I no longer need a password to sign into Google. From now on, it’s “Adios, passwords…Hello, passkeys!”
This new form of login is like a digital lock and key. Each website has a keyhole that only your passkey—an encrypted bit of software code that lives in a password manager—can unlock. If the key fits the lock, you’re in.
And since the key only lives on your device (a phone or laptop, for instance), it’s safer to use than a password. It’s also easier, because you don’t have to remember anything and it replaces those pesky two-factor authentication codes we all now need on our most important accounts.
You can’t use a passkey to log into a phishing website designed to trick you. You can’t blurt it out or share it online, and to work, it requires your physical presence.
That’s why more services are offering passkeys in lieu of passwords, including Google, which announced passkey support for billions of its users earlier this month.
Though it’s still early days, Google’s entry means the time is right to start talking about passkeys. The goal is for them to work seamlessly, as passwords do, in apps and third-party password managers. We’re not there yet, but here’s what you should know to get started.
Why do away with passwords?
Passwords are the weak link in the security system protecting you from hackers.
We tend to reuse the same passwords on different websites, so when one site is hacked, multiple accounts are vulnerable. We can fall for phishing scams and mistakenly give up our passwords. And sometimes, we just pick easily guessable ones, like 123456.
Services that are already pushing passkey logins will continue accepting passwords for the foreseeable future. But as you start using passkeys more, you’ll reduce the vulnerability that passwords carry.
How do you use passkeys?
To try out a passkey before messing with your most important accounts, go to WebAuthn.io, a site designed by the Cisco Systems-owned authentication app Duo to demonstrate passkeys in action.
Enter any username, and click Register. (Don’t worry, you don’t give it any real credentials.) You’ll see a pop-up asking if you want to save a passkey. Click Continue. To use the passkey, click Authenticate, then tap Continue. You may need to scan your fingerprint or face. It’s safe because this biometric authentication happens on your device—your data isn’t sent to a server. That’s it.
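What a site checks on the response when you click Authenticate, and why a response produced on a look-alike site is refused. This is an added example, not code from the article or from WebAuthn.io; the domains and helper names are constructed, and the signature check against the stored public key is a separate step left out here because it needs a crypto library.

```python
import base64, hashlib, json, os

RP_ID = "example.test"            # assumed relying-party ID (constructed)
ORIGIN = "https://example.test"   # the only origin this site accepts
UP, UV = 0x01, 0x04               # flag bits: user present / user verified

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> str:
    """Return "ok" or the reason the sign-in is refused."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"        # stale or replayed response
    if client.get("origin") != ORIGIN:
        return "origin mismatch"           # browser recorded a different site
    if len(auth_data) < 37:                # 32 hash + 1 flags + 4 counter
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"         # key was scoped to another domain
    if not auth_data[32] & UP:
        return "user not present"          # nobody touched the device
    return "ok"

def sample_assertion(origin, rp_id, challenge, flags=UP | UV):
    """Constructed stand-in for what the browser and authenticator send back."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client, auth

def demo() -> dict:
    ch = os.urandom(32)  # fresh random challenge the site issues per sign-in
    return {
        "genuine": check_assertion(*sample_assertion(ORIGIN, RP_ID, ch), ch),
        "look-alike origin": check_assertion(*sample_assertion("https://examp1e.test", RP_ID, ch), ch),
        "look-alike rp id": check_assertion(*sample_assertion(ORIGIN, "examp1e.test", ch), ch),
        "old challenge": check_assertion(*sample_assertion(ORIGIN, RP_ID, os.urandom(32)), ch),
        "no user gesture": check_assertion(*sample_assertion(ORIGIN, RP_ID, ch, flags=0), ch),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The browser, not the page, writes the origin into the signed data, so a look-alike site cannot relabel a response as coming from the real one.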
Passkeys already work with the password managers built into Apple and Android mobile devices, as well as Google Chrome and Safari desktop web browsers. If you use an iPhone and the Safari browser, that password manager is iCloud Keychain. If you use Android or Chrome (including Chromebooks), that’s Google Password Manager.
You can’t “forget” a passkey, like you can a password. But you can lose a device. That’s why passkeys can be synced to other devices where you’re logged into your Google or Apple account. And if a device is lost or stolen, make an attempt to wipe it remotely.
Using an iCloud-stored passkey in a Chrome or Microsoft Edge browser requires extra steps: You choose the option to log in using another device, then scan a QR code with your iPhone’s camera.
What about third-party password managers?
I’ve long recommended third-party password managers such as 1Password and Dashlane over free and simple built-in options, because they work across more apps and devices.
Plus, my colleague Joanna Stern and I have reported on thieves who steal users’ iPhones along with their device passcodes. If both are stolen, thieves can use the passcode to expose your passkeys in iCloud Keychain (for iPhones) or Google Password Manager (for Android). Third-party managers can’t be unlocked with the phone’s passcode.
Dashlane supports passkeys, and 1Password is launching support June 6. But the experience isn’t ready yet. Right now, they work on desktop, but not mobile. The Android 14 operating system, out this fall, will allow third-party managers to log in with passkeys. Apple doesn’t allow that on iOS devices, but that could change with iOS 17.
Where can you use passkeys?
For sites and apps run by financial institutions and other slower-moving, ultracareful services, the shift will take more time, said Andrew Shikiar. He’s executive director of the FIDO Alliance, which creates the standards for online authentication technology such as passkeys.
But there are already dozens of services where you can use passkeys to sign in. 1Password’s Passkeys.directory site keeps track of the latest.
• Google: Go to g.co/passkeys and sign in to your Google account. Press “Use passkeys” to activate it. (Google Workspace corporate accounts don’t have passkeys turned on yet.) Next time you go to Google’s sign-in page, enter your username. When you see a prompt to “Use your passkey,” click Continue.
• Kayak: You can set up passkeys in the Android or iOS app, as well as Chrome or Safari on the web. Go to Account settings, then click “Set up passkey.”
• eBay: You can sign in to the website on desktop or mobile with a passkey. (It’s not yet available on the eBay app.) You’ll see a “Tired of passwords?” prompt, then click “Turn on” to create one. You can also go to Account settings, then “Sign in and security.” Next to “Face/fingerprint/PIN sign in,” tap “Turn on.”
• Microsoft: You can use passkeys in Chrome or Edge browsers. Sign in to Microsoft.com or Outlook.com, then go to Security settings. Click “Add a new way to sign in,” then select “Use your Windows PC”—even if you’re using Chrome or Edge on a Mac—to set up a passkey. To use it, click “Sign in with Windows Hello” on the login page.
On Facebook and Dropbox, you still need to use a password, but you can use a passkey (or a physical security key) instead of fumbling with a two-factor authentication code. In the apps’ security settings, click “Add a security key.”
This article was originally published in The Wall Street Journal on May 15, 2023, and written by Nicole Nguyen. Image courtesy of Nicole Nguyen/WSJ.