Bye-Bye, Passwords? Why Passkeys Can Be the New Way to Log Into Apps, Sites

Companies look for high-tech ways to block criminals from our private information

Most of us agree passwords are a drag. At best, we’re indifferent to them even as we begrudgingly recognize their purpose.

The biggest tech companies share your frustration. Apple, Google and Microsoft, along with giant companies in other fields, are throwing their collective weight behind a password alternative called passkeys, which promise to be more secure than regular passwords and eliminate the associated hassles.

Passkeys are based on an emerging standard developed by the Fast IDentity Online (FIDO) Alliance, an industry group, and the World Wide Web Consortium. FIDO Alliance members include Amazon, American Express, Bank of America, Chase, CVS Health, eBay, Intel, Lenovo, Mastercard, Meta, Netflix, Samsung, Sony, Qualcomm, Verizon, Visa and Wells Fargo.

While passwords as we know them aren’t going to disappear anytime soon, the new passkey solution could start showing up before you know it. Passkeys leverage biometric login methods you may already be taking advantage of, such as facial recognition, fingerprint scanning or even a personal identification number that you probably know better as a PIN code.

At its Worldwide Developers Conference in June, Apple went all in on passkeys, which it says will be available to developers as part of its upcoming macOS Ventura and iOS 16 operating system software for Mac computers and iPhones. Apple’s future operating systems promise to replace passwords for good in the long term.

Changes are possible starting in 2023

Apple’s very public embrace of passkeys came about a month after Google heralded the solution at its own developer conference.

Google expects to have an Android and Chrome version of passkeys for software developers by the end of this year. Android and Chrome users should expect them to be available sometime during the first three months of 2023, according to Google executive Sam Srinivas, who is also president of the FIDO Alliance.

What’s the difference?

Passcode, aka personal identification number (PIN). A secret numeric code of at least four digits that a person uses to verify his or her identity

Password. A word or string of characters that an authorized user creates to log into a computer system or service

Passphrase. A sentence-like set of words or characters, longer than a password but often easier to remember, that serves as a login to apps and websites

Passkey. A method of verifying an app or website user that is tied to both the app or site and the device trying to gain access. Both “keys” need to fit before a user is allowed in, but the process is done without entering a username or other proof of identification.

Microsoft is on board, too, and expects people to be able to use passkeys across Microsoft platforms “over the course of the coming year.” In May, the three normally fierce rivals issued a joint press release with FIDO.

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives,” Alex Simons, a Microsoft corporate vice president for identity program management, said in the release. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today. By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords.”

“In the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device,” Simons said in a separate blog post.

For now, people who want to remove the password from their Microsoft accounts can use the Microsoft Authenticator app to log in. It works in tandem with two-factor authentication, such as a mobile phone you’ve logged into with your face, fingerprint or PIN.

The problems with existing passwords

We’re all too familiar with the problems passkeys aim to solve. Most people ignore the advice of security experts and use the same or similar passwords across the board when signing into apps and websites. Indeed, 2 in 3 Americans report reusing passwords for different online accounts, according to a recent Ipsos poll of 4,000 U.S. adults.

Making matters worse: We often choose passwords that are no more complex than the name of our pet or kindergarten teacher, not to mention “password” as a password or “12345.” In other words, soft credentials the bad guys can easily guess.

And when we do choose strong passwords that are way harder to crack — a long, seemingly random string of upper- and lowercase letters, numbers and symbols — we often have a hard time remembering them.

Password managers that let you store and auto-generate complex passwords can ease some of the irritation folks feel, sometimes for a subscription price. But relatively few people take advantage of them.

Phishing attacks could become passé

The promise behind passkeys is they won’t force you to confront the usual trade-off between convenience and ease of use versus something far more bulletproof. Garrett Davidson, who works in the authentication experience area at Apple, told developers that passkeys will eliminate not only problems with hacking passwords stored in companies’ computer systems but also phishing attacks where users are tricked into voluntarily surrendering their credentials.

Physical security tokens and sometimes the two-factor authentication codes that are meant to add another layer of protection by complementing passwords may no longer be required. While the “public key cryptography” technique behind passkeys is complex, FIDO’s executive director and chief marketing officer, Andrew Shikiar, says consumers using facial recognition or fingerprints to log into sites and apps won’t see big changes from what they’re accustomed to today.

“The difference is there is no password there for a hacker to hack because even a strong password can be manipulated,” he says.

In Apple’s case, once a passkey is set up, which you can do in conjunction with Face ID facial recognition or the Touch ID fingerprint sensor on Apple devices, a unique digital key is created that works only for the site you intended. Since Apple securely syncs passkeys through what’s known as its iCloud Keychain, they are instantly available across the Apple product portfolio on Apple TVs, iPads, iPhones and Macs.

How passkeys work

In layman’s terms, you have a cryptographic key pair that needs to match. One half of this key pair is a public key that resides on a web server. The other is the corresponding private key, unique to your device, meaning someone would have to be in possession of your phone, tablet or computer for a security rupture to even come about.

“If I steal your [standard] password and have your credential, I would go right away and try to stuff that into every major banking site, travel site, retail site,” Shikiar says. “I can do that for pennies [and] I’d probably have around a 5 percent success rate and take over those accounts.”

“But if I steal your public key, I can’t do anything with it. There’s no value to that public key,” he says. “[Since] the private key stays on your device safely, the only way for you to activate that private key is to verify yourself [on] your device.”
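The key-pair login described above, as an added example that is not part of the original article: a simplified Node.js sketch of a passkey-style sign-in. The origin strings, function names and message layout (site origin followed by a random challenge) are assumptions for illustration, not the actual FIDO/WebAuthn message format.

```javascript
// Added illustration: simplified passkey-style challenge-response.
const crypto = require('node:crypto');

// Registration: the device creates a key pair for one site.
// Only the public key is handed to the website.
function registerPasskey(origin) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { origin, privateKey }, // never leaves the user's device
    server: { origin, publicKey },  // stored by the website
  };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device: sign origin + challenge, but only for the site the key was made for.
function signLogin(device, browserOrigin, challenge) {
  if (browserOrigin !== device.origin) return null; // lookalike site gets nothing
  const payload = Buffer.concat([Buffer.from(browserOrigin), challenge]);
  return crypto.sign('sha256', payload, device.privateKey);
}

// Server: check the signature against its own origin and the challenge it issued.
function verifyLogin(server, challenge, signature) {
  if (!signature) return false;
  const payload = Buffer.concat([Buffer.from(server.origin), challenge]);
  return crypto.verify('sha256', payload, server.publicKey, signature);
}

// Constructed scenario using a placeholder site name.
function demo() {
  const site = 'https://bank.example';
  const { device, server } = registerPasskey(site);
  const c1 = newChallenge();
  const sig1 = signLogin(device, site, c1);
  const c2 = newChallenge();
  // Someone who knows only the public key has to sign with some other private key.
  const other = registerPasskey(site).device;
  return {
    legitimate: verifyLogin(server, c1, sig1),
    lookalikeRefused: signLogin(device, 'https://bank-login.example', c1) === null,
    replayAccepted: verifyLogin(server, c2, sig1),
    wrongKeyAccepted: verifyLogin(server, c2, signLogin(other, site, c2)),
  };
}
```

Calling `demo()` shows the three properties the article describes: the real device logs in, a lookalike site receives no usable credential, and neither a replayed signature nor knowledge of the public key alone is accepted by the server.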

Will passwords ever die?

Despite tech giants’ very public push, passkeys won’t happen overnight. Your bank, broker and other companies you do business with are likely to be on their own timeline.

“Every service provider will have their own path for when they choose to implement this,” Shikiar says. Some regulatory issues also must be fleshed out.

But “by this point next year, all the platforms will have support for passkeys in the market,” he says. “In late 2023, 2024, this will become more and more of a common login option or experience.”

Even so, suggesting passwords are on borrowed time is premature. Consider it highly unlikely that the companies you frequently encounter will tell you something along the lines of, “Sorry, we no longer accept passwords” in the near term, if ever.

“We will always have passwords in some capacity,” says Christopher Budd, senior manager of threat research at British-based Sophos. That means brushing up on good security practices and choosing passwords that are strong and not repeated elsewhere.
