Passwords are a big problem. Everyone uses the same weak passwords over and over, and even then we don’t remember them. Worst of all, long, unique and strong passwords with lots of special characters and random capital letters aren’t that secure: they’re vulnerable to phishing and other scams, and they’re especially easy to forget.
What is a passkey?
A passkey is a new way to sign in to online accounts, services, and apps that's designed to be faster, easier to use, and more secure than passwords.
Passkeys rely on public key cryptography, not a username and password, to verify your identity. This means you don't have to remember anything, so you can't forget it like a password, and your device uses a one-time login every time you sign in to your account, so your account details can't be easily stolen by a hacker or phishing attack.
Passkeys were created by an industry group called the FIDO Alliance, which includes companies such as Apple, Google, Microsoft, Amazon, 1Password, Dashlane, American Express, Intel, Mastercard, Meta, PayPal, Samsung, Visa and many others. Seriously, passwords are widely seen as a huge global problem, so there are many companies interested in better and more secure solutions.
How do passkeys work?
Passkeys are part of a new web standard called Web Authentication or WebAuthn. Instead of a username and password, WebAuthn uses a principle called public key cryptography to verify your identity. It's the same solution used by secure messaging apps to encrypt your conversations and online payment processors to ensure your credit card details aren't stolen, so it's well understood and widely used.
When you create an account for a service that uses WebAuthn, instead of creating a password that matches some clumsily arbitrary criteria, your device creates a unique pair of mathematically related keys. One is called the public key and the other is called the private key.
- The public key is not a secret. It's stored on the service's servers, but it doesn't really matter if hackers steal it or otherwise leak it. It can actually be public knowledge without affecting your security.
- On the other hand, the private key is stored securely on your device and must remain secret.
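The key pair and one-time sign-in described above can be modelled in a few lines of Node.js. This is an added example, not code from the article or from the FIDO Alliance: it is a simplified model of the idea (the real WebAuthn message format is more involved), and the `Server` class, function names, user name and origins are constructed for illustration. It goes one step beyond the text by showing the sign-in exchange, in which the server sends a random challenge and the device signs it together with the site's origin.

```javascript
// Added example: simplified model of passkey registration and sign-in.
// Not the real WebAuthn wire format; all names and origins are constructed.
const crypto = require("node:crypto");

// Device side: create the key pair. The private key stays on the device.
function createPasskey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Device side: sign the server's challenge plus the origin the browser sees.
function signIn(privateKey, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: stores only public keys and issues one-time challenges.
class Server {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString("base64url");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    const publicKey = this.keys.get(user);
    if (!expected || !publicKey) return false;
    const seen = JSON.parse(clientData);
    if (seen.challenge !== expected || seen.origin !== this.origin) return false;
    return crypto.verify("sha256", Buffer.from(clientData), publicKey, signature);
  }
}

// Run the four cases: normal login, replayed response, wrong origin, wrong key.
function demo() {
  const origin = "https://example.test"; // constructed site
  const server = new Server(origin);
  const device = createPasskey();
  server.register("alice", device.publicKey);
  const good = signIn(device.privateKey, server.newChallenge("alice"), origin);
  const ok = server.verify("alice", good);
  const replay = server.verify("alice", good); // same response sent again
  const phished = server.verify("alice", signIn(device.privateKey, server.newChallenge("alice"), "https://examp1e.test"));
  const forged = server.verify("alice", signIn(createPasskey().privateKey, server.newChallenge("alice"), origin));
  return { ok, replay, phished, forged };
}
```

Only the first case succeeds: a captured response cannot be reused, a response produced on a lookalike origin is rejected, and knowing the public key alone does not let anyone produce a valid signature.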
What accounts support passkeys?
Passkeys only work with accounts that support them. So far it's really just a few big names like Google, Microsoft, Shopify Pay, PayPal, Adobe and TikTok, but wider support should be coming soon.
Unfortunately, because there are so many companies involved and passwords are so deeply ingrained in the online world, it took a while for the FIDO Alliance to get passkeys to the point where you can actually use them. And to be honest, we're only just getting there.
What devices support passkeys?
Right now, passkey support is still a bit messy. Because passkeys are created on a specific device, they cannot be shared as easily as passwords. Workarounds are coming, but for now they are not as cross-platform as passwords or password managers.
Apple recently added passkey support to iOS and macOS devices, and Google added passkey support to Android devices (and it’s coming to ChromeOS as well). Microsoft has actually offered a limited version of passkeys in Edge for years, but will bring them more natively to Windows later this year.