Amazon now lets you log in with Apple's Face ID or Touch ID and Passkeys


Amazon users are now able to log in to their accounts with a Passkey, meaning biometric authentication such as Face ID or Touch ID.

Apple passkey registration

Apple introduced support for Passkeys in iOS 16, with the idea that you are already identified -- or identifiable -- with the iPhone and Apple Watch's biometric systems. Plus, certain Mac keyboards include a Touch ID fingerprint reader, and that positively identifies a user.

"This is about giving customers ease-of-use and security simultaneously in their Amazon experience," said Dave Treadwell, senior vice president of ecommerce at Amazon, in a statement. "While passwords will still be around in the foreseeable future, this is an exciting step in the right direction."

"We are thrilled to be an early adopter of this new authentication method, helping to realize our vision for a more secure, passwordless internet," continued Treadwell.

While it's taken more than 16 months since Apple announced Passkeys at WWDC 2022, it is Apple that has popularized the idea. Passkeys were created by the FIDO Alliance and the World Wide Web Consortium, but Apple -- and from May 2023 also Google -- have brought support for them to people's devices.

"When a customer uses a passkey on Amazon, it proves they have access to their device and are able to unlock it," says Amazon. "Customers no longer need to worry about remembering unique passwords or using easy-to-guess identifiers, like names or birthdays."

The company says that Passkey support is available today for all Amazon users on browsers. It is "gradually rolling out on the iOS Amazon Shopping app with support coming soon on the Android Amazon Shopping app."

On a browser, users set up the Passkey by:


  1. Signing in to Amazon.com as normal

  2. Choosing Accounts & Lists in the top left

  3. From the dropdown, choosing Account under the heading Your Account

  4. Clicking on Login & Security

  5. Then under Passkey, clicking Setup



Amazon is a major firm to add Passkey support, but it has been beaten to it by a series of companies including shopping ones like Best Buy, Home Depot, and eBay.


Comments

  • Reply 1 of 12
    22july2013 Posts: 3,573 member
    I was able to set it up, but there were three or four deviations from the instructions in this article. (In fact, documenting all my problems is longer than the entire article.)

    1. There was no "Accounts and Lists" button on the top left. See item 3 below.
    2. There was no dropdown with an "account" button. See item 3 below.
    3. To find "Login and Security," when I was logged in, I had to press the icon of the face, then scroll up, then press the SEE ALL button in the YOUR ACCOUNT section. Why is my experience so different from the experience in this article?
    4. After it said that passkeys was successfully set up, I logged out and logged back in. However it didn't log in using passkeys because I didn't notice there was a passkeys button and I had to logout again, attempt to login, find the passkeys button this time, and press it. And I have to do this each time I log in! In my opinion many users will not notice this button and will continue to login with passwords that were loaded into their iCloud keychain because the level of effort is identical.

    In my opinion, the process really isn't complete until the user has deleted the password from their iCloud keychain, and the procedure in this article doesn't explain how to do that. The whole point to passkeys is to get rid of passwords, not to supplement passwords with a second system. This article fails to tell users to delete their passwords from their keychain.

    Another omission is that there are several options to choose from when setting up passkeys, and this article doesn't describe them. I didn't want to spend 10 minutes researching them, so I just left the defaults as they were.

    After setting it up, I was able to login using passkeys on my Mac, which is usually where I login to Amazon from. I'm happy and grateful that it's working. But I am surprised and disappointed that the Passkeys experience does not include informing me that I can use passkeys until I have entered my full username into the account login box. I was expecting the login screen to tell me that I can use passkeys to login to my account, including the name of my account. I thought passkeys would automate that part of the process, but it seems that it doesn't. I have to be honest, that's very disappointing. They didn't even use a cookie to pre-populate the account login field. Isn't this what cookies were invented for?

    I'm still happy about Passkeys in general and plan to assist my friends and family use it as it rolls out, but most of them won't understand it. In fact, it takes slightly longer to login using passkeys because the FaceID process actually takes longer to complete than just populating the password field from your keychain. And I'm pretty sure using TouchID would also be slower than using the keychain.
  • Reply 2 of 12
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
  • Reply 3 of 12
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    Stored the way Apple, Google and MS have implemented it I agree you essentially never have direct access to the private key. I can see why they designed it like this essentially to stop people handing over their credentials to all and sundry like they do with passwords.

