Passkeys: all the news and updates around passwordless sign-on

The latest iteration of Google’s Titan Security Key is here, ready to work alongside the new passwordless passkey technology that’s rolled out with support from Apple, Microsoft, Google, and many others. Two new versions of the key are available in the Google Store starting today with either a USB-C connection ($35) or USB-A connection ($30), and — like the previous versions released in 2021 — both also have NFC to connect wirelessly to phones and other mobile devices.

I’ve been using the USB-C version for a few days, and it works just as well as other keys I have, like the older Titan hardware and other FIDO2 keys from Yubico. Having NFC support on both versions is convenient so that you don’t have to choose, especially since when setting up keys, you’ll want to have at least two to maintain a backup.

Bitwarden, one of our top picks for free password managers, is adding support for passkeys in the latest version of its browser extensions. Passkeys can use your device’s pin, face, or fingerprint for authentication, and are a more secure and convenient alternative to traditional passwords that are also more resilient to phishing attacks.

Although the company has announced that passkey support is coming in the new 2023.10 release, the update appears to be in the process of rolling out — I’m still seeing the previous 2023.9.2 version listed on the Chrome Web Store as of this writing. But I’ve verified that it’s working on Safari with the latest version of Bitwarden’s Mac app and extension. The rollout of the feature follows support from Apple and Google’s built-in password managers, as well as competing third-party password managers like 1Password.

Android apps are about to get better built-in passkey support. Google announced in a developer blog post last week that Credential Manager, a new Android-specific API for storing credentials like username and password combinations and passkeys, is going public on November 1st. Credential Manager, which has been in developer preview for months, houses biometric authentication of passkeys, traditional passwords, and federated identity login under one roof in Android phones.

Ultimately, the change should allow apps to offer better authentication support in Android 14. Using Credential Manager, apps can offer users easy biometric logins through passkeys. That should mean a more friction-free sign-in experience since people who use that method wouldn’t have to worry about keeping login information in their heads. Third-party password managers like 1Password can also integrate the API for a more streamlined experience when defaulting to such an alternative instead of Google Password Manager.

Amazon’s rolling out passkey support for its online site and mobile shopping apps. Customers can log in to Amazon using just their devices’ biometrics and start shopping without the need to enter a password or follow through with two-factor authentication (2FA) through email or text.

Amazon dipped its toes into passkey support earlier this month for its web experience, but it wasn’t ready for primetime yet since the implementation still required a 2FA code and wasn’t enabled for the mobile apps. If you’re interested in enabling passkey support with Amazon, you can enroll by going to Amazon.com, visiting your account settings, clicking “Login & Security,” and using the “Set up” button next to “passkey.”

Google is making it easier for users to ditch passwords on their Google accounts in favor of passkeys — a fast, secure, and passwordless approach to logins that utilizes the pin, face, or fingerprint authentication built into your devices. Starting today, Google account users will be prompted to create a passkey for their account by default, sparing them from manually hunting through account settings for the setup process.

While the industry-wide goal is to eventually make passkeys the new login standard, Google says that passwords will “still remain part of our lives as we make the pivot.” As such, users can still choose to sign in to their Google account with traditional passwords and can opt out of using passkeys entirely by disabling the “skip password when possible” option for their account.

Microsoft’s incoming Windows 11 update will introduce public support for passkeys — a passwordless login technology that instead uses your face, fingerprint, or device PIN to sign into accounts. Announced at Microsoft’s AI and Surface launch event on Thursday, the latest Windows 11 update (available from September 26th) will allow users to create, manage, and store passkeys, and use them to access supported websites and services using their device’s own authentication systems.

Microsoft began testing passkey management in the Windows Insider developer channel back in June, so this Windows 11 update is bringing the technology into general availability.

Nintendo has added support for passkeys, a passwordless sign-in method that uses your fingerprint, face scan, or other methods to give you access to your online accounts. As spotted earlier by NintendoSoup (via 9to5Mac), Nintendo now lets you register and use a passkey to sign in to your account from a variety of different devices.

To add a passkey to your account, head to accounts.nintendo.com from the device you want to use the passkey. Once you sign in to your Nintendo account, hit Sign-in and security settings > Passkeys > Edit. Then, select Register a new passkey and follow the steps to complete the setup process on the device you’re using.

