords. But passkeys will likely be anchored to your phone or personal computer, not your password manager, at least in the eyes of tech giants like Google and Apple.
That could change, though.
“We expect a natural evolution to an architecture that allows third-party passkey managers to plug in, and for portability among ecosystems,” Google’s Risher said.
He anticipates that passkeys will evolve to lower barriers between ecosystems and to accommodate third-party passkey managers. “This has been a discussion point since early in this industry push.”
Indeed, password manager Dashlane is testing passkey support and plans to release it broadly in coming weeks. “Users can store their passkeys for multiple sites and benefit from the same convenience and security they already have with their passwords,” the company said in an Aug. 31 blog post.