    In the Apple world at least you don't have to use iCloud Keychain you can store the passkey in anything which implements the correct bits of the autofill API. Right now I know that Strongbox can do this and store the passkey in a Keepass kdbx file. That at least you can access directly and store and more importantly backup wherever you like.

    At that point the usage of the passkey is similar to a sequence of the same entropy stored in keepass except with the advantage that because the passkey relies on a cryptographic transaction it's secure against a bunch of attacks the password isn't.
  • Reply 4 of 12
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    That's not accurate. With Apple operating systems, you can use their new feature for sharing your Passkeys with family or friends. A story on AppleInsider from 4 days ago covers this. It's called "How to Share Passwords [and Passkeys]."
  • Reply 5 of 12
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    That's not accurate. With Apple operating systems, you can use their new feature for sharing your Passkeys with family or friends. A story on AppleInsider from 4 days ago covers this. It's called "How to Share Passwords [and Passkeys]."
    Indeed, yes. And I've seen the extra button when logging into iCloud.com. But there's still something that feels wrong about trusting it. It's a perception thing. I'm all for tech, but as I say, this one just makes me uneasy for some reason. 

    EDIT: It is a bit daft that Apple hides the password field and offers a passkey option when signing on iCloud.com, even if your system doesn't support it. It seems quite a big dollop of encouragement — a hard sell — for something (superior) that might not be supported. 
    edited October 2023
  • Reply 6 of 12
    22july2013 Posts: 3,573 member
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    That's not accurate. With Apple operating systems, you can use their new feature for sharing your Passkeys with family or friends. A story on AppleInsider from 4 days ago covers this. It's called "How to Share Passwords [and Passkeys]."
    Indeed, yes. And I've seen the extra button when logging into iCloud.com. But there's still something that feels wrong about trusting it. It's a perception thing. I'm all for tech, but as I say, this one just makes me uneasy for some reason. 

    EDIT: It is a bit daft that Apple hides the password field and offers a passkey option when signing on iCloud.com, even if your system doesn't support it. It seems quite a big dollop of encouragement — a hard sell — for something (superior) that might not be supported. 
    Thanks for kinda agreeing. And I will kinda agree that there are some issues with storing passkeys on hardware tokens. As you say, they are easy to lose, and even easier to forget to keep up to date if you have token backups. When it comes to I&A, I have as many questions as I have answers. A lot of the issues come down to trust. Do you trust your family? Do you trust the government? Do you trust yourself to maintain your data? Look at how many people use cryptokey brokers instead of managing their own cryptokey accounts. They don't trust themselves to secure their own cryptocoin. If we can't manage our own cryptocoin, how can we manage our own passwords? Conversely, there are probably many people who want to secure their own passwords but don't mind other people securing their cryptocoin. Are you one of those people?
  • Reply 7 of 12
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    That's not accurate. With Apple operating systems, you can use their new feature for sharing your Passkeys with family or friends. A story on AppleInsider from 4 days ago covers this. It's called "How to Share Passwords [and Passkeys]."
    Indeed, yes. And I've seen the extra button when logging into iCloud.com. But there's still something that feels wrong about trusting it. It's a perception thing. I'm all for tech, but as I say, this one just makes me uneasy for some reason. 

    EDIT: It is a bit daft that Apple hides the password field and offers a passkey option when signing on iCloud.com, even if your system doesn't support it. It seems quite a big dollop of encouragement — a hard sell — for something (superior) that might not be supported. 
    Thanks for kinda agreeing. And I will kinda agree that there are some issues with storing passkeys on hardware tokens. As you say, they are easy to lose, and even easier to forget to keep up to date if you have token backups. When it comes to I&A, I have as many questions as I have answers. A lot of the issues come down to trust. Do you trust your family? Do you trust the government? Do you trust yourself to maintain your data? Look at how many people use cryptokey brokers instead of managing their own cryptokey accounts. They don't trust themselves to secure their own cryptocoin. If we can't manage our own cryptocoin, how can we manage our own passwords? Conversely, there are probably many people who want to secure their own passwords but don't mind other people securing their cryptocoin. Are you one of those people?
    I'm firmly in the trust myself and as few others as possible camp. I agree, again, it'll be good to see how this topic plays out...
  • Reply 8 of 12
    Marvin Posts: 15,326 moderator
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    There will be account recovery methods, just like forgotten passwords. If someone loses a device and hasn't backed up passkeys to the cloud, they'd have to recover their accounts with the registered sites. This can be done with emails, SMS.

