From The Wall Street Journal: Google and Apple Want You to Log In With Passkeys. Here’s What That Means.

Nov 1, 2023
By Nicole Nguyen
October 23, 2023

The biggest tech companies want you to ditch passwords for passkeys. You’re probably wondering: What even is a passkey? And do I have to use it?

It’s a new type of login that uses cryptographic magic on your phone or laptop. Passkeys are safer than typing “password123,” and more convenient, since all you do is scan your face or fingerprint, or click a button. After decades of basic passwords, this may sound intimidating, but the passkey era has arrived. More and more sites and apps will start pushing you to set them up.

Earlier this month, Google started to make passkey logins default. You may have already seen a prompt to “Create a passkey” after signing in to Gmail or YouTube. (If not, you soon will.) On Apple devices, if you’re running the latest software, you’ll see a new passkey option for logging into websites with your Apple ID. This past week, Amazon quietly enabled a passkey option for web logins.

What’s great is that third-party password managers from Dashlane, 1Password and others now support passkeys on mobile devices as well as desktop browsers. I’ve long encouraged people to use these managers, and have myself for over a decade.

The new passkey availability and compatibility mean it’s a good time to set up a few. Passwords—and all their failings—will be here for a while, but the long-term goal is to eliminate them in favor of more secure logins.

What is a passkey?

Using a passkey is like unlocking a door. There’s a bit of software code that lives on your device (the key), and another bit of code provided by the website (the keyhole). Each website has a keyhole that only your passkey can unlock.

Passkeys are easier to use because:

  • You don’t have to remember or type in complicated passwords.
  • Passkeys can replace passwords and two-factor authentication codes that often come via text as 6-digit numbers.

Many people reuse passwords with multiple sites. Businesses hate this. Genetic-testing company 23andMe said hackers stole customer data by trying usernames and passwords from compromised websites. It’s human nature to keep logins simple and memorable, especially when you have to type them in all the time.

The passkey approach doesn’t play into this weakness:

  • Each passkey is unique. There’s no risk of reuse.
  • Passkeys won’t fall for fake websites designed to trick us.
  • Hackers can’t steal them from company servers—they’d need access to your personal device.

Passkeys are designed to automatically sync everywhere your password manager is installed (though in some instances, you need a separate passkey for each device). It’s good to make sure you can access your passkeys from several devices (phone, laptop, tablet, etc.) in case you lose one.
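
The three properties listed above (a unique key per site, nothing released to a lookalike site, nothing reusable on the company's server) can be seen in a simplified sign-in exchange. This is an added example, not part of the original article or any vendor's code; `Authenticator`, `verifyLogin` and the `example` origins are hypothetical, and real passkey logins (WebAuthn) carry more fields than shown.

```javascript
// Added illustration, not from the article. Authenticator, verifyLogin and the
// example.* origins are hypothetical; real WebAuthn carries more fields.
const crypto = require('node:crypto');

class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, kept on the device
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    // Only the public half (the "keyhole") is handed to the website.
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // The browser supplies the origin it is actually talking to.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this origin, so nothing is released
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), key);
    return { clientData, signature };
  }
}

// Website side: check origin, freshness of the challenge, then the signature.
function verifyLogin(publicKeyPem, expectedOrigin, issuedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== issuedChallenge) return false;
  return crypto.verify('sha256', Buffer.from(assertion.clientData),
                       publicKeyPem, assertion.signature);
}

function demo() {
  const device = new Authenticator();
  const site = 'https://shop.example';
  const sitePub = device.register(site);
  const otherPub = device.register('https://mail.example');
  const challenge = crypto.randomBytes(16).toString('hex');
  const good = device.sign(site, challenge);
  // Someone holding only the site's stored public key signs with their own key.
  const outsider = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const forged = { clientData: good.clientData,
    signature: crypto.sign('sha256', Buffer.from(good.clientData), outsider) };
  return {
    uniquePerSite: sitePub !== otherPub,
    genuineLogin: verifyLogin(sitePub, site, challenge, good),
    lookalikeGetsNothing: device.sign('https://shop-example.test', challenge) === null,
    oldResponseReused: verifyLogin(sitePub, site, crypto.randomBytes(16).toString('hex'), good),
    signedWithoutDeviceKey: verifyLogin(sitePub, site, challenge, forged),
  };
}
console.log(demo());
```

Only `genuineLogin` succeeds: a response captured earlier fails against a fresh challenge, and a signature made without the device's private key fails against the stored public key.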

Passkeys and password managers

Passkeys have to be stored in password managers.

You can set up passkeys using your device’s built-in iCloud Keychain or Google Password Manager for Android. However, we don’t recommend those because they can be an access point for criminals who steal your phone and your phone’s passcode.

The safer bet is a third-party password manager like 1Password and Dashlane. Make sure it’s set as your default for auto-filling passwords on your laptop and iOS or Android device. Just remember, if you later decide to get a third-party password manager, you’ll have to create new passkeys.

Setting up in Google

If Google didn’t prompt you to create a passkey already, go to your account security settings in a web browser. In a Google app, tap your profile picture, then “Manage your account,” then Security.

In the “How you sign in to Google” section, tap Passkeys, then “Create a passkey.” A pop-up from your password manager will ask you to confirm.

Next time you sign in with a Google account on that device, your password manager should prompt you to use that passkey. If you see a password field, click “Try another way” to use your passkey.

You will need to go through this passkey setup on each device you use. The upside: Once each device is covered, signing in will be a breeze.

To sign in to your Google account on a device you don’t own, enter your username then click “Use another phone or tablet” when prompted. A QR code should pop up. Scan that with your phone and your password manager should do the rest.

Passkeys on other platforms

You can sign up for passkeys on other services, including DocuSign, GitHub and Uber. You might encounter some quirks. For instance, I couldn’t get Uber passkeys to work in the app but they did work on the website. 1Password has a list of other passkey-eligible services.

Amazon’s passkeys only work on its websites for now—not on its shopping or streaming apps. To set one up, go to your account settings, then Login & security. Where you see Passkey, click Edit. Tap “Add a passkey.” Once set up, you can sign in with a passkey. If you have two-factor authentication turned on, Amazon may still ask you for a code.

Passkeys for Apple IDs are automatically set up. As long as you’re running iOS 17, iPadOS 17 and macOS Sonoma, just click the “Sign In with iPhone” option instead of entering your password on Apple sites such as icloud.com. Just be aware that Apple ID passkeys can’t be saved in third-party password managers. If Face ID fails on your phone, the site will ask for your device passcode.

Don’t forget about your passwords

“The Achilles’ heel of current passwordless technology is that many services still rely on traditional passwords,” warned Trevor Hilligoss, director of security research at cybercrime analytics firm SpyCloud.

Even if you have passkeys set up, your old passwords can still open your services’ front doors. If you have passwords that are short, easily guessed or reused, hackers could exploit them.

Until passkeys completely take over, make sure your passwords are long, complicated and, of course, unique to each and every app, site and service.

This article was originally published in The Wall Street Journal on October 21, 2023, and written by Nicole Nguyen. Photo: iStock image

  1. https://www.wsj.com/tech/personal-tech/google-and-apple-want-you-to-log-in-with-passkeys-heres-what-that-means-907532aa
