Updated on 2022-11-21: Passkeys support directory
After it added support for passkeys in its password manager, 1Password has also created a web directory called Passkeys.directory listing all online services currently supporting passkey authentication. Read more: Passkeys & 1Password: The future of passwordless
Updated on 2022-10-27: Ars on Passkeys
Ars Technica has an article explaining Passkeys, Microsoft, Apple and Google’s fledgling implementation of hardware-based secure logon. Passkeys promise to be both easier and more secure for users, as they are resistant to phishing and credential stuffing attacks. We’ve celebrated the arrival of this standard before, but Ars examines how to practically use passkeys right now. Read more: Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
Updated on 2022-10-26: PayPal to support passkeys
After announcements from all major browser vendors, PayPal said it would also add support for passkeys as a way to log into its service. Read more: PayPal Introduces More Secure Payments with Passkeys
“The new PayPal log in option will first be available to iPhone, iPad, or Mac users on PayPal.com and will expand to additional platforms as those platforms add support for passkeys.”
Updated on 2022-10-25: PayPal Adding Passkey Passwordless Login for Apple Devices
PayPal is introducing passkeys for passwordless account login on Apple devices running iOS 16, iPadOS 16.1 or macOS Ventura. PayPal plans to extend passkey availability as other platforms add support for the standard. Apple, Google, and Microsoft have said they plan to support passkeys by early next year.
- PayPal was one of the founding members of the FIDO Alliance; it will be good to see them urge their 200M+ users to move away from reusable passwords.
- At a bare minimum, enable 2FA on your PayPal account. Better still, set up a passkey, particularly if you’re using SMS for 2FA. If you’re wondering what FIDO authentication looks like to an end user, here’s your opportunity.
- Keep in mind that WebAuthn is primarily a convenience feature, not a security measure. It aids security by making it easier to do the safe thing. Its widespread adoption by websites and their users may reduce use and leakage of passwords and their fraudulent reuse. From a security perspective, it substitutes beneficial use of a device, something one has and can use, for entry of a password. It resists the leaky browser problem as relates to credentials, but use of browsers leaves users vulnerable to leakage of other data.
Read more in
- Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
- PayPal ditches passwords, at least on Apple devices
- PayPal Introduces More Secure Payments with Passkeys
Updated in August 2022: 95% of iCloud users have 2FA
Actually some early good news here: Apple says 95% of iCloud users are protected with two-factor authentication. That news lands ahead of the wider rollout of Passkeys, which replace passwords with “digital keys” that are unique to your accounts and stay on your device, and authenticate using your face or fingerprint.
Updated in June 2022: iOS 16 lands with rapid security updates
MacRumors: The next version of iPhone software, iOS 16, comes with several new security features, including rapid security updates that can deliver fixes without having to download a full update. Also included is the new Passkeys feature that big tech giants announced a couple of weeks ago, aimed at killing the password for good. There is also a new Safety Check feature to aid those in abusive relationships which, when activated, can immediately reset an account and app access for all people at once.
Read more in
- Security Fixes Won’t Require Full iOS Update in iOS 16, Will Be Installed Automatically
- Apple Just Killed the Password—for Real This Time
- Apple, Google and Microsoft team up on passwordless logins
- The Safety Check feature in iOS 16 is intended to aid those in abusive relationships
Overview: Apple, Microsoft and Google Will Support Passwordless Authentication
Microsoft, Apple, and Google have announced that they will implement standards developed by the FIDO Alliance and World Wide Web Consortium (W3C) intended to eliminate passwords. The new standards will allow users to authenticate with PINs or biometric information.
- This is by far the most promising effort to solve the authentication challenge. In my opinion, the most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators. If you haven’t done so yet: Look into what it will take to integrate these standards with your web application.
- Great to see, but most previous attempts at getting standards to be agreed upon and implemented by these “big three” have failed. I think this has a much better chance of success. Fewer passwords in use are better than more, but it is important to see the protocols and implementations thoroughly pounded on by researchers before any releases.
- Adoption of new stronger authentication technology can be hastened by it being easier and faster than the old technology. The new standards from FIDO and W3C being implemented in Office, Azure, iPhones, Chrome, Gmail, and iCloud are intended to do just that, enabling access to existing passkeys, allowing mobile devices to be used for authentication on a nearby computer. It’s time to see where these activities lie on your IDP or service provider’s roadmap to build a path forward towards passwordless authentication for your users.
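What integrating these standards asks of a web application on the server side, as an added example (not code from the linked articles or from any vendor named here): the checks a relying party makes on a WebAuthn login response before it verifies the signature, including the origin check that rejects a response produced on a phishing site. The origin `https://shop.example`, the helper names and the sample values are constructed for illustration.

```javascript
// Added example; origin, names and sample values are constructed assumptions.
const EXPECTED_ORIGIN = "https://shop.example";
const CHALLENGE = Buffer.from("constructed-challenge-0001");
const b64url = (buf) => Buffer.from(buf).toString("base64url");

// clientDataJSON is written by the browser, so `origin` is the site the user
// is really on; a look-alike phishing origin cannot produce a matching value.
function checkClientData(clientDataJSON, expectedChallenge) {
  const c = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong-type";
  if (c.challenge !== b64url(expectedChallenge)) return "challenge-mismatch";
  if (c.origin !== EXPECTED_ORIGIN) return "origin-mismatch";
  return "ok";
}

// authenticatorData layout: 32-byte rpIdHash | 1 flags byte | 4-byte counter.
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,   // UP bit
    userVerified: (flags & 0x04) !== 0,  // UV bit: PIN or biometric was used
    signCount: authData.readUInt32BE(33),
  };
}

function checkAssertion(resp, expectedChallenge, storedSignCount) {
  const cd = checkClientData(resp.clientDataJSON, expectedChallenge);
  if (cd !== "ok") return cd;
  const ad = parseAuthData(resp.authenticatorData);
  if (!ad.userPresent) return "user-not-present";
  if (!ad.userVerified) return "user-not-verified";
  // A counter that fails to increase can indicate a cloned credential;
  // authenticators that always report 0 are exempt.
  if ((ad.signCount || storedSignCount) && ad.signCount <= storedSignCount)
    return "counter-regression";
  return "ok";
}

// Builds a constructed login response for the checks above.
function sample(origin, flags, count, challenge = CHALLENGE) {
  const authenticatorData = Buffer.alloc(37);
  authenticatorData[32] = flags;
  authenticatorData.writeUInt32BE(count, 33);
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge: b64url(challenge), origin }));
  return { clientDataJSON, authenticatorData };
}
console.log(checkAssertion(sample("https://shop.example.evil.test", 0x05, 8), CHALLENGE, 7));
```

A production relying party goes on to compare the rpIdHash with the SHA-256 of its RP ID and to verify the signature with the credential's stored public key, normally through a maintained WebAuthn library.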