    If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.

    If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.

    This new system will make it much easier to setup secure logins, people don't have to think up a new minimum length password, capital letters, numbers, special character etc. Just add email address, signup, verify email, save passkey.
  • Reply 9 of 12
    Marvin said:
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    There will be account recovery methods, just like forgotten passwords. If someone loses a device and hasn't backed up passkeys to the cloud, they'd have to recover their accounts with the registered sites. This can be done with emails, SMS.

    If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.

    If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.

    This new system will make it much easier to setup secure logins, people don't have to think up a new minimum length password, capital letters, numbers, special character etc. Just add email address, signup, verify email, save passkey.
    Does Hide My Email work with Passkeys, or do you reveal your email address to the site? Google and my fave AI fail to say: https://www.perplexity.ai/search/92d05095-088f-4dde-9cf6-d683a8253d30?s=u
  • Reply 10 of 12
    Marvin Posts: 15,326 moderator
    Marvin said:
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    There will be account recovery methods, just like forgotten passwords. If someone loses a device and hasn't backed up passkeys to the cloud, they'd have to recover their accounts with the registered sites. This can be done with emails, SMS.

    If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.

    If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.

    This new system will make it much easier to setup secure logins, people don't have to think up a new minimum length password, capital letters, numbers, special character etc. Just add email address, signup, verify email, save passkey.
    Does Hide My Email work with Passkeys, or do you reveal your email address to the site?
    There wouldn't be a need to use the original email address, Passkeys is just a file key instead of a password, everything else works the same.
  • Reply 11 of 12
    Marvin said:
    Marvin said:
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    There will be account recovery methods, just like forgotten passwords. If someone loses a device and hasn't backed up passkeys to the cloud, they'd have to recover their accounts with the registered sites. This can be done with emails, SMS.

    If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.

    If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.

    This new system will make it much easier to setup secure logins, people don't have to think up a new minimum length password, capital letters, numbers, special character etc. Just add email address, signup, verify email, save passkey.
    Does Hide My Email work with Passkeys, or do you reveal your email address to the site?
    There wouldn't be a need to use the original email address, Passkeys is just a file key instead of a password, everything else works the same.
    As you said, “Just add email address, signup, verify email, save passkey.” I assumed you still needed an email. I guess it all might make sense if I tried it. 🙄
  • Reply 12 of 12
    Marvin Posts: 15,326 moderator
    Marvin said:
    Marvin said:
    Not contradicting your post 22, but passkeys make me uneasy. Give me a password that is strong that I store in keychain and I’m in charge of my own destiny (and access to the resource). 

    Lose a device or an invisible crypto passkey and you’re buggered. #luddite  🤷‍♂️ 
    There will be account recovery methods, just like forgotten passwords. If someone loses a device and hasn't backed up passkeys to the cloud, they'd have to recover their accounts with the registered sites. This can be done with emails, SMS.

    If they are backed up to the cloud, locally or synced to multiple devices, it's much less likely people will get locked out.

    If someone has 100 different passwords for all the sites they use and writes them down or uses a password app, losing those backups would have the same effect and would be much worse to recover as you'd have to think up all new passwords x100. Passkeys can be renewed with a click.

    This new system will make it much easier to setup secure logins, people don't have to think up a new minimum length password, capital letters, numbers, special character etc. Just add email address, signup, verify email, save passkey.
    Does Hide My Email work with Passkeys, or do you reveal your email address to the site?
    There wouldn't be a need to use the original email address, Passkeys is just a file key instead of a password, everything else works the same.
    As you said, “Just add email address, signup, verify email, save passkey.” I assumed you still needed an email. I guess it all might make sense if I tried it. 🙄
    Hide My Email gives you an email alias so when you sign up to a service you'd use the alias, not the original address. Then verify the account via the alias.