Following months of teasing, 1Password has announced that support for passkeys — a new login technology that replaces passwords with authentication systems built into a user’s own device — is now generally available across the password managers’ mobile apps and web browser extensions. From today, 1Password users can create, manage, and sign in to supported websites with passkeys via the 1Password iOS and Android mobile apps and its browser extensions for “all major web browsers on Mac, Windows, and Linux.”

This update doesn’t include the ability to replace your 1Password account’s master password with a passkey, however, which has been teased by the company since February. That’s set to arrive “later this fall,” when the company says it’ll deliver its first “end-to-end passkey experience” across all platforms and devices.

Today, I’m talking with Jameeka Green Aaron. She’s the chief information security officer, customer identity at Okta. Okta is a big company, a Wall Street software as a service darling, and also just the thing a lot of us have to log into at work 50 times a week to get anything done. So I was very curious to dig into the business of Okta’s business.

But Okta’s point of view, Jameeka told us, is that it’s not just a security company; it’s an identity company. So we talked at length about what the whole concept of “identity” even really means in 2023. Is it your whole actual self? Is it a digital replica of your vital stats and permissions? How do you define what it means to be you in the 21st century, and how does that relate to the way you use technology, tools, and systems? How is an identity-based approach to systems more or less secure than other approaches?

The next TikTok trend is passkeys on iPhones. The social media app is announcing support for the logins that try to make password-stealing phishing attacks impossible by allowing users to sign in with either Touch ID or Face ID instead of entering passwords. The initial launch includes iOS device support and uses Apple’s native implementation of passkeys that saves them to the iCloud Keychain so that once it’s set up, it will also work on your other Apple devices.

Once the feature is available, TikTok users can enable a passkey for their account by going to the app’s settings and selecting the new passkey menu item. Then users can follow a couple of steps: tap Set up, hit Continue on the iOS system prompt to save a passkey, and you're done!

Microsoft is improving Windows 11’s support for the new passkey standard that aims to replace passwords with a more secure and convenient way of logging in. A recent Insider Preview Build (23486) now lets you use Windows Hello natively to create and sign in to supported applications and websites using passkeys, where you’ll be asked to prove your identity using a PIN, fingerprint, or face scan. 

According to Microsoft, you can set up the feature by going to a website that’s added passkey support, creating a passkey in its settings, and then logging out to get the option to sign in with the new security method. On Edge or Chrome, the option to sign in with a passkey should be under the “Windows Hello or external security key” option. Saved passkeys can be managed by going to Accounts and then Passkeys in Windows’ settings. 

It appears that passkeys are now supported for Apple IDs, but only if you have the first beta for iOS 17 (or iPadOS 17 or macOS Sonoma). Beta users of Apple’s operating systems then have the ability to sign in anywhere that supports signing in with your Apple ID — covering not only Apple.com and icloud.com, but also anywhere else your Apple account is linked to — sans passwords, using just the biometrics on their iPhone or MacBook and a dream.

It works anywhere that supports signing in with your Apple ID. For example, if I want to sign in to Reddit and look at my favorite John Oliver-themed subreddits, I can tap the “Continue with Apple” button on the sign-in screen, and I’ll be given the option to sign in by scanning a QR code with my iPhone.

Google Chrome’s password manager will soon support biometric authentication on PCs and Macs. The feature, which was previously only available on mobile, uses facial recognition or your fingerprint to verify your identity before Chrome automatically fills your passwords.

This is ideal if you share a computer with someone else and don’t want Chrome to autofill your account passwords for anyone but yourself. You’ll still need a PC or Mac that comes with a fingerprint sensor or supports facial recognition to actually take advantage of the feature, though. Google says this feature is “coming soon” on desktop.

After several months of teasing, password manager 1Password has now launched its public beta for passkeys — a new login technology that allows users to replace passwords with authentication systems built into their devices. From today, 1Password users can now create, store, and share passkeys for supported websites by installing the 1Password beta browser extension for Chrome, Edge, Safari, Firefox, or Brave.

