The big providers of online services are fed up with passwords. Microsoft, Apple, Google and Co. have joined forces and want a passwordless future. The so-called passkeys are supposed to make this possible. What is already happening and what is still to come? c’t 3003 took a closer look at the password successor.
Transcript of the video
(Note: This is bonus content for people who cannot or do not want to watch the video above. The video track information is not reflected in the transcript.)
Look here, this is me, coming up with a secure password. Well, there are also tools that do this for you and then save it, e.g. 1Password, Bitwarden, or the built-in keychain from your mobile phone provider. But there is something even better. Passkeys! In contrast to conventional passwords, passkeys are much more convenient and also more secure, because while normal passwords are hashed on the servers, to put it simply, with passkeys there are two crypto keys: one that only you have and one that the provider also has. This not only protects you against phishing, but also makes you safer in general. Even if the server is hacked, nobody can reconstruct the passwords. And that’s not some kind of new invention that might come in a few years; it’s already possible today, at Google, Microsoft or Adobe, for example. And a lot will happen in the coming months.
In principle, passkeys are virtual keys that are stored on your smartphone, your computer or a special USB stick. And then all you have to do is use your fingerprint or Face ID and you’re logged in. Best of all, you’ll never have to remember a password or fall for phishing websites again. How this works exactly and how you can use it directly, stay tuned!
Dear hackers, dear internet surfers, welcome here at…
So, the problem with passwords: they have been around longer than the Internet and are therefore not adapted to the reality of the Internet and cybercrime. The principle of using a username and a sequence of numbers, letters and special characters to identify oneself is not really secure. Because if someone has access to the provider’s servers or your password is somehow leaked, then criminals can do a lot of silly things with it. And that’s why two-factor authentication has been around for a long time. You know it from online banking, but Google, Apple and other large providers are now also basically forcing this on their users. This ensures that you need a second factor for the login in addition to your username and password. At Google, for example, this is solved by notifications via Google Play services on smartphones. With Apple you get a code on another Apple device with your Apple ID and have to click on “Confirm”. And even the supposedly old-fashioned SMS is definitely more secure than just logging in with your name and password.
You are even safer with passkeys. The technology behind them has been around for a long time. The authentication process is based on FIDO2, WebAuthn and CTAP2 and was developed by the FIDO Alliance. It has been around since 2012 and includes Apple, Google, Intel, Microsoft, PayPal and the BSI, the Federal Office for Information Security. So basically all the important players who somehow have something to do with cybersecurity in their products and therefore also have an interest in people being protected as well as possible.
However, the problem with the previous FIDO standards that have emerged from it is that they are simply too complex for most people. You have to buy extra hardware or, in most cases, create an extra key for each device. And you probably know best yourself: you already have enough to do explaining to most of the people around you why they need their own password for every service and why it shouldn’t be “my daughter’s name 123”. It’s clear that there won’t be any euphoria when you show up with such a small extra stick. But that could now change with passkeys, because in practice they can seriously compete with simple passwords in terms of convenience. That is because passkeys deviate from the strict security requirements of their predecessors: the crypto keys can be synchronized, or used on the PC from the smartphone via QR code and Bluetooth.
But what makes a passkey so different from a password? Well, it basically works like this: if you want to log in to a provider online and you select passkey, the web service gives your device a random data sequence, a so-called challenge. Your device then signs this challenge with the private key, which is only stored on your device, and then the web service can use the public key to check whether the signature really comes from your private key. And if the procedure sounds familiar to you, it may well be, because it has been established for decades. It is called public-key cryptography and is used, for example, for HTTPS, mail encryption or instant messaging. And in order to bring this procedure to a mass audience now, the leading providers have decided to build it into their systems and market it as a passkey. And in contrast to the password, there is no shared secret with the passkey, i.e. a sequence of characters that both the provider and the user know. The private key is only yours and therefore cannot be intercepted. So this is safer under the hood, yet much more comfortable to use. This is what it looks like when you log in: simply enter the login name and then click on “log in with passkey”, put your finger on the sensor or scan your face, and you’re in. Depending on how the provider sets up the login procedure, in some cases you don’t even have to enter a login name at all, but can use the passkey directly.
And phishing is no longer a problem with passkeys either, because you can only use the passkey on the website you created it for. So the PayPal passkey only works on PayPal.com and not on PayPal-FakeAccount-sonstwas.org or something. You are therefore automatically protected against phishing. And as I just said, passkeys can already be used today, for example here on Google. After this video you can go directly to the account settings and then click here on security and then on passkeys and create a passkey here. And you already have a passkey.
If you want to try it out first, you can go to passkey.org. There you simply enter a login name and then create a passkey for it. Then you go to another device, in our example from a Macbook to the iPhone and then enter the login name here and you can then simply see that the synchronization of the passkey worked. Apple saves the passkeys in the encrypted iCloud backup and synchronizes them on all Apple devices that you are logged into. This means that if your iPhone breaks and you buy a new one, all the passkeys are saved directly on it. And if you use several Apple devices, your passkeys are automatically stored on all devices. Google also offers this synchronization, i.e. between several Android devices. As of today, this is not possible across platforms. This means you can save passkeys individually on your Windows computers, Android smartphones or iPad, but you cannot use the same passkeys.
However, some providers of password managers have already announced that they will soon be offering versions with passkey functions. And with this, passkeys can also be synchronized between Windows, Linux, Android and Apple devices. 1Password has even integrated passkeys into its beta version already. And almost all other well-known providers of password managers want to do the same in a timely manner. Then, at the latest, everyone will have the opportunity to synchronize passkeys across all their devices. But you don’t necessarily have to have passkeys saved on all devices. Actually, the smartphone is enough as a digital key. This is the easiest way today to use passkeys in everyday life, because you can choose to use your smartphone for services that support passkeys. Then you simply open the camera app, scan the QR code and log in using the same technology.
By the way, the requirements for passkeys are not that high. A more recent iPhone with iOS 16 is sufficient, i.e. iPhone 8 or higher. Or, as I said, an Android smartphone from version 9 or higher, or a Mac with at least macOS Ventura. On Windows, passkeys work on Windows 10 and 11 via the built-in Windows Hello authentication service. If you want to use your smartphone here, you must currently use a Chromium-based browser, such as Chrome, Edge or Opera One. This function is only expected to be properly integrated into the system with a future update. Hopefully Microsoft will follow suit here soon.
What you should do, if possible, after you have switched a provider’s account to passkeys: remove the password there. Unfortunately, this is by far not possible with all providers who already support passkeys today. Microsoft is one of the few providers where you can already remove passwords today. The NAS manufacturer Synology even goes one step further and, after a warning, automatically removes the password once you have set up a passkey there. But if you really no longer have access to the passkeys, for example if your mobile phone was run over by a tractor, you can use the services’ recovery functions to regain access to the account as before, classically via email or SMS code. That’s why it’s also important, regardless of whether I use passkeys or not, that the account information is kept up to date.
A list of all services that already support passkeys can be found at www.passkeys.directory. And if you are now wondering how I can actually integrate passkeys into my web apps myself, then take a look at this c’t article. It is explained in detail there and there is also a c’t interview with the Executive Director of the FIDO Alliance. We have linked both articles below in the description.
My conclusion: passkeys are already a real alternative to existing passwords, where they are already offered. Sure, not everyone is going along with it yet, and that means there is currently no way around a password manager and as much two-factor authentication as possible. But that could change quickly: Apple, Microsoft and Google have agreed on a passwordless future, and that could have a major impact on development. After all, Apple and Google could simply say: “All apps that we offer here in the App Store or Google Play Store must support passkeys!” And then very many services would support passkeys in a short time. So, what do you think? Do you already use passkeys? And what are your experiences in dealing with secure passwords? Had you ever heard of passkeys before? Feel free to write it in the comments and of course like and subscribe.
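The challenge-and-signature exchange the video describes, as an added example that is not part of the transcript and not code from any FIDO or WebAuthn library: a stand-alone Go sketch in which the server stores only a public key, issues a fresh random challenge per login, and verifies the signature over that challenge together with its own origin, so a signature produced on a look-alike domain (the PayPal-FakeAccount case above), an old reused challenge, or another device's key is rejected. The origins and the `"\x00"` separator are constructed for the example; real WebAuthn signs authenticatorData plus a hash of clientDataJSON, which this simplifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is all the server stores: the public key and the origin it was created for.
type Credential struct {
	Origin    string
	PublicKey *ecdsa.PublicKey
}

// Authenticator stands in for the phone or security key; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates a key pair on the device and hands the server only the public half.
func Register(origin string) (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv}, &Credential{Origin: origin, PublicKey: &priv.PublicKey}, nil
}

// NewChallenge is the random data sequence the server issues for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin (simplified stand-in for WebAuthn's clientDataJSON).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign runs on the device: it signs the challenge together with the origin the browser reports.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify runs on the server: the signature must cover the challenge it issued and its own
// origin, so a signature made on a look-alike domain or for an old challenge is rejected.
func (c *Credential) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.PublicKey, signedData(c.Origin, challenge), sig)
}
```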
c’t 3003 is c’t’s YouTube channel. The videos on c’t 3003 are independent content and independent of the articles in c’t magazin. The editors Jan-Keno Janssen and Lukas Rumpler and the video producers Şahin Erengil and Pascal Schewe publish a video every week.