Passkey: Which popular apps and services offer the new feature?

AppleInsiderAppleInsider
Posted:
in General Discussion edited March 3

Apple announced support for passkeys across its platforms in 2022, and many major apps and services have adopted the feature. Here's who uses the security feature.

Apple passkey registration
Apple passkey registration



Passkeys are a way to reach a passwordless future. With the security feature activated, users do not need to input their username or password when they log into a service or app.

To that end, the passkey standard was created by Apple, Google, and Microsoft in partnership with the FIDO Alliance and the World Wide Web Consortium. It is a cryptographic key directly associated with a specific device, which is used to confirm the user's identity.

There is a public and private pair, with the private information stored securely on the device. The public part is what is registered with the service or app.

With the secure element stored on the device, it must be confirmed via some kind of biometric security feature. On supported devices, this means either Touch ID or Face ID.

Here's how to use passkeys on your supported devices, with support starting with iOS 16 and macOS Ventura.

Passkeys also support multi-factor authentication built-in. This means users won't need to input a username and password, followed by a passcode.

Once the information is created, passkeys mean users can expect end-to-end encryption. It also means passkeys are automatically supported on other Apple devices linked with iCloud Keychain, and even non-Apple hardware.

Apps and services with passkey



The good news is that passkey adoption was relatively strong right out of the gate and continues to gain support in the months since Apple announced support. By the end of 2022, big names like Best Buy, eBay, and Google supported passkey, with more joining the list as time progressed.

Apps and services that support passkey as of March 3, 2024



Passkeys are already an industry standard, so support will continue to roll out. That includes better integration so users can simply expect better security when using their devices.

Kayak app with passkey support
Kayak app with passkey support



Apple, for instance, autogenerates Apple ID passkeys for iOS 17 and macOS Sonoma users. This means as users visit Apple's website or the iCloud website, they will be automatically logged in via a passkey.

Passkeys are a major step towards a passwordless future. But to get there, widespread adoption by the platforms, services, and apps is necessary. The trend is moving in the right direction, based on this list.

Updated March 3, 2024: More services supporting Passkey have been added to the list.



Read on AppleInsider

Comments

  • Reply 1 of 16
    22july201322july2013 Posts: 3,573member
    If Microsoft's site supports it, then hopefully when Microsoft closes the deal with Blizzard, (in October?) Blizzard's sites and services will also support it.
    watto_cobra
  • Reply 2 of 16
    jccjcc Posts: 326member
    So what happens when someone steals your phone and knows your phone’s pin? Won’t they be able to quickly lock you out of your account with these passkeys?
    sflagel
  • Reply 3 of 16
    sflagelsflagel Posts: 805member
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 
  • Reply 4 of 16
    beowulfschmidtbeowulfschmidt Posts: 2,141member
    sflagel said:
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 

    Depends on whether I can use the same passkey on, for instance, a Mac, an iPhone, a Windows PC, an Android tablet, and a Linux desktop.  If I set up a site with a passkey, can I then export that passkey to another (non-Apple) device or must I set up a new one?  Note that I do not know the answer to this question.

    I personally have that functionality because I use a password manager that works cross platform, and holds the passwords on my local network.  Passkeys sound like they are not portable, being machine specific, so I'd be less enthusiastic.
    sflagel
  • Reply 5 of 16
    sflagelsflagel Posts: 805member
    sflagel said:
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 

    Depends on whether I can use the same passkey on, for instance, a Mac, an iPhone, a Windows PC, an Android tablet, and a Linux desktop.  If I set up a site with a passkey, can I then export that passkey to another (non-Apple) device or must I set up a new one?  Note that I do not know the answer to this question.

    I personally have that functionality because I use a password manager that works cross platform, and holds the passwords on my local network.  Passkeys sound like they are not portable, being machine specific, so I'd be less enthusiastic.
    Exactly. Apple devices have a built-in password manager, that holds all usernames and passwords across devices and uses them to log-in based on FaceID or TouchID. And even if I forget them, I can look up these usernames and passwords in the password manager and use them on any non-Apple device. And I can see which usernames and passwords I use for each account (e.g., I have two different Netflix accounts). I don't understand the benefits of "Passkey", hopefully someone on this forum can explain to Beowulfschmidt and me.
    edited March 4 muthuk_vanalingam
  • Reply 6 of 16
    StrangeDaysStrangeDays Posts: 12,886member
    sflagel said:
    sflagel said:
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 

    Depends on whether I can use the same passkey on, for instance, a Mac, an iPhone, a Windows PC, an Android tablet, and a Linux desktop.  If I set up a site with a passkey, can I then export that passkey to another (non-Apple) device or must I set up a new one?  Note that I do not know the answer to this question.

