Passkeys aim to simplify online logins. But their rollout may require a lot of patience


By Rob Pegoraro

A tap of a fingerprint sensor on an Apple tablet logged me on to a website in a Google browser on a laptop running a Microsoft operating system—with no need to type in a password and then punch in a two-factor authentication code.

That blissfully simple login experience was peak passkeys, which confirm a login by sending a private cryptographic signal from a nearby biometrically secure device. And it was living up to the sales pitch that Apple, Google, and Microsoft laid out when they jointly announced support for this cross-platform authentication standard in May 2022.

But over the course of a few weeks as I tried out passkeys among the handful of services and platforms that support this standard, I also tripped over some pain points that weren’t in any slide deck from that trio of tech giants. As much as we love to hate passwords and as bad as we are at creating and tending them, passkeys aren’t close to letting us retire that technology.

Just finding services that support passkey authentication is less than obvious, since some of these sites don’t exactly trumpet their newest features. I relied on two third-party references: passkeys.directory, maintained by the password-manager service 1Password, and passkeys.io, via the open-source authentication firm Hanko.

Here’s how things worked out at three sites that currently support passkeys.

Google

Most people will get their introduction to passkeys from Google, which launched support for passkeys worldwide May 5 for standard Google accounts (though paid Workspace accounts have yet to get that upgrade).

As Google’s help page notes, Android users should already have the passkey function on their device, waiting to be activated. I did that by signing in to my Gmail, selecting “Manage Google Account,” and (after not seeing a prompt or link to set up passkey security) clicking “Security” and then “Start using passkeys” to activate the passkey lurking on my Pixel 5a phone.

Logging in to my Gmail in an incognito window in Apple’s Safari browser by providing my email address opened a Google dialog that said “Use your passkey to show that it’s really you.” A second dialog asked me to pick a passkey method, the first one listed being “iPhone, iPad or Android device”; choosing that surfaced a QR code in the browser that I scanned with my phone’s camera. A tap of my fingerprint on the 5a’s sensor completed this login, with browser and phone confirming their proximity with an invisible, back-channel Bluetooth exchange.

Microsoft

You could call this company’s passkey support “stealthy,” but “sneaky” would be closer to the truth: Microsoft’s documentation and dialogs did not use the word passkey during my initiation, instead falling back on the phrase “Windows Hello or a security key.”

I further complicated matters by using a press preview version of 1Password’s passkey system, due to open for public testing June 6. After installing a test release of 1Password’s extension in Chrome, I signed in to my Microsoft account in that browser, selected “Security,” then “Security Dashboard,” and then “Use your Windows PC: Sign in using your face, fingerprint, or a PIN.” Then a dialog for Microsoft’s Windows Hello biometric authentication popped up—to which the 1Password extension responded by offering to save the passkey now available.


To test that, I signed out of my account, then began signing back in. Selecting a smaller-print option to “Sign in with Windows Hello or a security key” got 1Password to supply the passkey safely encrypted on the computer, as confirmed with a tap of the fingerprint sensor on this laptop.

For now, Windows users will have to read “Windows Hello or security key” as Microsoft-ese for “passkey.” That goes against expert advice: Interface guidelines published Wednesday by the FIDO (Fast IDentity Online) Alliance, an industry group, emphasize the importance of clarity and not leaving the user guessing about how a login is being protected.

Kayak

The travel-booking site was among the first to support passkey logins, and it also provided one of the cleaner implementations of it. I signed in to my account in Safari on my Mac, selected “Account,” clicked the “Account” tab, and saw a “Set up passkey” link. Clicking that yielded a Mac system dialog to create a passkey that was then saved in iCloud.

Then I picked up my iPad, opened a tab to Kayak, tapped the login button, and only had to confirm my login with Touch ID—the encrypted passkey saved there encapsulated my identity and its authentication.

I completed the test by signing on to Kayak in Chrome on Mac and Windows machines; in each case, the login process followed the template of my Google tests. After telling the site that I would log in with “a different phone or tablet”—on the Windows laptop, I had to decline a system dialog inviting me to sign in with a security key—I scanned the resulting QR code with the iPad’s camera, which invoked a “Sign in with a passkey” dialog in the iPad camera app that I could confirm with a tap of the tablet’s Touch ID button.

Note that in every case, not having a device with a saved passkey would not have represented a problem—all of these sites still accept username and password logins.

The ones that got away

The biggest missing character in this saga is Apple, which has yet to follow up its passkey pledge by supporting this standard. The company’s WWDC conference next week may yield answers (Apple PR did not answer a request for comment), but for now this firm gets an incomplete grade.

PayPal earned the same rating in my field test; although it has announced passkey support, limited to current Apple computers, phones, and tablets as well as most Android devices, that option did not surface in my account. The company says it’s “gradually ramping availability” to see how things work out.

And while Safari, Chrome, and Edge all offer passkey support, Mozilla Firefox does not; management at that open-source browser project says it’s coming by the end of the year. And yet every time I could log on to a site with a tap of a fingerprint on a separate device—a login method that can’t be fooled by a phishing site, since a passkey only works when the domain name matches the one it was created for, and which is immune to password-stealing keystroke loggers—I felt like I’d unlocked a future that needs to happen sooner rather than later.

Fast Company
