Passkeys: all the news and updates around passwordless sign-ins

Microsoft is fully rolling out passkey support for all consumer accounts today. After enabling them in Windows 11 last year, Microsoft account owners can also now generate passkeys across Windows, Android, and iOS. This makes it effortless to sign in to a Microsoft account without having to type a password in every time.

You can create passkeys for your Microsoft account by following this link, and you can choose your face, fingerprint, PIN, or a security key to use a device to sign in with a passkey.

Google is kicking off World Password Day by updating us on its efforts to replace the often hacked, guessed, and stolen form of authentication with passkeys. Their passwordless approach relies on device-based authentication instead, making logging in faster and more secure.

In a blog post on Thursday, the company announced that over 400 million Google accounts (of the at least 1.5 billion reported since 2018) have used passkeys since rolling them out, logging over a billion authentications between them. The majority of users find them easier to use than passwords, according to Google, adding that “since launching, passkeys have proven to be faster than passwords, since they only require users to simply unlock their device using a fingerprint, face scan or pin to log in.”

One more app joins the passwordless future we’ve been promised. WhatsApp says it’s now rolling out support for passkeys in the iOS version of the app. With the feature enabled, users of Meta’s encrypted messaging app can use iPhone biometrics for login — that is, Face ID or Touch ID — or their phone’s passcode.

WhatsApp already supports unlocking its iOS app with one of these options, but this takes that a step further. Passkey support comes to the iPhone version several months after Meta started distributing it to Android WhatsApp users in October. WhatsApp spokesperson Zade Alsawah iOS users will see the app “in the coming weeks,” so if you don’t see it now, keep checking.

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

On this episode of The Vergecast, we bring in an expert: Anna Pobletts, the head of passwordless (best title ever?) at 1Password. She has been working on all things post-password for a long time and has seen every use case you can think of. She’s convinced that passkeys are the future but also has some ideas on the right (and not-so-right) way to get started.

X is now supporting passkey log-ins on iPhones and iPads, granting members access to the security feature regardless of their “Premium” status. Generating a passkey for X allows users to completely skip entering a password when they log in to their accounts and instead rely on the device’s security (with Face ID, Touch ID, or your device’s passcode). 

For now, passkeys are only available in the US, and X hasn’t revealed when it’s rolling out the login technology on Android, for desktop operating systems, or in other countries. Also, X’s rollout of passkeys doesn’t seem to be complete yet (some users reported still not having access as of Tuesday night on the East Coast), so don’t fret if the feature hasn’t popped up yet.

The latest iteration of Google’s Titan Security Key is here, ready to work alongside the new passwordless passkey technology that’s rolled out with support from Apple, Microsoft, Google, and many others. Two new versions of the key are available in the Google Store starting today with either a USB-C connection ($35) or USB-A connection ($30), and — like the previous versions released in 2021 — both also have NFC to connect wirelessly to phones and other mobile devices.

I’ve been using the USB-C version for a few days, and it works just as well as other keys I have, like the older Titan hardware and other FIDO2 keys from Yubico. Having NFC support on both versions is convenient so that you don’t have to choose, especially since when setting up keys, you’ll want to have at least two to maintain a backup.

Bitwarden, one of our top picks for free password managers, is adding support for passkeys in the latest version of its browser extensions. Passkeys can use your device’s pin, face, or fingerprint for authentication, and are a more secure and convenient alternative to traditional passwords that are also more resilient to phishing attacks.

Although the company has announced that passkey support is coming in the new 2023.10 release, the update appears to be in the process of rolling out — I’m still seeing the previous 2023.9.2 version listed on the Chrome Web Store as of this writing. But I’ve verified that it’s working on Safari with the latest version of Bitwarden’s Mac app and extension. The rollout of the feature follows support from Apple and Google’s built-in password managers, as well as competing third-party password managers like 1Password.

Android apps are about to get better built-in passkey support. Google announced in a developer blog post last week that Credential Manager, a new Android-specific API for storing credentials like username and password combinations and passkeys, is going public on November 1st. Credential Manager, which has been in developer preview for months, houses biometric authentication of passkeys, traditional passwords, and federated identity login under one roof in Android phones.