    I personally have that functionality because I use a password manager that works cross platform, and holds the passwords on my local network.  Passkeys sound like they are not portable, being machine specific, so I'd be less enthusiastic.
    Exactly. Apple devices have a built-in password manager, that holds all usernames and passwords across devices and uses them to log-in based on FaceID or TouchID. And even if I forget them, I can look up these usernames and passwords in the password manager and use them on any non-Apple device. And I can see which usernames and passwords I use for each account (e.g., I have two different Netflix accounts). I don't understand the benefits of "Passkey", hopefully someone on this forum can explain to Beowulfschmidt and me.
    While Keychain + biometrics is very similar to the experience of Passkeys, it’s because of an abstraction — there are still usernames & passwords that must be typed into a textbox in the browser/app, but iOS/Mac is doing it for you. With Passkeys, there is no password to be typed in or changed. It’s a key, not username + password. The key is useless by itself, eliminating an attack vector like when the website/company gets hacked and leaks your username + password. 

    TLDR Passkeys improve security even if they are used similarly to Keychain. 
    sflagel
  • Reply 7 of 16
    StrangeDaysStrangeDays Posts: 12,886member
    jcc said:
    So what happens when someone steals your phone and knows your phone’s pin? Won’t they be able to quickly lock you out of your account with these passkeys?
    You’ll have bigger problems in that scenario. Like being kicked out of your own Apple ID and bank accounts drained. 
  • Reply 8 of 16
    22july201322july2013 Posts: 3,573member
    jcc said:
    So what happens when someone steals your phone and knows your phone’s pin? Won’t they be able to quickly lock you out of your account with these passkeys?
    You’ll have bigger problems in that scenario. Like being kicked out of your own Apple ID and bank accounts drained. 
    Yes, in some situations, but not in others. For details, read this web page:

    https://newmoneyreview.com/index.php/2023/05/04/a-phone-grabber-could-drain-your-bank-account-in-minutes/


  • Reply 9 of 16
    MarvinMarvin Posts: 15,326moderator
    sflagel said:
    sflagel said:
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 

    Depends on whether I can use the same passkey on, for instance, a Mac, an iPhone, a Windows PC, an Android tablet, and a Linux desktop.  If I set up a site with a passkey, can I then export that passkey to another (non-Apple) device or must I set up a new one?  Note that I do not know the answer to this question.

    I personally have that functionality because I use a password manager that works cross platform, and holds the passwords on my local network.  Passkeys sound like they are not portable, being machine specific, so I'd be less enthusiastic.
    I don't understand the benefits of "Passkey", hopefully someone on this forum can explain to Beowulfschmidt and me.
    Passwords are stored server-side and can be brute-forced or stolen, they can be stolen client-side by key loggers. People often use simple passwords and reuse passwords across multiple services.

    https://arstechnica.com/security/2024/01/71-million-passwords-for-facebook-coinbase-and-others-found-for-sale/

    Passkeys are encrypted keys that don't require typing and aren't stored server-side. Users don't have to think up new ones or remember them or additional security questions.

    If a phone and passcode is stolen, a user could be locked out (iOS 17.3+ provides added protection for stolen devices) but the same would be true for password managers. The same account recovery methods would be used for both.

    For accessing an account on another computer, you'd need the security device with you or sync from a cloud keychain. Different services can provide their own login techniques but can be similar to online banking where you put in a username then get a token from a phone or scan QR code and this would allow logging in on a 3rd party device.

    Different devices can setup their own passkeys, a single account can have multiple keys, they just need to be verified against an account.

    https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/
    sflagelbeowulfschmidtjony0
  • Reply 10 of 16
    StrangeDaysStrangeDays Posts: 12,886member
    jcc said:
    So what happens when someone steals your phone and knows your phone’s pin? Won’t they be able to quickly lock you out of your account with these passkeys?
    You’ll have bigger problems in that scenario. Like being kicked out of your own Apple ID and bank accounts drained. 
    Yes, in some situations, but not in others. For details, read this web page:

    https://newmoneyreview.com/index.php/2023/05/04/a-phone-grabber-could-drain-your-bank-account-in-minutes/


    Their chart is largely inconsequential, if the attacker has your phone and Passcode, they can likely change your FaceID/TouchID biometric scans (Apple released a new security update to help reduce this chance) and many if not most banks will allow transfers with the biometric authentication alone. That some have added measures is not anything to count on. So again — answering the OP’s question of “But what if they have your phone & PIN!” the answer remains: in that scenario you have bigger problems than them having access to your Passkeys, because your Apple ID is now theirs and banking apps allow transfer of funds.
    edited March 4
  • Reply 11 of 16
    Alan1Alan1 Posts: 3member
    I wonder why none of the big financial players are on the list...
    (PayPal is on the list, but it did not offer me the option of using passkeys.)
  • Reply 12 of 16
    MarvinMarvin Posts: 15,326moderator
    Alan1 said:
    I wonder why none of the big financial players are on the list...
    (PayPal is on the list, but it did not offer me the option of using passkeys.)
    Banks generally don't want any 3rd party authentication involved and they already have secure password-less logins via their own apps.