Passkeys can only be created for websites and services that have rolled out their own support. 1Password is keeping a directory of platforms where passkeys can already be used, in addition to a new tab where users can vote on which sites and services they’d like to see passkey support. This doesn’t guarantee that those platforms will actually add passkey support, but perhaps it’ll motivate some companies to develop the feature if they see enough demand. Alternatively, 1Password also has a feature called Watchtower that keeps tabs on your existing accounts and notifies you when passkey support becomes available.

Google has taken a significant step toward a passwordless future with the start of an open beta for passkeys on Workspace accounts. Starting today, June 5th, over 9 million organizations can allow their users to sign in to a Google Workspace or Google Cloud account using a passkey instead of their usual passwords.

Passkeys are a new form of passwordless sign-in tech developed by the FIDO Alliance, whose members include industry giants like Google, Apple, and Microsoft. Passkeys allow users to log in to websites and apps using their device’s own authentication, such as a laptop with Windows Hello, an Android phone with a fingerprint sensor, or an iPhone with Face ID, instead of traditional passwords and other sign-in systems like 2FA or SMS verification. Because passkeys are based on public key cryptographic protocols, there’s no fixed “sequence” that can be stolen or leaked in phishing attacks.

1Password customers are finally gaining partial access to the passwordless future we’ve been promised. Starting from June 6th this year, anyone with a 1Password account will be able to use it to save and manage their passkeys — a biometric-based login technology that allows users to ditch passwords in favor of their device’s own authentication. To access the open beta, you’ll need to download the 1Password beta browser extension for Safari, Firefox, or Chromium-based browsers (which include Chrome, Edge, Arc, and Brave). Support for passkeys on mobile is still in development and unavailable at this time.

You won’t be able to replace your 1Password master password with a passkey right away, either; Steve Won, 1Password’s chief product officer has informed The Verge that this feature will arrive sometime in July 2023.

Passwords have always been a necessary evil, giving you the choice of either using one that is too simple (so you can easily remember it) or one obscure enough to be secure but complicated enough to require a password manager.

Until now, the best way to keep your accounts secure was to partner a password with two-factor authorization (2FA). But now, Google is offering another choice: using a passkey — a secure credential tied to the PIN or biometric authentication your device already uses. The passkey only exists on your device, not in the cloud, making it even safer.

Password manager company Dashlane is replacing the master password with a new device-based / biometric “Passwordless Login” solution to better protect users’ password vaults. That means Dashlane users will no longer have to create and remember a single password that must be guarded from the world — lest it succumbs to a dastardly phishing scheme that compromises your whole digital life (and probably your identity).

Dashlane’s Passwordless Login follows the company’s early support for the rising cryptographic keys solution known as passkeys. However, while Dashlane’s new master password replacement solution also uses cryptographic keys, it's not the same as passkeys, which is the password-free authentication solution developed by FIDO Alliance. Passkeys are backed by all the major tech players, including Apple, Microsoft, and Google, which just added support for passkey protection on Google accounts this morning.

Google’s next step into a passwordless future is here with the announcement that passkeys — a new cryptographic keys solution that requires a preauthenticated device — are coming to Google accounts on all major platforms. Starting today, Google users can switch to passkeys and ditch their passwords and two-step verification codes entirely when signing in.

Passkeys are a safer, more convenient alternative to passwords being pushed by Google, Apple, Microsoft, and other tech companies aligned with the FIDO Alliance. They can replace traditional passwords and other sign-in systems like 2FA or SMS verification with a local PIN or a device’s own biometric authentication — such as a fingerprint or Face ID. This biometric data isn’t shared with Google (or any other third party), and passkeys only exist on your devices, which provides greater security and protection since there’s no password that could be stolen in a phishing attack.

Android users should soon be able to log in to PayPal’s website using passkeys, the password-free login system that’s being pushed by Apple, Google, Microsoft, the FIDO alliance, and more. According to an announcement post, the feature is currently rolling out, and will be “more widely available over the coming year.”

PayPal says that the rollout will start on its website, rather than its app, and that you have to be running Chrome on Android 9 or up to access passkeys. If it’s available for your account, you may get a prompt asking if you want to create a passkey, which you can authenticate using the biometric system or passcode that you use to unlock your phone.