
Bye-Bye, Passwords? Why Passkeys Can Be the New Way to Log Into Apps, Sites

Companies look for high-tech ways to block criminals from our private information


A whopping 16 billion login credentials have been exposed across Apple, Facebook, Google and other sites and services, according to a Thursday report from researchers at the Cybernews tech security outlet.

Such reports of massive data breaches are sobering, but most of us agree passwords are a drag. At best, we’re indifferent to them even as we begrudgingly recognize their purpose.

The biggest tech companies share your frustration. Apple, Google and Microsoft, along with giant companies in other fields, are throwing their collective weight behind a password alternative called passkeys, which promise to be more secure than regular passwords and eliminate the associated hassles. 

The concept is hard to grasp initially, but a huge benefit to users is that you will no longer need to remember passwords. Instead you can log into sites via your face, fingerprint or other biometrics tied to the device you're using.

Passkeys are based on a cryptographic standard developed by the Fast IDentity Online (FIDO) Alliance, an industry group, and the World Wide Web Consortium. FIDO Alliance members include Amazon, American Express, Bank of America, Chase, CVS Health, eBay, Lenovo, Mastercard, Meta, Netflix, PayPal, Samsung, Sony, Qualcomm, Target, TikTok, Visa and Wells Fargo. While passwords as we know them aren’t going to disappear anytime soon, the new passkey solution is beginning to gain traction.

More than 13 billion accounts were able to leverage passkeys for signing in as of last year, according to FIDO.

In 2023, Google began rolling out passkeys across all Google Accounts on all major platforms, meaning you now had the option to ditch passwords. Google even offered passkeys as the default option for signing into those accounts.

Passkeys leverage biometric login methods you may already be taking advantage of, such as facial recognition, fingerprint scanning or even a personal identification number that you probably know better as a PIN code.

Apple has also publicly embraced passkeys. At its latest Worldwide Developers Conference earlier this month, Apple demonstrated how upcoming major releases of software for iPhone, iPad, Mac and Vision Pro can make it easier to securely import and export passkeys across competing platforms, such as a Windows PC. Apple has suggested that its future operating systems promise to replace passwords for good in the long term.

What’s the difference?

Passcode, a.k.a. personal identification number (PIN). A secret numeric code of at least four digits that a person uses to verify his or her identity

Password. A word or string of characters that an authorized user creates to log in to a computer system or service

Passphrase. A sentence-like set of words or characters, longer than a password but often easier to remember, that serves as a login to apps and websites

Passkey. A method of verifying an app or website user that is tied to both the app or site and the device trying to gain access. Both “keys” need to fit before a user is allowed in, but the process is done without entering a username or other proof of identification.

The problems with existing passwords

We’re all too familiar with the problems passkeys aim to solve. Most people ignore the advice of security experts and use the same or similar passwords across the board when signing in to apps and websites. Indeed, 2 in 3 Americans report reusing passwords for different online accounts, according to an Ipsos poll of 4,000 U.S. adults.

Making matters worse: We often choose passwords that are no more complex than the name of our pet or kindergarten teacher, not to mention “password” as a password or “12345.” In other words, soft credentials the bad guys can easily guess. 

A recent CNET survey found about half of U.S. adults have "risky password habits."

And when we do choose strong passwords that are way harder to crack — a long seemingly random string of upper- and lower-case letters, numbers and symbols — we often have a hard time remembering them.

Password managers that let you store and auto-generate complex passwords can ease some of the irritation folks feel, sometimes for a subscription price. But relatively few people take advantage of them.

Phishing attacks could become passé

The promise behind passkeys is that they won’t force you to confront the usual trade-off between convenience and ease of use on one side and far stronger security on the other. At a conference in 2022, Garrett Davidson, an engineer in the authentication experience area at Apple, told developers that passkeys will eliminate not only problems with hacking passwords stored in companies’ computer systems but also phishing attacks, where users are tricked into voluntarily surrendering their credentials.

Physical security tokens and sometimes the two-factor authentication codes that are meant to add another layer of protection by complementing passwords may no longer be required. While the “public key cryptography” technique behind passkeys is complex, FIDO’s CEO and executive director, Andrew Shikiar, says consumers using facial recognition or fingerprints to log in to sites and apps won’t see big changes from what they’re accustomed to today.

“The difference is there is no password there for a hacker to hack because even a strong password can be manipulated,” he says.

According to Google, you’ll need the following to sign in with a passkey:

  • A laptop or desktop that runs Windows 10, macOS Ventura or ChromeOS 109 or later 
  • A mobile device that runs iOS 16 or Android 9 or later 
  • A hardware security key that supports the FIDO2 protocol 

Google adds that your computer or mobile device will also need a supported browser, including Chrome 109, Edge 109 or Safari 16 or later. 

Devices must also have a screen lock, and Bluetooth if you wish to use a passkey on a phone to sign in to another computer. If you haven’t set up a passkey yet, tap Create a Passkey | Continue and follow the instructions. You will be prompted to create a passkey on any supported device that you use to sign in to your Google account. 

Do not create a passkey for a shared device if you don’t want other users to access your account, Google warns.

You can use a passkey to sign on to another device. The first time you sign in on a computer with a passkey, a QR code will appear on the computer screen for you to scan using your phone’s camera. This step won’t be required the next time you try to sign in with the same computer. Once you do sign in, you’ll be presented the option to create a passcode for that machine. Make sure this is your own device before doing so.

In Apple’s case, once a passkey is set up, which you can do in conjunction with Face ID facial recognition or the Touch ID fingerprint sensor on Apple devices, a unique digital key is created that works only for the site you intended. Since Apple securely syncs passkeys through what’s known as its iCloud Keychain, they are instantly available across the Apple product portfolio on Apple TVs, iPads, iPhones, Macs and Vision Pros.

How passkeys work

In layman’s terms, you have a pair of hidden keys that need to match. One is a public key that resides on a web server. The other is the corresponding private key, unique to your device, so someone would have to be in possession of your computer, phone or tablet for a security breach to be possible.

“If I steal your [standard] password and have your credential, I would go right away and try to stuff that into every major banking site, travel site, retail site,” Shikiar says. “I can do that for pennies [and] I’d probably have around a 5 percent success rate and take over those accounts.”

“But if I steal your public key, I can’t do anything with it. There’s no value to that public key,” he says. “[Since] the private key stays on your device safely, the only way for you to activate that private key is to verify yourself [on] your device.”

Will passwords ever die?

Despite tech giants’ very public push, passkeys won’t happen overnight. Your bank, broker and other companies you do business with are likely to be on their own timeline.

“Every service provider will have their own path for when they choose to implement this,” Shikiar says. Some regulatory issues also must be fleshed out.

But “all the platforms will have support for passkeys in the market [and] this will become more and more of a common login option or experience,” he says.

Even so, suggesting passwords are on borrowed time is premature. Consider it highly unlikely that the companies you frequently encounter will tell you something along the lines of, “Sorry, we no longer accept passwords,” in the near term, if ever.

“We will always have passwords in some capacity,” says Christopher Budd, former senior manager of threat research at British-based Sophos. That means brushing up on good security practices and choosing passwords that are strong and not repeated elsewhere.

This story, originally published July 14, 2022, has been updated to reflect the latest developments.
