Last May, Futura explained that Microsoft, Google and Apple had agreed to put an end to the password (see article below) and replace it with a universal solution, such as a PIN or the biometric sensors present on devices (fingerprint, facial recognition, etc.). Apple will be the first to move, integrating this capability with the rollout of iOS 16 today, then within a month with macOS Ventura. At Apple, the feature is called Passkey. This new “open sesame” lets you sign in easily to apps and web services, and even create new accounts, without having to generate a complex password and memorize it. In other words, it is the beginning of the end for passwords and, ultimately, perhaps also for the now-essential password managers.

The famous sesame is replaced by a pair of encryption keys that will be synced to iCloud Keychain. If you already have an account with credentials for a service or application, you will first need to log in with those credentials. Only then can you use the Passkey to replace them. On the other hand, if you create a new user account, you can generate the Passkey directly.

Reinforcing biometrics

Gone are ridiculously simple passwords such as the famous 12345678, but the principle will remain the same. The Passkey relies on the FIDO protocol, which was developed by the alliance resulting from the agreement between the tech giants, in particular Apple, Microsoft and Google. It will therefore not be specific to the Apple brand and will also work for other services, such as Meta or Amazon, for example. Until Futura can test iOS 16 and this specific function, Apple’s demonstrations show that a message is displayed asking whether you want to save a password. From then on, the device prompts you to use Face ID, Touch ID or another method of authentication to generate the Passkey.

According to a report by cybersecurity specialist Verizon, in 80% of cases the hacking of an account stems from a weak, easily guessed password. There are good password managers that reinforce security by memorizing complex passwords that are impossible to remember. But soon we will be able to rely on the fruit of a rather unexpected alliance between Apple, Google and Microsoft to strengthen security.

The three high-tech giants have joined forces to integrate secure, passwordless identification on mobiles, on computers and in browsers. They are going to make their products support the passwordless login standard of the FIDO Alliance (Fast IDentity Online) and the World Wide Web Consortium. A fingerprint, face scan or PIN code will be the new universal sesame to unlock your device and find your data.

An alliance of convenience to strengthen security

The system will be all the more practical because, if you change smartphones, for example, you will not need to log in the first time using your password and username. It has been a while since the three companies integrated the components needed to support the FIDO2 standard but, for now, it is still mandatory to log in to accounts at least once by entering credentials.

With the new system and its unique identifier activated by biometrics, for example, it will be very difficult for hackers to take over a user’s account. According to the trio, this passwordless standard will be implemented within a year and will work equally on macOS and its Safari browser, Android with Chromium, or Windows and Edge.

No more passwords? The “passkeys” explained in three questions

No more passwords scribbled on a piece of paper? Apple, Microsoft and Google intend to replace them with “passkeys” (which can be translated as “access keys”), a system that has been in the making for years.

iPhones open up to passkeys on Monday, September 12, with the release of their new operating system, iOS 16, and Apple computers will follow in October, with the arrival of the new macOS Ventura operating system. Windows, for its part, is already able to exchange “passkeys” with iOS, while its publisher Microsoft says it intends to add all the additional passkey functionality soon. As for Google, the company wants to “allow developers to use” this technology on Android by the end of 2022. The stakes are high for users, since the software of these three companies runs on the overwhelming majority of computers and smartphones in circulation.

The weaknesses of the password are now well known: many users choose passwords that are too simple and that specialized software manages to guess, use the same passwords for many services, or inadvertently hand them to hackers by falling for phishing campaigns. Access keys, which everyone will be offered more and more often instead of the traditional password when creating an account on a site or an application, are supposed to solve these problems. Explanations.

How do passkeys work?

With passkeys, to register on a service, an application or a site (a merchant, for example), you must use a device that belongs to you: a smartphone, a computer or a tablet. At the time of registration, the smartphone creates two cryptographic keys, unique and specific to each service. On one side is the private key, which remains on the smartphone; on the other is the public key, held by the site or application in question.

Subsequently, with each connection attempt, the service poses a kind of riddle to the smartphone, a “challenge” that only it can solve thanks to its private key. Once this “challenge” has been solved, to finalize the connection, the user must give his approval and prove that he is indeed the owner of the smartphone, for example by placing his finger on the fingerprint reader, presenting his face, typing a PIN or drawing a pattern on the screen.

Once the account is initialized, the private key joins a keychain containing all the passkeys created for each service used, housed in the smartphone and, this is one of the great novelties, in an online storage space: Google Drive, Apple’s iCloud, or Microsoft’s OneDrive, depending on the software that runs on the device. The passkeys will therefore be accessible to all devices sharing the same ecosystem, for example a user’s iPhone, iPad and MacBook. They will be housed in an encrypted online space that no one except the user can open.
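The registration and challenge exchange described above, as an added example that is not code from Apple, Google, Microsoft or the FIDO Alliance: a simplified Node.js model, not the real FIDO2/WebAuthn message format. The names `Device`, `Service`, `shop.example`, `sh0p.example` and `alice` are constructed for illustration.

```javascript
// Added illustration: a simplified model, NOT the real WebAuthn/FIDO2 message format.
const crypto = require('node:crypto');

class Device {                                   // the user's smartphone
  constructor() { this.keychain = new Map(); }   // serviceId -> private key
  register(serviceId) {
    // A fresh key pair per service; only the public half is handed out.
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keychain.set(serviceId, privateKey);
    return publicKey;
  }
  // userApproved stands in for the fingerprint, face or PIN check.
  answer(serviceId, challenge, userApproved) {
    const key = this.keychain.get(serviceId);
    if (!key || !userApproved) return null;
    return crypto.sign('sha256', Buffer.concat([Buffer.from(serviceId), challenge]), key);
  }
}

class Service {                                  // the site or application
  constructor(id) { this.id = id; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);    // the "riddle"
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                   // each challenge is single-use
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.id), challenge]);
    return crypto.verify('sha256', signed, publicKey, signature);
  }
}
function demo() {
  const phone = new Device();
  const shop = new Service('shop.example');      // constructed sample name
  shop.enroll('alice', phone.register(shop.id));
  const sig = phone.answer(shop.id, shop.newChallenge('alice'), true);
  const ok = shop.verify('alice', sig);
  shop.newChallenge('alice');
  const replayed = shop.verify('alice', sig);    // old answer, new challenge
  const declined = phone.answer(shop.id, shop.newChallenge('alice'), false);
  const lookalike = phone.answer('sh0p.example', crypto.randomBytes(32), true);
  return { ok, replayed, declined, lookalike };
}
```

The service stores only public keys, so a leak of its database exposes nothing that can answer a challenge, and the device has no key to offer a service name it never registered with.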

Can passkeys be shared between Google, Microsoft, and Apple?

Yes. Passkeys can travel across ecosystems but, unfortunately, they don’t sync automatically between Apple, Microsoft, and Google clouds. You have to transfer each of them manually.

Consider the scenario of someone who has signed up for a new service on their iPhone, which now stores the corresponding passkey. This individual cannot connect to the same service on his Windows computer, since it does not belong to the same ecosystem: it cannot receive this passkey via iCloud. Moreover, he cannot connect to this service from a loved one’s MacBook either, even if it belongs to the same ecosystem, since this computer is signed in to a different iCloud account from his.

However, when the user opens the service’s website on one of these computers, he is offered the option of displaying a QR code, which constitutes a sort of connection request. He can then scan this QR code with his smartphone, in which the passkey is stored. The smartphone automatically checks that the computer is nearby, via a Bluetooth wireless connection, to ensure that the request does not come from a hacker operating remotely. It only remains for the individual to approve the authentication, as in the procedure described previously, for example by placing his finger on the fingerprint reader.

The QR code scenario will be similar each time the user needs to connect across two different ecosystems, for example to a Windows computer with an Android phone, or to an Android phone with a Mac computer.

For convenience, at the end of this procedure, many services offer to create a new passkey for the computer that did not have one, to avoid repeating this laborious procedure with each new connection. Contacted by Le Monde, Google and Microsoft also confirm that they are working to open up the management of passkeys to third-party players, such as publishers of password managers like LastPass or Dashlane. These could store the passkeys in their own cloud and make them accessible across different ecosystems.
