Passkeys became ready for the mainstream ecosystem when Chrome pushed version 108 into everyone’s hands earlier this month. As a passwordless login standard initiated and promoted by the FIDO Alliance, passkeys were unveiled at WWDC back in June this year and drew everyone’s attention, but the “passwordless future” seemed to be all thunder and no rain: apart from support at the operating-system level, there seemed to be no concrete examples of services supporting passkeys.
In fact, that is no longer true. So this article will start from what a passkey is, take a look at the state of the passkey ecosystem, and show how we can set up a passkey.
How passkeys “replace” passwords
Although we have a special article on how it works, here is a brief introduction to what passkeys do and how they do it.
In short, what passkeys are trying to achieve is to find a simpler, more direct, but equally secure way to authenticate users outside of the original “username and password” security model. For example, if you are using an iPhone with Face ID, unlocking the iPhone with your face proves that it is you doing it, and it is quicker and less intrusive than entering your login information or even auto-filling it.
The idea behind this alternative means of authentication is a specific cryptographic principle, and in a way it really does “kill the password”. The passkey replaces the login information, which used to be stored (encrypted or hashed) on the server side, with a key pair from asymmetric cryptography. Unlike traditional credential data containing usernames and passwords, in asymmetric cryptography the device registering the passkey generates a “public key” and a “private key”, and only the public key is given to the server providing the registration service.
We can compare the public key to a traditional mailbox with a “security” lock, and the private key to the key that opens that lock. The letter delivered by the letter carrier is the message we want to encrypt: it is encrypted by dropping it into the mailbox, and then only the owner of the mailbox has the key to open it and read the contents of the letter. If a person does not have the key in hand, then they have to force the security lock open, and that process is not only time-consuming and labor-intensive but usually there is simply no way to get that lock open in the end. In other words, if some content is encrypted with a public key, that content can only be decrypted with the private key.
This is where the reliability of asymmetric encryption comes from: without the private key, we generally cannot factorize very large integers with limited computing power and limited time; if the encrypted content can be decrypted, then the other party has the private key.
So as long as the server encrypts a piece of authentication information with the public key and the private key on the user’s device can decrypt this authentication information, then it can prove that I am “I”. This is the basis on which passkeys are realized, and authentication is completed through this indirect matching. The whole process does not require any effort to type in a specific password, nor does the private key ever leave the local device, so a breach of the server cannot leak the credential, and the risk of interception in transit is reduced.
However, the private key saved locally by the user also needs to be secured, otherwise a malicious program that can read it freely could defeat this indirect authentication mechanism. Therefore, when using passkeys, the local “private key” is further protected by the biometric system on the user’s device, such as Touch ID/Face ID on Apple devices, fingerprint recognition on Android devices, or Windows Hello; even simple PIN authentication can further strengthen the protection of access to the private key. This is an important part of passkeys.
Which platforms and services support passkeys
In the early days, the WebAuthn API could only be used with a physical security key. But this year, Apple, Microsoft and Google have been pushing hard to let computers, tablets and phones act as security keys via passkeys. By my count, the following platforms support passkeys.
Apple: iOS 16, iPadOS 16, macOS Ventura and tvOS 16 or later, with iCloud Keychain synchronization and sharing via AirDrop.
Google: Chrome version 108 and above, plus the latest version of Google Play Services (the Google autofill framework); supports syncing between Android devices, and between Android and specific versions of Chrome.
Microsoft: Windows 11 version 22H2 and above; requires Windows Hello to be turned on, and works in Chrome and Chromium-based Edge.
Of course, some people worry that if a platform doesn’t support passkeys yet, you simply can’t use passkeys on that platform. Linux, for example, doesn’t support passkeys and there are no plans to support them for the time being.
The solution to this problem is to turn phones and tablets with cameras into security keys and pass the “answers” from the mobile device to the passkey-aware software over a secure channel via Bluetooth, NFC or a USB cable. From the user’s point of view, this cross-platform flow is just two steps: scan a QR code, then scan your fingerprint or face.
The future of passwordless logins is an exciting one, and password managers such as 1Password are working hard to embrace passkeys. The current plans for passkey support from the leading password managers are as follows.
