Digital security is more important than ever, but passwords as we know them are broken. It’s a flawed concept: passwords are fiddly to enter, difficult to remember, and easily stolen. Autofill and password managers help with some of that, but phishing scams still trick people into giving up passwords, and websites storing your login details can be hacked. Two-factor authentication improves security but makes the sign-in process even longer.
So with the release of iOS 16, Apple is presenting an alternative system: Passkeys.
(Remember: iOS 16 is set for release in September, but you can test the beta version right now if you can’t wait!)
What are Passkeys?
Passkeys are designed to make the login process more secure, with less friction. They use Face ID or Touch ID for authentication, removing the need for a password entirely. That means there’s nothing to leak or steal, and nobody but you can access your accounts. They utilize the existing Autofill functionality in Safari to keep things quick and easy for users. You can share Passkeys with trusted people, and you can authenticate via a QR code if you need to log in on a non-Apple device. How successful Apple will be at transitioning the world to Passkeys remains to be seen, but they’re a promising prospect.
As this is a new technology, don’t expect every website to be compatible right away. Early adopters include eBay, PayPal, and Best Buy – but plenty more will be added as time goes by.
How to set up a Passkey
To create a new Passkey with a compatible app or website, you enter a username and authenticate with Touch ID or Face ID. Your Passkey is generated and synced to iCloud Keychain. That means you can log in using your Passkey from another Apple device running iOS 16, iPadOS 16, or macOS Ventura.
Signing in uses the autofill system you’re already familiar with, and there are no steps beyond confirming your username and authenticating. In other words, you tap and sign in. It’s a single-step flow, with no need for additional security requirements like two-factor authentication.
You can also add a Passkey to an existing account by looking through its user settings on any compatible website, though the option isn’t always referred to as a passkey. For example, we tested the functionality on eBay’s website and found a setting called Face/fingerprint/PIN sign in tucked away in the Sign in and Security section of the Account Settings. Other compatible websites will be similar. Also note that the eBay app doesn’t currently support passkeys – this is for the website only.
Given that your Passkeys are stored in iCloud Keychain, you might ask how you’d sign in to a service or website on a PC or Android phone. Here, things do get a little more complex, but not onerously so. You’re asked to scan a QR code with your phone, which then securely connects to the target device over Bluetooth. You then authenticate as normal and you’re in.
You can also share a Passkey with someone you trust, so you can both more securely access shared accounts, such as for an online grocery store. In this case, proximity comes into play by way of AirDrop. At present, the main limitation is that Passkeys can only be shared one at a time.