Ultimately, the change should allow apps to offer better authentication support in Android 14. Using Credential Manager, apps can offer users easy biometric logins through passkeys. That should mean a more friction-free sign-in experience since people who use that method wouldn’t have to worry about keeping login information in their heads. Third-party password managers like 1Password can also integrate the API for a more streamlined experience when defaulting to such an alternative instead of Google Password Manager.

Amazon’s rolling out passkey support for its online site and mobile shopping apps. Customers can log in to Amazon using just their devices’ biometrics and start shopping without the need to enter a password or follow through with two-factor authentication (2FA) through email or text.

Amazon dipped its toes into passkey support earlier this month for its web experience, but it wasn’t ready for primetime yet since the implementation still required a 2FA code and wasn’t enabled for the mobile apps. If you’re interested in enabling passkey support with Amazon, you can enroll by going to Amazon.com, visiting your account settings, clicking “Login & Security,” and using the “Set up” button next to “passkey.”

Google is making it easier for users to ditch passwords on their Google accounts in favor of passkeys — a fast, secure, and passwordless approach to logins that utilizes the pin, face, or fingerprint authentication built into your devices. Starting today, Google account users will be prompted to create a passkey for their account by default, sparing them from manually hunting through account settings for the setup process.

While the industry-wide goal is to eventually make passkeys the new login standard, Google says that passwords will “still remain part of our lives as we make the pivot.” As such, users can still choose to sign in to their Google account with traditional passwords and can opt out of using passkeys entirely by disabling the “skip password when possible” option for their account.

Microsoft’s incoming Windows 11 update will introduce public support for passkeys — a passwordless login technology that instead uses your face, fingerprint, or device PIN to sign into accounts. Announced at Microsoft’s AI and Surface launch event on Thursday, the latest Windows 11 update (available from September 26th) will allow users to create, manage, and store passkeys, and use them to access supported websites and services using their device’s own authentication systems.

Microsoft began testing passkey management in the Windows Insider developer channel back in June, so this Windows 11 update is bringing the technology into general availability.

Nintendo has added support for passkeys, a passwordless sign-in method that uses your fingerprint, face scan, or other methods to give you access to your online accounts. As spotted earlier by NintendoSoup (via 9to5Mac), Nintendo now lets you register and use a passkey to sign in to your account from a variety of different devices.

To add a passkey to your account, head to accounts.nintendo.com from the device you want to use the passkey. Once you sign in to your Nintendo account, hit Sign-in and security settings > Passkeys > Edit. Then, select Register a new passkey and follow the steps to complete the setup process on the device you’re using.

Following months of teasing, 1Password has announced that support for passkeys — a new login technology that replaces passwords with authentication systems built into a user’s own device — is now generally available across the password managers’ mobile apps and web browser extensions. From today, 1Password users can create, manage, and sign in to supported websites with passkeys via the 1Password iOS and Android mobile apps and its browser extensions for “all major web browsers on Mac, Windows, and Linux.”

This update doesn’t include the ability to replace your 1Password account’s master password with a passkey, however, which has been teased by the company since February. That’s set to arrive “later this fall,” when the company says it’ll deliver its first “end-to-end passkey experience” across all platforms and devices.

Today, I’m talking with Jameeka Green Aaron. She’s the chief information security officer, customer identity at Okta. Okta is a big company, a Wall Street software as a service darling, and also just the thing a lot of us have to log into at work 50 times a week to get anything done. So I was very curious to dig into the business of Okta’s business.

But Okta’s point of view, Jameeka told us, is that it’s not just a security company; it’s an identity company. So we talked at length about what the whole concept of “identity” even really means in 2023. Is it your whole actual self? Is it a digital replica of your vital stats and permissions? How do you define what it means to be you in the 21st century, and how does that relate to the way you use technology, tools, and systems? How is an identity-based approach to systems more or less secure than other approaches?