Google, Apple and Microsoft: A password-free future is in the making (FIDO/Passkeys)

First post: Apple, Google and Microsoft announced their support back in May. That was only 5 months ago. It does not make any sense for any service to switch over to passkeys (as a replacement) until those big players have done their homework.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.

iOS 16 was released; iPadOS 16 and macOS Ventura will still have to be released later this month. When the handling of passkeys is integrated into every OS (including Windows and so on) and works across platforms, it will take off. This is a process that is about to start - it will take time. When everything is up and running on a bigger scale, I am quite sure that we will see a broader adoption. Today, we are at the early beginning of this journey.

First things first: building the stuff into the operating systems is happening in these months. It will be put into use when everything is ready for primetime. I am not surprised that we have not seen much. Again, it only has been 5 months since the announcement. This will take time.

Well, Passkey is pretty much a new name for the FIDO Standard, and that was developed starting back in 2012, as far as I remember!

So plenty of time for the development and introduction, and still not available on a wider base as far as I know.
If this will only start up once “every OS incl. Windows and so on” has implemented it, PCs will long be gone before it is available on a wider base for the “normal user”.

Therefore my question: is this observation somewhat different in other regions of the world?

For anyone that wants to try out Passkeys: Discourse (including this forum) already supports them, but only for 2FA.

If this article is correct we will have plenty of time to get used to passkeys

It’s already one year. Is there any major website that uses passkey? I tried to change my Apple ID password two days ago and it’s still using username/password on appleid.apple.com. Considering Ricky Mondello, whom I followed on Mastodon, kept on talking about how good passkey is, it’s disappointing that Apple does not use it themselves, or, am I just not seeing it?

I also tried to change my password in PayPal, who recently announced support for passkey, and nope, it’s the same old thing.

1 Like

Still early days… PayPal has not enabled passkeys globally. Only personal US accounts as far as I have read. They are planning to make it available in more countries this year.

A recent article about the RSA Conference (“massive gathering of the biggest names and companies in cybersecurity”) which happened a few days ago in SF:

An excerpt:

The biggest issue so far is adoption. Apple, Google, and Microsoft have thrown their weight behind Passkeys, integrating them into all their platforms, but very few sites and services are accepting them. There are more thorny challenges, however. For example, because Passkeys only sync within an ecosystem, so most people will probably end up with multiple valid Passkeys for the same site—one for Apple, for Microsoft, and so on. That could get confusing for users. “A lot of this stuff is still early days. This is kind of part of the ugly. We haven’t quite got this figured out as an industry,” said Google Product Manager Christiaan Brand.

This is a long process. 1Password has announced their support for this summer. Others have similar plans.

This has to work across platforms and it needs to be easy for users to really take off I think.

Passkey was introduced more than 2 years ago! :thinking:
Either it is working or not, but after this rather long time for a system like that, I would assume that it is not working; otherwise we would observe a widespread implementation of Passkey.

On the web development side, popular frameworks and authentication libraries are still implementing WebAuthn. After that, applications will have to update. I see progress but not urgency since very few users are refusing to log in any other way.

The FIDO Alliance has been working on passkeys for several years but Apple, Google, and Microsoft didn’t announce their support until last May.

Companies are starting to sign up but it will likely take years for passkeys to become mainstream. Some studies suggest that two thirds of people still keep their passwords on handwritten notes. It’s . . .

1 Like

And while it was announced in May 2022, for instance Apple implemented the functionality in the fall updates in 2022 (half a year later). And we are still in “the coming year”.

Just in: Sixcolors / Dan Moren:

There’s no doubt for me that the entire technology industry will be shifting to passkeys over the next few years—the advantages are huge for both users and services—but it’s still likely to be a very slow transition, and there will no doubt be holdouts and laggards.

:wink:

1 Like

My biggest question remains how to deal with shared accounts. Unlike passwords, passkeys can’t easily be shared with others, which is more secure but also way less convenient.

Yes, I think that these solutions from password managers like 1Password or Bitwarden will be the starting point to really make it feasible. For those who are using password managers.

It really will get interesting for everybody when or if Apple, Microsoft and Google sync passkeys across ecosystems. And yes, I think this will happen eventually in some way (without the necessity of third-party solutions).

A big challenge, of course, is that most online accounts don’t have any sort of “delegated access” - and having things like 1PW shared vaults isn’t as accessible of a solution as most people would like.

I can’t count the number of times that what I basically need is access to somebody’s account to do something. Yes, sure, it’s theoretically possible to schedule a screen sharing session - but customers don’t want to sit there while I log in to their account and do the work I need to do. 2FA is enough of a headache - passkeys will be even more of a hassle.

Some sort of robust “give this person access” protocol that doesn’t rely on handing a bunch of money to a password management company would go a long way toward easing adoption, IMHO.

3 Likes

IMO, if passkeys are going to get wide adoption in business they will have to be cross-platform and shareable. Just a few minutes ago I opened the CVS app on my iPhone and it offered to create a passkey in keychain for me. I declined because I can’t use Keychain everywhere I have accounts.

This rollout is going to take everyone cooperating if it’s going to be successful. Silos aren’t going to work.

1 Like

Passkeys are in fact coming:

From what I’ve read this will be a huge sticking point. Making them unsharable eliminates phishing.

Eliminating phishing would be great but “Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing . . .”

About the security of passkeys

A fresh article with interesting quotes via mjtsai.com:

Jeff Johnson wrote:

One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can’t be ignored. (…) So what’s the problem? With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device.

This blog post apparently prompted an answer from Ricky Mondello, manager of the Authentication Experience team at Apple:

https://hachyderm.io/@rmondello/110329118270492669

Jeff Johnson was not 100% happy with this reply. More on that in Jeff Johnson’s blog post.

It will be interesting to see how everything is playing out, especially cross-platform. I guess that this will be the area where third party solutions like 1Password or Bitwarden could survive. Whether 3rd party “password” managers will have a use case for the regular user depends on how well Google, Microsoft and Apple will work with each other in handling passkeys in everyday life, I guess. Again, early days. This is only getting started. I do not see passwords vanishing everywhere soon.

1 Like

Interesting articles, thanks for posting them.

IMO password managers will definitely have a business use case. So it will be interesting to see how quickly the “big tech companies” will implement the export/import of passkeys. The temptation to use them as another way to lock in users must be overwhelming.

Re: criminals “recovering” your ID. This has been and always will be a major vulnerability. If anyone can help me if I forget my password then my data is not as secure as possible.

I would normally expect financial institutions to welcome passkeys with open arms but I suspect they may be among the last to adopt them. Any institution that uses SMS for 2FA values customer service more than security.