It’s not much of an insight to say that passwords are a security risk and that most of us use ones that are far too weak. While we tend to begrudgingly acknowledge that, actually putting things right – going through your accounts and changing every password to something unique and memorable – is both difficult and tedious. We’re using a lousy solution for a critical problem.
Recently, though, there have been rumblings of a better alternative, one that’s been sneaking quietly under the radar. If you watched Apple’s WWDC show last year, you’ll have seen Craig Federighi and friends talk about passkeys and how they’re a password replacement that is not only more secure, but easier to use too. But what exactly are passkeys and how do you use them?
To find out, we sat down with Jeff Shiner and Steve Won, 1Password’s CEO and Chief Product Officer, respectively, to hear how the popular password manager is implementing passkeys and why it thinks they’ll soon help you secure your logins without even having to think about it.
What are passkeys?
In layman’s terms, a passkey lets you log in without a password. That may sound insecure at first, but we’re not talking about simply leaving the front door unlocked. Rather, you use your own biometric information in place of a password. You know when you unlock your iPhone 14 Pro or confirm a purchase using Face ID or Touch ID? A passkey can harness that biometric security and convenience to log in to your apps and online accounts. By nature, passkeys are both quick and secure.
Instead of having to remember a complicated set of unique, hard-to-crack passwords for the hundreds of accounts you use, you just log in with your face or your fingerprint. Not only do you avoid the risk of reusing passwords for different websites, but only your own biometric data will be accepted for logging in. There’s nothing to phish and nothing to leak.
That could be a game-changer. As Shiner puts it, “One of the things that’s exciting for us is I think we’re going to start to see in 2023 passkeys really take off.” He continues, “I think when we look at it in terms of where passkeys are at, some of the releases that we’ve seen from other platforms, and obviously what we’re doing ourselves, 2023 is going to be a year where passkeys start to take off.”
1Password’s passkey beta
To make that happen, 1Password will start supporting passkeys in an open beta around the early summer, but we’ve had advance access for a couple of weeks.
1Password’s passkey beta is extremely easy to use – creating a passkey on a compatible website basically involves clicking “create passkey,” with no need to dream up a complicated password at any point. Then when you next go to sign in, you’ll be prompted for your biometric info and 1Password will fill in the passkey for you. It couldn’t be simpler.
At the time of writing, there are around 50 websites that support passkeys, including Google, eBay and Best Buy, and 1Password has created a handy website at passkeys.directory for you to see which sites are compatible. You can also upvote any sites that you want to see implement passkeys.
The process is so straightforward that it almost feels too simple, and that’s something 1Password is aware of. As Won says, “there’s still the human psychology of ‘man, that was a little too easy. Are you sure it’s secure?’” But 1Password has earned a trustworthy reputation, Won says, and that can help ease people into using passkeys. Besides, so many of us use Face ID or Touch ID every day knowing they’re safe, and that could help reduce the friction.
Removing the phishers’ reward
It’s easy enough to remember, say, five different passwords. But these days, we all have way more accounts than that. Won remembers that when he first started working for 1Password over a decade ago, he had just under 100 items saved in his password manager. “Now, if I open it up, I have like 890 items,” he says.
Remembering that many unique passwords simply isn’t feasible, so we cut corners and reuse passwords. But if one of the websites you use gets hacked and bad actors make off with your login details, and you’ve reused those details elsewhere, the hackers can suddenly get into every account where you’ve reused that password.
With a passkey, there’s no repeated password to be stolen. That’s important because, in the words of Shiner, “if we can remove the credentials with something like a passkey, then we remove the reward that the phishers are going after.” In other words, your risk drastically diminishes.
The Apple ‘bullhorn’
Both Shiner and Won seem confident that 2023 will see a breakthrough moment for passkeys, although it could take many years until they’re as widespread as passwords.
That breakthrough could arrive thanks in part to the public adoption of passkeys by industry titans with wide, loyal followings. Apple, Microsoft and Google have all either flirted with passkeys or fully implemented them, and Shiner says that if these big names act as a “bullhorn” to promote passkeys, they could become a part of everyday life for billions of users.
It’s no good having your passkeys work on your iPhone but not on your Windows PC, though. To make passkeys really work, they have to be interoperable and extendable. While insisting he has no secret knowledge, that’s something Won is hoping Apple will announce at WWDC this June. If it comes to pass, it might mean the feature opens up “step by step for third parties to push into.”
With WWDC 2023 rapidly approaching, the turning point could be almost upon us. With it, we may finally see the beginning of the end for vulnerable passwords. As Won puts it, passkeys could help us move past a world “where we increasingly put more sophisticated locks on our doors, but the bad actors are just breaking the window to get in.”