    Paypal's guide for setting up passkeys is here:

    https://www.paypal.com/us/cshelp/article/how-to-log-in-to-paypal-with-a-passkey-help997

    That says it will be available for eligible accounts, maybe they are rolling it out gradually.
  • Reply 13 of 16
    22july201322july2013 Posts: 3,573member
    jcc said:
    So what happens when someone steals your phone and knows your phone’s pin? Won’t they be able to quickly lock you out of your account with these passkeys?
    You’ll have bigger problems in that scenario. Like being kicked out of your own Apple ID and bank accounts drained. 
    Yes, in some situations, but not in others. For details, read this web page:

    https://newmoneyreview.com/index.php/2023/05/04/a-phone-grabber-could-drain-your-bank-account-in-minutes/


    Their chart is largely inconsequential, if the attacker has your phone and Passcode, they can likely change your FaceID/TouchID biometric scans (Apple released a new security update to help reduce this chance) and many if not most banks will allow transfers with the biometric authentication alone. That some have added measures is not anything to count on. So again — answering the OP’s question of “But what if they have your phone & PIN!” the answer remains: in that scenario you have bigger problems than them having access to your Passkeys, because your Apple ID is now theirs and banking apps allow transfer of funds.
    In six of the ten scenarios documented in that webpage, there were no vulnerabilities when it came to money transfers if "the criminal has the iPhone and knows its PIN." I guess you didn't read the webpage at all.
  • Reply 14 of 16
    beowulfschmidtbeowulfschmidt Posts: 2,141member
    Marvin said:
    sflagel said:
    sflagel said:
    Why am I not getting this? How is Passkey different from the saved Usernames and Passwords saved on my iCloud Keychain, other than that the Passkey is hidden even from me? If I use Passkey on a site, how do I log-in on a third-person device, say a company computer at work? And what if I have different accounts for the same service on one device, say separate Amazon accounts? 

    Depends on whether I can use the same passkey on, for instance, a Mac, an iPhone, a Windows PC, an Android tablet, and a Linux desktop.  If I set up a site with a passkey, can I then export that passkey to another (non-Apple) device or must I set up a new one?  Note that I do not know the answer to this question.

    I personally have that functionality because I use a password manager that works cross platform, and holds the passwords on my local network.  Passkeys sound like they are not portable, being machine specific, so I'd be less enthusiastic.
    I don't understand the benefits of "Passkey", hopefully someone on this forum can explain to Beowulfschmidt and me.
    Passwords are stored server-side and can be brute-forced or stolen, they can be stolen client-side by key loggers. People often use simple passwords and reuse passwords across multiple services.

    https://arstechnica.com/security/2024/01/71-million-passwords-for-facebook-coinbase-and-others-found-for-sale/

    Passkeys are encrypted keys that don't require typing and aren't stored server-side. Users don't have to think up new ones or remember them or additional security questions.

    If a phone and passcode is stolen, a user could be locked out (iOS 17.3+ provides added protection for stolen devices) but the same would be true for password managers. The same account recovery methods would be used for both.

    For accessing an account on another computer, you'd need the security device with you or sync from a cloud keychain. Different services can provide their own login techniques but can be similar to online banking where you put in a username then get a token from a phone or scan QR code and this would allow logging in on a 3rd party device.

    Different devices can setup their own passkeys, a single account can have multiple keys, they just need to be verified against an account.

    https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/

    The google link went a long ways towards answering my questions; thanks for that.  However, there must be something stored server side so that an incoming passkey can be matched to an account.  The (justifiably) paranoid IT guy that's been sitting in my head for the last 50 years thinks there is still the possibility that someone could somehow get access anyway.  It's probably safe for now, and honestly for the foreseeable future, but somewhere, there is some bright kid who just sees the new shiny as a challenge.

    Still way better than passwords, if the google blog is accurate, and not just marketing speak.
  • Reply 15 of 16
    MarvinMarvin Posts: 15,326moderator
    there must be something stored server side so that an incoming passkey can be matched to an account.  The (justifiably) paranoid IT guy that's been sitting in my head for the last 50 years thinks there is still the possibility that someone could somehow get access anyway.
    It uses public key cryptography. The server has a public key, the client has a private key:

    https://support.apple.com/en-us/102195

    For authentication the server can encrypt a message using the public key, the client decrypts it and it's authenticated.

    There are reports that standard encryption techniques will have issues with future quantum computing but they are working on solutions and it's highly unlikely an average person will have a quantum computer.

    https://www.scientificamerican.com/article/tomorrows-quantum-computers-threaten-todays-secrets-heres-how-to-protect-them/
    beowulfschmidt
  • Reply 16 of 16
    twolf2919twolf2919 Posts: 112member
    The list included GoDaddy - I have an account there and tried to find out how to enable Passkey - but didn't see anything related to it.  Did the article make a mistake or am I just missing it?  I checked under GoDaddy's Login & Pin page.
    Actually, I just went into the WhatsApp app on iOS and it doesn't seem to have Passkey support either.
    edited April 9
Sign In or Register to comment.