Amazon now lets you log in with Apple's Face ID or Touch ID and Passkeys
Amazon users are now able to log in to their accounts with a Passkey, meaning biometric authentication such as Face ID or Touch ID.
Apple introduced support for Passkeys in iOS 16, with the idea that you are already identified -- or identifiable -- with the iPhone and Apple Watch's biometric systems. Plus, certain Mac keyboards include a Touch ID fingerprint reader, and that positively identifies a user.
"This is about giving customers ease-of-use and security simultaneously in their Amazon experience," said Dave Treadwell, senior vice president of ecommerce at Amazon, in a statement. "While passwords will still be around in the foreseeable future, this is an exciting step in the right direction."
"We are thrilled to be an early adopter of this new authentication method, helping to realize our vision for a more secure, passwordless internet," continued Treadwell.
While it's taken more than 16 months since Apple announced Passkeys at WWDC 2022, it is Apple that has popularized the idea. Passkeys were created by the FIDO Alliance and the World Wide Web Consortium, but Apple -- and from May 2023 also Google -- have brought support for them to people's devices.
"When a customer uses a passkey on Amazon, it proves they have access to their device and are able to unlock it," says Amazon. "Customers no longer need to worry about remembering unique passwords or using easy-to-guess identifiers, like names or birthdays."
The company says that Passkey support is available today for all Amazon users on browsers. It is "gradually rolling out on the iOS Amazon Shopping app with support coming soon on the Android Amazon Shopping app."
On a browser, users set up the Passkey by:
- Signing in to Amazon.com as normal
- Choosing Accounts & Lists in the top left
- From the dropdown, choosing Account under the heading Your Account
- Clicking on Login & Security
- Then under Passkey, clicking Setup
Amazon is a major firm to add Passkey support, but it has been beaten to it by a series of companies, including retailers such as Best Buy, Home Depot, and eBay.
Comments
1. There was no "Accounts and Lists" button on the top left. See item 3 below.
2. There was no dropdown with an "account" button. See item 3 below.
3. To find "Login and Security," when I was logged in, I had to press the icon of the face, then scroll up, then press the SEE ALL button in the YOUR ACCOUNT section. Why is my experience so different from the experience in this article?
4. After it said that passkeys was successfully set up, I logged out and logged back in. However, it didn't log in using passkeys because I didn't notice there was a passkeys button, and I had to log out again, attempt to log in, find the passkeys button this time, and press it. And I have to do this each time I log in! In my opinion many users will not notice this button and will continue to log in with passwords that were loaded into their iCloud keychain because the level of effort is identical.
In my opinion, the process really isn't complete until the user has deleted the password from their iCloud keychain, and the procedure in this article doesn't explain how to do that. The whole point to passkeys is to get rid of passwords, not to supplement passwords with a second system. This article fails to tell users to delete their passwords from their keychain.
Another omission is that there are several options to choose from when setting up passkeys, and this article doesn't describe them. I didn't want to spend 10 minutes researching them, so I just left the defaults as they were.
After setting it up, I was able to log in using passkeys on my Mac, which is usually where I log in to Amazon from. I'm happy and grateful that it's working. But I am surprised and disappointed that the Passkeys experience does not include informing me that I can use passkeys until I have entered my full username into the account login box. I was expecting the login screen to tell me that I can use passkeys to log in to my account, including the name of my account. I thought passkeys would automate that part of the process, but it seems that it doesn't. I have to be honest, that's very disappointing. They didn't even use a cookie to pre-populate the account login field. Isn't this what cookies were invented for?
I'm still happy about Passkeys in general and plan to assist my friends and family in using it as it rolls out, but most of them won't understand it. In fact, it takes slightly longer to log in using passkeys because the FaceID process actually takes longer to complete than just populating the password field from your keychain. And I'm pretty sure using TouchID would also be slower than using the keychain.
In the Apple world, at least, you don't have to use iCloud Keychain; you can store the passkey in anything which implements the correct bits of the autofill API. Right now I know that Strongbox can do this and store the passkey in a KeePass kdbx file. That, at least, you can access directly and store and, more importantly, back up wherever you like.
At that point the usage of the passkey is similar to a sequence of the same entropy stored in KeePass, except with the advantage that, because the passkey relies on a cryptographic transaction, it's secure against a bunch of attacks the password isn't.
EDIT: It is a bit daft that Apple hides the password field and offers a passkey option when signing on iCloud.com, even if your system doesn't support it. It seems quite a big dollop of encouragement — a hard sell — for something (superior) that might not be supported.
If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.
If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.
This new system will make it much easier to set up secure logins; people don't have to think up a new minimum-length password, capital letters, numbers, special characters, etc. Just add email address, sign up, verify email, save passkey.
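An added example, not part of the article or the comments and not Amazon's or Apple's code: a simplified Node.js sketch of the "cryptographic transaction" a comment above mentions, showing the checks a site runs on a passkey sign-in and why a replayed or look-alike-origin response is rejected. It assumes a P-256 key and constructed names (`shop.example`), and omits the CBOR/COSE encoding and attestation a real WebAuthn deployment handles through a library.

```javascript
const nodeCrypto = require("node:crypto");
const sha256 = (d) => nodeCrypto.createHash("sha256").update(d).digest();

// Authenticator + browser side (simulated). The browser, not the page, fills in `origin`.
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData = SHA-256(rpId) | flags (UP=0x01, UV=0x04) | 4-byte signCount
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Site (relying party) side: holds only the public key and the challenge it just issued.
function verifyAssertion(a, publicKey, expected) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "bad type";
  const got = Buffer.from(String(c.challenge), "base64url");
  if (got.length !== expected.challenge.length ||
      !nodeCrypto.timingSafeEqual(got, expected.challenge)) return "challenge mismatch";
  if (c.origin !== expected.origin) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((a.authData[32] & 0x05) !== 0x05) return "user not verified";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const rp = { rpId: "shop.example", origin: "https://shop.example" }; // constructed names
  const challenge = nodeCrypto.randomBytes(32); // fresh per sign-in attempt
  const good = makeAssertion(privateKey, rp.rpId, rp.origin, challenge);
  const lookalike = makeAssertion(privateKey, rp.rpId, "https://shop-login.example", challenge);
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData[36] ^= 1; // alter the signed counter after signing
  return {
    genuine: verifyAssertion(good, publicKey, { ...rp, challenge }),
    replayed: verifyAssertion(good, publicKey, { ...rp, challenge: nodeCrypto.randomBytes(32) }),
    lookalikeOrigin: verifyAssertion(lookalike, publicKey, { ...rp, challenge }),
    tampered: verifyAssertion(tampered, publicKey, { ...rp, challenge }),
  };
}

console.log(demo());
```

The site stores only the public key, so a leaked credential database contains nothing that can be replayed as a login, unlike a password or its hash.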