1Password: Passkey support is expected in the browser extensions and desktop apps by early 2023, with the mobile apps coming a bit later. 1Password currently has a technology showcase site to let 1Password users get an early taste of passkeys.
Bitwarden: Clearly in development, but launch date unknown.
Dashlane: In Beta testing, the latest version of the browser plugin already supports passkeys, and the mobile version of the app is currently in development.
In addition to system and software support, I believe we are most interested in which sites support passkeys. 1Password currently maintains a list of sites, applications and other services that support passkeys, detailing whether the site supports login with a passkey or is used for two-step authentication only, and giving details of where to set it up.
In addition to that list, some vendors are adding passkey support to their own account services, such as GitHub, Cloudflare and Fastmail. All of them offer the option to bind passkeys to existing accounts under various forms and names, and all of them already supported the WebAuthn API earlier, so passkey support is a natural fit. You can find most of the sites and services that already support the WebAuthn API here, and in theory most of them also support passkeys.
How to set a passkey
Although passkeys can be used both for login and for two-step authentication, they are built on the WebAuthn API, so the passkey settings are usually found under the “two-step authentication” options labelled “hardware key”, “NFC key” or “USB authenticator”, and the process of adding a passkey to an existing account is quite seamless.
Take an Nvidia website account, for example: at the bottom of the account management page, under “Security Settings”, you can see a section called “Hardware Security Device” where you can add multiple browser, Android or iOS devices that support passkeys.
There are some other things to keep in mind when adding one. First of all, one account can be tied to multiple passkeys, but if these passkeys are stored on platforms that support syncing, different devices on the same platform will be considered the same device and the addition will be rejected. For example, if I add an Nvidia passkey in Safari on macOS, then open the Add Passkey screen again and scan its QR code for the same Nvidia account with my iPhone, the iPhone will report an error when I try to add it.
Secondly, when you add a passkey via Bluetooth on an Android phone, both the Android phone and the corresponding computer need to be in a working network state, otherwise the passkey will not be added correctly. Lastly, Nvidia has a special feature once the passkey is added: you can use the passkey directly when logging in, which makes it the only website I have tested so far that achieves the “log in to your account directly with a passkey” flow Apple demonstrated at WWDC.
GitHub, Cloudflare, Fastmail and the other services mentioned at the beginning have a very similar process to Nvidia’s, so I won’t go through them here. There are two exceptions, though: Microsoft accounts and Google accounts.
The first is the Microsoft account, which is special because currently you can only add passkeys from Chrome or Chromium-based Edge on Windows 11 22H2; there is no entry point for adding passkeys from other browsers or operating systems. After logging into your Microsoft account, select “Security” – “Advanced Security Options” – “Get Started Now” – “Add a new login or authentication method” – “Set up a security key” – “USB device” – “Next” to start adding a passkey. And, as with setup, the Microsoft account passkey currently only works on Windows 11 22H2.
The other exception is Google accounts, which can be set up in two ways. One is that if you have a Pixel device with a built-in Titan security chip, Google will automatically add that device by default as the passkey device used for two-step authentication when signing in.
To sign in to your Google account on the web, simply pull out your Pixel device, grant access to nearby devices, and complete the two-step authentication with biometric verification on your device.
If you don’t have a Pixel device with a Titan security chip built in, but do have a device running iOS 16/iPadOS 16, then you can also find the hidden entry point for adding a passkey.
First login to your Google account in Safari on iOS 16/iPadOS 16, then click on your avatar in the top right corner – “Manage your Google account” – “Security” – “Two-step verification” – “Enter password again” – “Security key” – “Add security key” – “Entity” – “Continue” and you will find the familiar portal of adding a passkey appearing in front of you. Scan the QR code that appears on the screen with another device running iOS 16/iPadOS 16/Android 13 to complete the addition of your Google account passkey. Once added, you can also use the corresponding Passkey on other platforms, but I don’t understand why this interface is only open for iOS/iPadOS.
That is the entire content of this article. As you can see, a number of services already support passkeys; although the vast majority of them currently only use passkeys as a substitute for two-step authentication, it is still a good start.