There’s a safer way to log in to apps and websites that removes the need to use passwords. It’s called a passkey, and companies such as Microsoft, Amazon, Apple and Google, among many others, have already adopted the new technology.
Unlike a password, a passkey relies on a string of encrypted data stored in your phone or laptop and verification from you, through a face scan, a fingerprint scan or a PIN code, to access a website or app. There’s no exchange of a password at all.
“A passkey is a FIDO credential stored on your computer or phone, and it is used to unlock your online accounts,” Google wrote in an October blog post, referring to the new standard developed by the Fast IDentity Online, or FIDO, Alliance. “It works using public key cryptography and proof that you own the credential is only shown to your online account when you unlock your phone.”
The move toward passkeys comes as our digital privacy gets harder to protect, particularly as people need to remember more and more passwords. A recent Pew Research survey showed that almost 70% of Americans are stressed about the number of passwords they need to remember.
Companies also have an incentive to adopt passkeys. When their customers fall victim to cyberattacks, companies can face expensive bills to clean up the mess, or sometimes millions of dollars in fines if customer data is affected. Passkeys can cut the odds of that happening.
“The main thing they’re about is preventing somebody over the internet from stealing your passwords through phishing,” Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, told CNBC.
Hoffman-Andrews said passkeys are better than passwords even if you use a password manager, which helps you keep track of all your logins, because those apps often let you copy/paste a password. “If a phisher can trick you into copy/pasting, game over. With the passkey, it won’t let you copy/paste it.”
Phishing is a fraud in which attackers try to trick people into giving out personal information, often through phone calls or emails, and then use that information to access an account.
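The public-key login and the phishing resistance described above, as a simplified model added here for illustration (it is not code from Google, the FIDO Alliance or any company named in this article, and it does not use the real FIDO message format): the device keeps a private key, the site keeps only the matching public key, and each login signs a fresh challenge tied to the site's address. The addresses and function names are assumptions made up for the example.

```javascript
// Added illustration: simplified passkey-style login, not the real FIDO wire format.
const nodeCrypto = require('node:crypto');

// Device: one key pair per site. The private key never leaves the device.
function createPasskey(origin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { origin, publicKey, privateKey };
}

// Message that gets signed: the site address plus the site's one-time challenge.
function loginMessage(origin, challenge) {
  return Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);
}

// Device: runs after the user unlocks it (face, fingerprint or PIN).
// It only answers for the address the passkey was created on.
function signLogin(passkey, challenge, browserOrigin) {
  if (browserOrigin !== passkey.origin) return null;
  const signature = nodeCrypto.sign(null, loginMessage(browserOrigin, challenge), passkey.privateKey);
  return { origin: browserOrigin, signature };
}

// Site: stores only the public key and checks the signature over its own challenge.
function verifyLogin(siteOrigin, publicKey, challenge, response) {
  if (!response || response.origin !== siteOrigin) return false;
  return nodeCrypto.verify(null, loginMessage(siteOrigin, challenge), publicKey, response.signature);
}

function demo() {
  const site = 'https://accounts.example';           // constructed address
  const lookalike = 'https://accounts-example.test'; // constructed phishing address
  const passkey = createPasskey(site);
  const stored = passkey.publicKey;                  // all the site keeps

  const challenge = nodeCrypto.randomBytes(32);
  const response = signLogin(passkey, challenge, site);
  const genuine = verifyLogin(site, stored, challenge, response);

  // Lookalike page: the device has no passkey for that address, so nothing is sent.
  const phished = signLogin(passkey, nodeCrypto.randomBytes(32), lookalike);

  // Captured response replayed later: the site has issued a new challenge by then.
  const replayed = verifyLogin(site, stored, nodeCrypto.randomBytes(32), response);
  return { genuine, phished, replayed };
}

console.log(demo());
```

Nothing the site stores or receives in this model can be typed into another page, which is the property the copy/paste comparison above turns on.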
“Password-based attacks are becoming easier and easier and more and more common,” said Steve Won, chief product officer at 1Password, which has adopted passkeys.
Bottom line: Passkeys are better than passwords at protecting your personal information.
I set up passkeys for myself on Google, Amazon and Apple in just a few steps, so I’ll show you how to do the same. Make sure you own the device on which you’re setting up a passkey. I created the passkeys using my iPhone, but you can do it from a computer or Android phone by following similar steps.
If you lose your device with your passkeys, you can still recover your account and, in many cases, delete the passkeys on the lost device. Here’s what you do:
- Follow the same steps to get back to the passkey section of your account for whatever website you want to remove them from.
- The sites have a prompt within the passkeys that you can press to delete them.
- Repeat the steps to make a new passkey on your new device.
Lots of other websites and apps support passkeys for logins too, including Microsoft, Uber, Nvidia, Nintendo and TikTok, so dig around and turn that option on if you want a safer alternative to using a password.