close
close

Replace passwords with access keys for easier login.

Replace passwords with access keys for easier login.

LONDON (AP) — If you’re tired of remembering passwords, try passkeys.

You may have noticed that many online services now offer the ability to use passkeys, a digital authentication method touted as an easier and more secure way to log in. Google started accepting them about 18 months ago.

Access keys are considered as possible password replacementbut if you’re still not sure what they’re about, read on:

What are access keys? And how do they work?

Forget about remembering an optimized 14-character password consisting of letters, numbers and symbols. Passkeys will do away with that because you’ll never have to see them. Instead, you use existing biometrics, such as your face or fingerprints, digital patterns or PINs, to access your accounts.

Access keys are made up of two pieces of code that only make sense when they are combined, like a digital key and a lock. You keep half of the encrypted code, usually stored either in the cloud with a compatible password manager or on a physical security key. The other half is stored in participating apps, services or accounts that you want to access.

For example, when you want to log into your Gmail account, both pieces of code will directly communicate with each other and grant you access.

Do they provide better security?

The passkey will not work with any website other than the one for which it was created, eliminating the security risks associated with traditional passwords.

This means that phishing scams will not be able to trick you into entering your details into a fake login page for your bank. And because access keys use cryptographic security, they also can’t hack your account by trying or guessing passwords discovered in previous data breaches.

Where can I use access keys?

About 20% of the world’s 100 largest websites now accept access keys, said Andrew Shikiar, CEO of the FIDO Alliance, an industry group that developed the core authentication technology behind access keys.

Passkeys first came to public attention when Apple added the technology to iOS in 2022. Google launched using them in 2023. Many other companies now work with passkeys, including PayPal, Amazon, Microsoft and eBay. Eat list on the FIDO Alliance website.

However, some popular sites such as Facebook and Netflix have not yet started using them.

Passkey’s technology is still in the “early adoption” stage, but “it’s only a matter of time before more and more sites start offering it,” Shikiar said.

How to set a password

I tried setting up passwords for some of the main online services I use. For some it was quite easy, but for others it was confusing. Shikiar said his group is constantly working on ways to improve the user experience.

Google users can go to myaccount.google.com and under “How to sign in to Google,” click “Passcode and Security Keys.” Once I reached the setup screen, I was prompted to create a passkey, while my password manager’s browser plugin appeared prompting me to save it. I clicked the “Confirm” button and all the setup work was done automatically.

Pretty easy so far.

I then tried adding additional Google access keys to my work Windows laptop and Yubiko physical security key. This time, when I went to the Google setup screen, it asked for an existing passkey to verify my identity. But then for some reason it failed to authenticate through my password manager.

I tried again using other verification methods, including the Google authenticator app I already had on my iPhone, and it eventually worked.

Adding multiple access keys to my Microsoft account – one in my password manager, the other in my Yubico key – had to scratch my head over a few clues, but I figured it out eventually.

Settings LinkedIn access keys And Amazon it was much easier. And when I tried to add a password to my whatsapp account, I discovered that I had apparently already created it a month earlier when I activated the app lock feature that required a fingerprint scan.

Login

Once set up, logging into some of my accounts was as easy as one or two clicks. But there are some issues with my PayPal account because its passkeys don’t work in some browsers like Firefox.

When I tried to log in with my Amazon password, it asked for a one-time verification code from my authentication app, which confused me because I thought passkeys were supposed to eliminate the need for multi-factor authentication.

Shikiar said it depends on the site, but theoretically there is enough security built into the access key.

“When the primary factor is resistant to phishing, other factors are not needed,” he said.

What happens if I lose my passkey?

If you lose the device containing your passkey, it doesn’t necessarily mean it’s gone. This is because the typical method for storing passkeys on phones is through a cloud-based password manager from Apple, Google, or third-party providers. So just log into your password manager again from another phone or computer.

On the other hand, access keys stored on security keys are not synchronized with the cloud, so there is no way to recover them if they are lost. It would be a good idea to get a second hardware key and keep it as a backup.

And don’t forget that you can always combine cloud and hardware methods to store multiple access keys for added redundancy.

Should I add access keys to all my accounts?

In my experience, setting up a password can be simple or tedious and confusing, depending on the service and what other security technology you want to implement.

So I wouldn’t recommend doing all your accounts at once.

Instead, select a few of your most important and frequently used services or accounts and focus on setting them up correctly.

What about my passwords?

In theory, you can delete your old passwords. Some services, such as Microsoft, already offer this option. Shikiar says this should be a “personal preference” because “some people might be very nervous” about giving up a password.

“It’s okay to save your password, but make sure it’s also set up for multi-factor authentication,” he said.