
No more passwords? The “passkeys” explained in three questions

No more passwords scribbled on a piece of paper? Apple, Microsoft and Google intend to replace them with “passkeys” (which can be translated as “access keys”), a system that has been in the making for years.

iPhones gain passkey support on Monday, September 12, with the release of their new iOS 16 operating system, and Apple computers will follow in October with the arrival of macOS Ventura. Windows, for its part, can already exchange passkeys with iOS, and its publisher Microsoft says it intends to add the remaining passkey features soon. As for Google, the company wants to “allow developers to use” this technology on Android by the end of 2022. The stakes are high for users, since the software of these three companies equips the overwhelming majority of computers and smartphones in circulation.

The weaknesses of the password are well known: many users choose passwords so simple that specialized software can guess them, reuse the same password across many services, or inadvertently hand them to hackers after being trapped by phishing campaigns. Passkeys, which everyone will therefore be offered more and more often instead of the traditional password when creating an account on a site or in an application, are supposed to solve these problems. Explanations.


How do passkeys work?

With passkeys, to register on a service, an application or a site (an online shop, for example), you must use a device that belongs to you: a smartphone, a computer or a tablet. At registration, the device creates a pair of cryptographic keys, unique to that service. On one side is the private key, which never leaves the device; on the other, the public key, which is handed to the site or application in question.


Subsequently, at each login attempt, the service poses a kind of riddle to the smartphone, a “challenge” that only it can solve, since answering requires signing the challenge with the private key; the service checks the answer with the matching public key it holds. Once the “challenge” has been solved, to finalize the login the user must then confirm their approval and prove that they are indeed the owner of the smartphone, for example by placing a finger on the fingerprint reader, presenting their face, typing a PIN or drawing a pattern on the screen.

Once the account is initialized, the private key joins a keychain containing all the passkeys created for each service used, stored on the smartphone and, this is one of the great novelties, in an online storage space: Google Drive, Apple’s iCloud, or Microsoft’s OneDrive, depending on the software that equips the device. The passkeys will therefore be accessible to all devices sharing the same ecosystem, for example a user’s iPhone, iPad and MacBook. They are housed in an encrypted online space that no one except the user can open.

Can passkeys be shared between Google, Microsoft, and Apple?

Yes. Passkeys can travel across ecosystems but, unfortunately, they don’t sync automatically between Apple, Microsoft, and Google clouds. You have to transfer each of them manually.

Consider the scenario of someone who has signed up for a new service on their iPhone, which now stores the corresponding passkey. This person cannot log in to the same service on their Windows computer, since it does not belong to the same ecosystem: it cannot receive this passkey via iCloud. Nor can they log in to this service from a loved one’s MacBook, even though it belongs to the same ecosystem, since that computer is signed in to a different iCloud account.


However, by opening the service’s website on one of these computers, the user is offered a QR code to display, which constitutes a sort of login request. They can then scan this QR code with the smartphone on which the passkey is stored. The smartphone automatically checks that the computer is physically nearby, via a Bluetooth connection, to ensure that the request does not come from a hacker operating remotely. It only remains for the user to approve the authentication, as in the procedure described previously, for example by placing a finger on the fingerprint reader.

The scenario with QR code will be similar each time the user needs to connect with two different ecosystems, for example to a Windows computer with an Android phone, or to an Android phone with a Mac computer.

For convenience, at the end of this procedure, many services offer to create a new passkey for the computer that did not have one, to avoid repeating this laborious procedure at each new login. Contacted by Le Monde, Google and Microsoft also confirm that they are working to open up passkey management to third parties such as password manager vendors, LastPass or Dashlane for example. These could store the passkeys in their own cloud and make them accessible across different ecosystems.

What happens if I lose, break, or have my smartphone stolen?

Unlike passwords, passkeys cannot be jotted down on a piece of paper, memorized, or grouped together in a password manager. They are locked in the encrypted memory of the smartphone, which is an additional incentive to keep this device with you at all times.


This can be inconvenient, for example when you want to replace an Apple smartphone with an Android model (or vice versa). Before reselling the old smartphone, you must first copy its passkeys manually into the new phone, one by one, which promises to be complex and laborious. The inconvenience can be even greater if the smartphone is stolen or broken: if you have no other device belonging to the same ecosystem as the lost one, you will not be able to recover the passkeys stored in the cloud. The only solution: request new passkeys from dozens of customer services, proving your identity each time. An obstacle course.

Things would be easier if you could copy your entire set of passkeys from one ecosystem to another. “It’s a very active discussion at the moment,” acknowledges Andrew Shikiar, executive director of the FIDO Alliance, which coordinates this technology. But to achieve this, a secure way to do it will have to be found, explains Arnaud Jumelet, security expert at Microsoft France:

“One of the key security mechanisms of passkeys is that the user gives his consent for each transfer, key by key. We want to prevent a virus from sucking up all the passkeys at once, and it will not be easy to find a technology that guarantees this while allowing the migration of an entire keychain.”

Finally, some services will nevertheless continue to collect our email addresses and telephone numbers, in particular to be able to identify us in the event that we lose our passkeys. According to Srinivasan Sampath, who leads various IT security projects at Google, many services will even continue to use passwords for years to come. “But the more users use their passkeys as a priority to identify themselves, the more passwords will be reserved for rare cases, systematically attracting the attention of service managers.” They will be able to devote all their attention to these particular cases.