Member
For those who hate repeatedly entering usernames and passwords, some of the biggest online companies are pushing an alternative: passkeys. Passkeys work by using a pair of unique mathematical values—a private key securely stored on the device you are using and a public key on the website or app you are connecting to. The site or app can determine whether you have the right private key, and if so, log you in. You authorize this exchange by entering a master password or PIN or by using your face or a fingerprint scan.

Passkeys can eliminate the hassle of creating and keeping track of several complex passwords. But passkeys themselves present new hassles, including syncing private keys across platforms, such as an Android phone, an iPad and a PC. And passkeys can confuse users still trying to understand two-factor authentication, sign-ins with Google, Apple and Facebook, and other login methods. What follows are important questions users of passkeys might have:

Will my passkey work across platforms?

Passkeys are at their most convenient when used within a single company’s family of products and systems. Apple’s iCloud Keychain, for example, synchronizes passkeys on Macs, iPhones, iPads, Apple TV and Vision Pro headsets. It also works with Safari and most other browsers running on Apple’s computers and mobile devices. But there are no apps for syncing iCloud passkeys with Android- or Windows-based devices. Leading password manager apps, which store and autofill usernames and passwords for use on the web, have made passkeys a part of their repertoire. Alphabet’s Google, for its part, has made Google Password Manager the default app for easily accessing sites and apps on Android phones, tablets and smartwatches, and on Chromebooks, as well as in Chrome browsers running on both Windows PCs and Macs. It can also be set as the default for all apps on Apple’s mobile devices (Go to Settings > General > AutoFill & Passwords and select Chrome), but so far, not on Apple computers. A third-party password manager can help bridge compatibility issues for passkeys when straddling competing operating systems. Bitwarden, 1Password and Dashlane, for instance, operate on Android and Apple mobile devices and Macs. On Windows 11, you may use them in a browser or interact with them through an app called Hello. (Windows does not have a built-in passkey app.) Some password managers sell subscriptions, such as $35.88 a year for 1Password and $59.99 for Dashlane. Bitwarden’s free version supports passkeys.

Am I forever locked into a passkey manager?

Currently you can’t transfer passkeys across password manager apps. That means if you add an Android phone to your collection of Apple gadgets, for instance, you can’t move passkeys from iCloud Keychain to Google Password Manager. Password managers can typically transfer usernames and passwords, but not the passkeys themselves. The FIDO Alliance, the industry consortium for passkey technology, is developing an interoperable standard called Credential Exchange for secure, encrypted transfers of passwords, passkeys, and other info among manager apps. Apple will debut the tech in its new operating systems, expected in September, enabling its own and other password managers.

Do I have to install or update software to use passkeys?

Using passkeys with Google Password Manager requires at least Android 9; Apple’s Passwords app requires iOS or iPadOS 16 or macOS 13 Ventura. Using third-party password managers like 1Password requires Android 14, iOS or iPadOS 17, macOS 12 Monterey or Windows 11. You should install all OS updates and upgrade your web browsers for best results.

How do I set up a passkey on a site or app?

On sites or apps that let you use a passkey and that present that option up front, you will simply click through the screens provided. For other sites and apps, you might have to dig into the account security settings to initiate the process. Before you do, check listings of passkey-supporting sites maintained by 1Password, Bitwarden, Dashlane and the FIDO Alliance.

Can I have multiple passkeys for one account?

You typically can, and doing so might get you around the rival operating-systems issue. If you have a Mac and an Android phone, for example, the passkey for the Mac could be stored in Apple Passwords, while the phone can have a second passkey in Google Password Manager. Major U.S. sites and apps supporting multiple passkeys include Amazon.com, eBay, Google, LinkedIn, Microsoft, Walmart, X, Yahoo and YouTube (through Google). Facebook is still rolling out passkeys for its site and says it plans to allow only one per account.

Can I share passkeys with family, friends or colleagues?

People who use iCloud Keychain and are in each other’s contacts can AirDrop—or transfer wirelessly—passkeys, or set up a group for sharing in the Apple Passwords app. Users of Bitwarden and 1Password can also share passkeys. As for Google, “We don’t support passkey sharing at the moment,” says Chirag Desai, senior product manager for Chrome.

What if I set up my passkeys on a device like my phone and then lose it?

Take the same precautions as for other sensitive data. First, sync your passkeys with the respective online service (Bitwarden, iCloud Keychain, etc.) so you have copies. To keep out snoops, lock the device with a long passcode (like six digits instead of four, or even a mix of letters and numbers). Perhaps set the phone to auto erase if the passcode is entered incorrectly a certain number of times. Also turn on tracking services and the ability to remotely wipe the device, available from Apple, Google and Microsoft.

What if I get locked out of my passkey manager?

This could happen if you forget or incorrectly record the all-important password that unlocks everything. Running it on multiple devices could help: It may still be open on one of them. Also enable biometrics such as your fingerprint or face as another way to log in. Apple and Google offer many ways to restore access to your account. Third-party apps may provide a long recovery code you enter to regain access. Keep it someplace safe. Funny as it may sound, Bitwarden’s Chief Customer Officer Gary Orenstein says that some users store the app’s password in a second password manager.

How many sites take passkeys?

Currently, not many. We found 329 listed, in total, by 1Password, Bitwarden, Dashlane and the FIDO Alliance. Thirty-one appear on a list of 100 most-visited U.S. sites, compiled by analytics firm Similarweb. These include Home Depot, TikTok, Best Buy, CVS, Target and Wells Fargo, in addition to those shown above. Amazon, for its part, makes passkeys an option for many of its services, including Amazon Shopping, Audible and Kindle mobile apps.

What is a passkey?

A passkey consists of two related values. A large, random number, called the private key, is generated and stored securely on your device. It is used to calculate a second value, called the public key, that is sent to (or “registered” with) the website or app. When you try to log in, the site or app sends a long, random string of data, unique to each attempt, that your device has to transform mathematically, using its private key. The answer is sent back to the site or app, which can determine if the answer and the public key in its possession were produced using the same private key, without needing (or being able) to know its exact value. If the math checks out, you are logged in. You may initiate both passkey creation and each login process using biometrics. For instance, it may require a face scan on your smartphone or a fingerprint reader on your computer or phone. Other times, you can provide a PIN or password similar to (or sometimes the same as) what you use to unlock your phone or computer. This helps ensure that only you can use your passkey to log in.

Sean Captain is a writer in New York. He can be reached at reports@wsj.com.

LINK https://www.wsj.com/tech/perso...0a?mod=hp_listc_pos1
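The registration and login exchange the article describes, written out as an added example (not code from the article or from any vendor) using Go's standard-library ECDSA: the site keeps only the public key and a one-time random challenge, the device signs that challenge bound to the site's origin, and the site verifies with the public key alone, then retires the challenge so the same answer cannot be replayed. The names Site, NewDevice, Register, Sign and Verify and the example.com origin are assumptions made for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Site is the relying party: per account it stores only a public key plus the one-time challenge it last issued.
type Site struct {
	origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewSite(origin string) *Site {
	return &Site{origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}
// NewDevice stands in for the authenticator: the private key is made here and never leaves it.
func NewDevice() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Register gives the site the public half only; nothing secret is transmitted.
func (s *Site) Register(user string, dev *ecdsa.PrivateKey) { s.pubKeys[user] = &dev.PublicKey }

// Challenge issues a fresh 32-byte random value for one login attempt.
func (s *Site) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// signedData binds the challenge to the origin the browser is actually on, so a signature made for a lookalike domain does not verify at the real site.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign is the device's answer, produced after the user unlocks the device.
func Sign(dev *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, signedData(origin, challenge))
}

// Verify checks the answer with the stored public key and the site's own origin.
func (s *Site) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	issued, has := s.pending[user]
	if !ok || !has || !bytes.Equal(issued, challenge) {
		return false
	}
	delete(s.pending, user) // consumed: the same answer is never accepted twice
	return ecdsa.VerifyASN1(pub, signedData(s.origin, challenge), sig)
}

func main() {
	site := NewSite("https://example.com")
	dev, _ := NewDevice()
	site.Register("alice", dev)
	c, _ := site.Challenge("alice")
	sig, _ := Sign(dev, site.origin, c)
	fmt.Println("login:", site.Verify("alice", c, sig), "replay:", site.Verify("alice", c, sig))
}
```

Because the public key is all the site holds, a breach of its user database gives an attacker nothing to log in with, and a signature captured in transit is useless against the next challenge.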
Don't Panic
I must be missing something fundamental, as this has always seemed iffy to me. To distill the idea down, as I understand it: a) for each passkey-aware software/site, you have a large, unique file created on your device that is needed to prove your identity to that particular software/site, b) the software/sites know how to look for that file on your device, and how to do the proof of that file's legitimacy accurately (the private key/public key stuff). Fine. I get all that. If that's all, though, what that would seem to prove is that whoever is making the request of the software/site has access to the device with that passkey file on it. I am fundamentally missing how this is better or more secure than having a unique, long, complex password for every site. (Which I do, using Dashlane to manage.) But, I may be misinformed, underinformed, or confused. So I'm interested in hearing what other folks understand/know.
Get my pies outta the oven!
Yes, I got an email from my HSA provider a couple weeks ago saying that passwords are going away and passkeys are coming.
Member
I don't understand this either and have been trying. The gist to me seems to be centralization which may not be a good thing if that one thing is hacked. Perhaps it's more difficult to hack but seems like hackers always find a way. So, they just need to break into one thing instead of many to access all your stuff. Hope this is not the gist. But if so, not sure I trust this to the cloud. That being said, it's become horrendous and untenable to manage all the passwords I have now.
"Wrong does not cease to be wrong because the majority share in it." L. Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
Void Where Prohibited
Sounds a lot like PGP, which has been used for encryption for at least twenty years. PGP is very secure, but you do have to deal with key rings and importing/exporting public keys.
"If Gun Control worked, Chicago would look like Mayberry, not Thunderdome" - Cam Edwards
Baroque Bloke
With a good PW Manager it isn’t hard. The PW Manager apps on my iPhone and MacBook sync. Change an entry in one device and it’s almost immediately changed on the other device too.
Serious about crackers.
Optimistic Cynic
Yes, key management is the Achilles heel of private/public key encryption. I use both PGP and S/MIME, both defined standards for e-mail. They support non-repudiation and private communication based on the fact that you have not disclosed your private key. Unfortunately, this is not guaranteed. Stories abound about how people have unwittingly disclosed, or had the storage on which they keep their key compromised. Most also have an expiration date incorporated so you have to renew them periodically. Because this expiration is years or longer, when it comes time to do so, you've probably forgotten how to do it. The keys are long enough that it is inconvenient to write them down on paper, but the space used to store them on media is trivial. Encrypted local storage (with a password or passphrase) is probably sufficient. Most software password vaults I have used have this capability. Additionally, keeping the database on an encrypted file system affords an additional level of protection.

I rarely have occasion to actually communicate using PGP (Pretty Good Privacy) or S/MIME (Secure/Multi-Media Mail Extension) since relatively few people have chosen to implement it. Until a critical mass develops, I doubt that this will change. So it remains the exclusive territory of the ultra-geeks among us (somehow we get little respect for this). I do digitally sign important messages; this proves that it was me who sent it, and by doing so, the recipient obtains a copy of my public key which enables them to reply securely (assuming they have installed the required software). PGP is somewhat easier to install and use than S/MIME. PGP and/or GPG (the GNU project implementing the protocol) is available as an add-on module for most popular mailers, OSes, and browsers. Once installed, it isn't that difficult to figure out. The OpenPGP project maintains a database of opt-in users and provides their public keys fully integrated with the software.

The technical details involve the mathematical difficulty of deriving the two large prime numbers used to generate the keys. However, as computers get faster, and techniques improve, this barrier is not going to last forever. It is already probably unsuitable for keeping secrets that must remain secret for long times (centuries and millennia). If anyone on SF wants to try this out, I am happy to act as a correspondent (e-mail in profile).
His Royal Hiney
That's my position. I'm paying for a password manager to keep my passwords complex. I'm with joel9507, I'm not convinced pass keys are more secure.
"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
Member
So, Not ! A Polish donut?
Safety, Situational Awareness and proficiency.
Neck Ties, Hats and ammo brass, Never, ever touch 'em w/o asking first
Member
The main advantage of a passkey vs a password is that it is a form of multi-factor authentication that you do not need to do anything for. In the simplest terms, multi-factor authentication (MFA) is something you know and something you have. Anyone with enough time can hack a username/password. With a passkey, even if they have your username and password, they still can't get in. It is more complicated, but this is the basic idea.
Baroque Bloke
Bogus. Not “anyone” regardless of how much time they have. Joe Biden, for instance. SOME people with enough time could. But with a long multi-character-set password generated by a good PW Manager “enough time” would be dozens of years, at least, with current technology. Probably much more if the target site requires a time interval between successive tries.
Serious about crackers.
Optimistic Cynic
I suspect he means those who are not mentally impaired. These people number in tens of millions at least. Don't forget, one only has to set up a computer, or computer farm, to do the breaking for you; you don't have to spend more time on it than that. Most brute force attacks begin by using a dictionary of common passwords (and the usual dictionary sources). Then these are combined and altered in various ways, like substituting 3 for E, zero for O, etc. I think you'd be surprised by how many people have very weak passwords that quickly fall to these techniques. Even back in the 90's, when I was doing a fair amount of penetration testing for a Govt. agency, I'd get maybe 30% of passwords on the first pass. "Pa55w0rd" anyone? The "science" has progressed markedly since then.

An unencrypted password store is poor practice at best, perhaps even foolish carelessness. Storing even decryptable passwords in a publicly-readable database has long been deprecated as well. Besides, there are many ways to snarf a password other than brute force guessing: simple shoulder surfing is still a productive technique; sniffing network traffic has pretty much been defeated by the ubiquity of SSL/TLS, but can still be useful; fake websites and malware embedded in apps are probably the most common methods these days. It's a lot easier than most people think. Security experts know this, and it is why 2FA is so widely promoted.
Baroque Bloke
^^^^^^^ I’ll stick with my previous comment: “But with a long multi-character-set password generated by a good PW Manager “enough time” would be dozens of years, at least, with current technology. Probably much more if the target site requires a time interval between successive tries.”
Serious about crackers.
Member
Passkeys are great. I don't care at that point about unique passwords, time to crack them and so on. And it handles MFA as part of the sign in, so no text messages or the like. There's nothing to compromise in the network traffic. If the site is hacked, there's no loss of passwords in the data dump. The public certificate associated with your username is just that... public. You can put it on a billboard if you want; it isn't useful without the private key in your passkey store. The passkey is protected by my fingerprint, so if you have my laptop and my finger... I don't really care if you use my Amazon account to order stainless steel taco holders.

Google, Amazon and others have it implemented already. The login page comes up, Apple presents me with the "Use fingerprint to enable passkey" window and it's done. There you are, built in multi-factor authentication (private key + fingerprint). The article does bring up the existing lack of standards for multi-platform synchronization. I know some password managers like 1Password also include passkeys, but I don't have experience with them and using passkeys. Years ago I knew people who had tiny USB Yubikeys with tiny fingerprint readers on their keychain to manage their passkeys. They were a bit more cutting edge since wide adoption wasn't around then. Passkeys can also be incorporated into SSH and other remote access protocols, so, that was neat.

Sure, you can manage 25 character complex pass phrases in a password manager and hope the other side hasn't already lost their user database, and wait for text messages to show with 6 numbers. Or, you can just use your finger.
-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
Baroque Bloke
^^^^^
BTW – the “other side” doesn’t store your password (if it’s a reputable site). Instead, they store an MD5 or SHAx hash of your password. The hash can be generated from the password, but the password can’t be generated from the hash. When you login, they generate a hash from the password that you’ve just provided, then compare that with the stored hash associated with your username. If they match, you’re in. Otherwise, not.
Serious about crackers.
Member
It will be interesting to see how public key cryptography fares over time as the field of computing advances. Regarding passwords, they won't be able to hold up over time, and at some point will need to be abandoned for more secure methods of authentication. I don't know how quantum computing fits into breaking cryptographic mathematics or if quantum computing will ever reach the point of practical viability at scale, but if it does and is able to defeat better cryptography schemes there's gonna be a lot of hurt to go around.
Lover of the US Constitution
Wile E. Coyote School of DIY Disaster
Member
I'm very familiar with the various schemes, good or bad (I've seen both). Even if you have a hash, you can throw computing power and time at it to get what you want. Rainbow tables were a shortcut for awhile. State sponsored orgs can throw a stack of GPUs at it. Non gov criminal organizations can slice it up across distributed botnets. Honestly, the sites that prompt "Use your Google login to sign in" are probably the smarter, because then they avoid the issue completely. Let someone else be the arbiter of identity, if you don't really care (like a news site, etc).
-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
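The hash-and-compare login check described by Baroque Bloke above, written out as an added example (not either poster's code) that also addresses the rainbow-table and GPU point in this post: each user gets a random salt, so a table precomputed for one salt is useless for another, and the hash is stretched with PBKDF2-HMAC-SHA256 (RFC 8018) so each guess costs the attacker many hash operations rather than one. Record, Store, Check and the 100,000 iteration count are assumptions for the demonstration; production systems should use a vetted library such as bcrypt, scrypt or Argon2 rather than this hand-written derivation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// pbkdf2Sha256 is PBKDF2-HMAC-SHA256 for a single 32-byte output block, written
// out so the stretching step is visible: U1 = HMAC(pw, salt||1), Uj = HMAC(pw, Uj-1),
// result = U1 xor U2 xor ... xor Uc.
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Record is what the site stores instead of the password itself.
type Record struct {
	Salt  []byte
	Iters int
	Hash  []byte
}

const iterations = 100000 // assumed work factor; tune to the server's budget

// Store derives a fresh random salt per user, so two users with the same
// password get different records and one precomputed table does not fit all.
func Store(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Iters: iterations, Hash: pbkdf2Sha256([]byte(password), salt, iterations)}, nil
}

// Check recomputes the hash from the supplied password and compares in
// constant time, so the comparison itself leaks nothing about the stored value.
func Check(rec Record, password string) bool {
	cand := pbkdf2Sha256([]byte(password), rec.Salt, rec.Iters)
	return subtle.ConstantTimeCompare(cand, rec.Hash) == 1
}

func main() {
	a, _ := Store("Pa55w0rd") // constructed sample, echoing the thread's example
	b, _ := Store("Pa55w0rd")
	fmt.Println("same password, different records:", hex.EncodeToString(a.Hash) != hex.EncodeToString(b.Hash))
	fmt.Println("correct:", Check(a, "Pa55w0rd"), "wrong:", Check(a, "Password"))
}
```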
Member
Michio Kaku predicts that whoever wins quantum computing wins the crypto race. Right or wrong, things constantly change. https://www.foxbusiness.com/video/6369111266112
-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
Just because something is legal to do doesn't mean it is the smart thing to do.
I am a computer user, not a geek. I have tried understanding this concept, even searched for more information but it didn't help me. I use 3 different laptops, 2 desktops, and 2 tablets in my home/out building. Different floors, rooms, etc. Would I be able to use the same passkey on these 7 devices or would each one be different?
Integrity is doing the right thing, even when nobody is looking.
Optimistic Cynic
The Achilles heel of a hash-based authentication store is that the challenge must be presented "in the clear" so there is an additional attack surface that has to be addressed. The main thing that it provides is some protection against the detrimental effects of disclosure of the hash file. Security is not simple; true multi-factor authentication (where what you have, what you know, and who you are are assured) is pretty much the best that we've been able to design, and even then, flawed implementations are common.