Updated on 2022-12-12: Chrome passkeys support
Google has added formal support for the passkeys authentication mechanism to its Chrome web browser through an update released last week. Passkeys are an industry standard that allows users to log into apps or websites with a cryptographic token instead of entering a password. Passkeys support is now available for Chrome running on Android, macOS, and Windows 11. Users can view and manage passkeys via the following Chrome settings URL:
chrome://settings/passkeys
Updated on 2022-12-08: Google is Now Rolling Out Passkey Support
Google has started rolling out support for passkeys to the stable version of its Chrome browser, Chrome Stable M108, which is available for Windows, macOS, and Android. Google introduced passkeys in Chrome beta in October.
Note
- Passkey is important not just as a more secure authentication scheme, but also as a more usable one. Having multiple popular browsers provide a similar user experience will make it much easier to support Passkeys. Now we just need to make it easy enough to implement for your average web app developers.
- Apple, Google and Microsoft all adding walk to the talk about strong authentication and Passkeys has turned the first tumbler on the “lock” that has been stymying progress in moving beyond reusable passwords. The app dev/DevOps infrastructure embracing and enabling Passkeys being built in as the default choice needs to be next, followed by interoperability testing across iOS, Android, Linux and Windows platforms to identify and fix bugs/vulnerabilities in early implementations.
- Having built-in support for authentication techniques, such as Passkeys, can make or break the use of them. If you’re uncertain, ask your colleagues about which browsers work best with smart card enabled applications, possibly saving questions about mobile devices for later. Not only is Google making this native to the desktop app, but they are also including support in Mobile, which is a big win for a successful rollout. As you enable applications to support passkeys and other strong authentication mechanisms, make sure the users have a low-friction way of using those authenticators as well as fall back to other equivalent mechanisms, not passwords.
- Wonderful news. That said, don’t count out the ability of the password to survive for several more years. There are still a billion or so Windows 10 users that will need to transition to Windows 11.
- Passkeys have the potential to revolutionize authentication for people as it’s both very simple (from the human perspective there is no memorization and is biometrics based) and extremely strong (think ‘phishing resistant MFA’). In this announcement Google is not stating that Google websites support passkeys but Google Chrome browser now supports using Chrome to authenticate with passkeys. While exciting, passkeys are not fully baked yet in the full Internet ecosystem. So if you are an early adopter, go for it! However, this is not something I would be training my workforce yet for their personal use. Hoping to see all the bugs worked out and full ‘ecosystem’ adoption in 2023. For more on Passkeys and phishing resistant MFA – www.sans.org: What is Phishing Resistant MFA?
- This addresses the user side; we need implementation on the application side.
Read more in
- Introducing passkeys in Chrome
- RIP Passwords? Passkey support rolls out to Chrome stable
- Google Adds Passkey Support to Chrome for Windows, macOS and Android
Updated on 2022-11-21: Passkeys support directory
After it added support for passkeys in its password manager, 1Password has also created a web directory called Passkeys.directory listing all online services currently supporting passkey authentication. Read more: Passkeys & 1Password: The future of passwordless
Updated on 2022-10-27: Ars on Passkeys
Ars Technica has an article explaining Passkeys, Microsoft, Apple and Google’s fledgling implementation of hardware-based secure logon. Passkeys promise to be both easier and more secure for users, being resistant to phishing and credential stuffing attacks. We’ve celebrated the arrival of this standard before, but Ars examines how to practically use passkeys right now. Read more: Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
Updated on 2022-10-26: PayPal to support passkeys
After announcements from all major browser vendors, PayPal said it would also add support for passkeys as a way to log into its service. Read more: PayPal Introduces More Secure Payments with Passkeys
“The new PayPal log in option will first be available to iPhone, iPad, or Mac users on PayPal.com and will expand to additional platforms as those platforms add support for passkeys.”
Updated on 2022-10-25: PayPal Adding Passkey Passwordless Login for Apple Devices
PayPal is introducing passkeys for passwordless account login on Apple devices running iOS 16, iPadOS 16.1 or macOS Ventura. PayPal plans to extend passkey availability as other platforms add support for the standard. Apple, Google, and Microsoft have said they plan to support passkeys by early next year.
Note
- PayPal was one of the founding members of FIDO Alliance; it will be good to see them urge their 200M+ users to move away from reusable passwords.
- At a bare minimum enable 2FA on your PayPal account. Better still, set up a passkey, particularly if you’re using SMS for 2FA. If you’re wondering what FIDO authentication looks like to an end-user – here’s your opportunity.
- Keep in mind that WebAuthn is primarily a convenience feature, not a security measure. It aids security by making it easier to do the safe thing. Its widespread adoption by websites and their users may reduce use and leakage of passwords and their fraudulent reuse. From a security perspective, it substitutes beneficial use of a device, something one has and can use, for entry of a password. It resists the leaky browser problem as relates to credentials but use of browsers leaves users vulnerable to leakage of other data.
Read more in
- Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
- PayPal ditches passwords, at least on Apple devices
- PayPal Introduces More Secure Payments with Passkeys
Updated on August 2022: 95% of iCloud users have 2FA
Actually some early good news here: Apple says 95% of iCloud users are protected with two-factor authentication. That news lands ahead of the wider rollout of Passkeys, which replace passwords with “digital keys” that are unique to your accounts and stay on your device, and authenticate using your face or fingerprint.
Updated on June 2022: iOS 16 lands with rapid security updates
MacRumors: The next version of iPhone software, iOS 16, comes with several new security features, including rapid security updates that can deliver fixes without having to download a full update. Also included is the new Passkeys feature that big tech giants announced a couple of weeks ago aimed at killing the password for good. Plus, a new safety check feature that can aid those in abusive relationships, which when activated can immediately reset an account and app access for all people at once.
Read more in
- Security Fixes Won’t Require Full iOS Update in iOS 16, Will Be Installed Automatically
- Apple Just Killed the Password—for Real This Time
- Apple, Google and Microsoft team up on passwordless logins
- The Safety Check feature in iOS 16 is intended to aid those in abusive relationships
Overview: Apple, Microsoft and Google Will Support Passwordless Authentication
Microsoft, Apple, and Google have announced that they will implement standards developed by the FIDO Alliance and World Wide Web Consortium (W3C) intended to eliminate passwords. The new standards will allow users to authenticate with PINs or biometric information.
Note
- This is by far the most promising effort to solve the authentication challenge. In my opinion, the most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators. If you haven’t done so yet: Look into what it will take to integrate these standards with your web application.
- Great to see, but most previous attempts at getting standards to be agreed upon and implemented by these “big three” have failed. I think this has a much better chance of success. Fewer passwords in use are better than more, but important to see the protocols and implementations thoroughly pounded on by researchers before any releases.
- Adoption of new stronger authentication technology can be hastened by it being easier and faster than the old technology. The new standards from FIDO and W3C being implemented in Office, Azure, iPhones, Chrome, Gmail, and iCloud are intended to do just that, enabling access to existing passkeys, allowing mobile devices to be used for authentication on a nearby computer. It’s time to see where these activities lie on your IDP or service provider’s roadmap to build a path forward towards passwordless authentication for your users.
Read more in
- Microsoft, Apple, Google accelerate push to eliminate passwords
- Google, Apple, Microsoft make a new commitment for a “passwordless future”
- Microsoft, Apple, and Google to support FIDO passwordless logins