We know the problems with passwords: They’re easy for you to forget, and easy for hackers to guess or brute force or download from a public data leak. That’s why tech companies are rushing to replace them with something more secure, which in most cases means the biometric data that you use to unlock your phone.
While it’s not technically impossible for a determined third party to get around any security measure, you can’t mistakenly type your fingerprint into a spoof banking website, and you’re unlikely to find your face available to download on the dark web. The risk of being hacked goes down considerably.
There are several approaches to making systems passwordless, and in the latest iOS 16 and iOS 16.1 updates, a technology called passkeys has been added. These passkeys are cryptographic elements that involve a key pairing: One key is public, registered with the app or site you’re logging into, and the other key is private and stored on your devices.
This is by no means an approach that’s exclusive to Apple devices, and pretty much everyone is getting on board with passkey technology (or something like it). Google is at a slightly different stage in implementing these systems than Apple, although support is also required from apps and websites too.
This article will walk you through the new features available on iPhone, plus also explain what’s coming to Android phones.
Passkeys on iOS
When it comes to iOS, passkeys work through the iCloud Keychain, so you need to have this enabled on your iPhone (for syncing passwords and other data between devices). You also need to be using two-factor authentication for your Apple ID, which you absolutely should enable anyway if you haven’t already. With those steps completed, and the latest iOS software installed, you’re ready for passkeys.
To actually use passkeys, you need to be signing into (or creating a new account for) a service with passkey support. The choice is pretty limited for now, but apps including PayPal, eBay and travel app Kayak are already offering a passkey option — when you create new accounts or sign into existing accounts on an iPhone using these apps, you’ll be asked if you want to create a passkey.
All you need to do when the passkey prompt appears is tap Continue (the other option, Save on Another Device, is for when you’re using a public or shared device). You’ll be asked to provide Face ID or Touch ID confirmation, and once that’s done, you’re all set — your passkey is created. When you need to sign into this app in the future, you’ll need to confirm you want to use a passkey, then use your face or fingerprint again.
As iCloud Keychain handles the syncing of passkeys between different devices, you can get your credentials back if you lose access to one of them. There’s also a recovery process in place to help you get your information back should you lose access to all of your devices at the same time. In theory, at least, the new system should be both more convenient and more secure for end users.
Passkeys on Android
Over on Android, Google is slightly behind Apple with passkey support, but not by much. As on iOS, it’s going to be a while before all of your favourite apps, sites and digital services have been upgraded to work with passkeys, but Google says that both Android and the Chrome web browser are now compatible with the feature in beta form. By the end of 2022, it should arrive in the stable software most of us are using.
When it does get here, it’s going to work in the same way that it does on iOS. Load up a passkey-ready app or website, attempt to log in or create a new account, and you’ll see a prompt asking if you want to use a passkey. Say yes, confirm your identity using whatever tech your phone has to protect its lock screen (typically a fingerprint sensor if you’re on Android), and you’re good to go.
Signing in will work in a very similar way. You can also sign into apps and sites on other devices using passkeys and your Android phone: Those apps and sites will display a QR code, which you’ll then be able to scan on your smartphone. The same verification process is initiated, and when your phone has confirmed that you are who you say you are, that will be communicated back to the other device.
Google Password Manager is in the process of adding passkey support as well, which means your encrypted logins will be synced everywhere that your Google account is used. As is the case today, how often you need to verify your identity will depend on the app and site: Probably every time you open up your banking app, for example, but not so much when you’re just browsing through social media.