Why this tech is better than passwords, and how to switch

There’s a safer way to log in to apps and websites that removes the need to use passwords. It’s called a passkey, and companies such as Microsoft, Amazon, Apple and Google, among many others, have already adopted the new technology.

Unlike a password, a passkey relies on a string of encrypted data stored in your phone or laptop and verification from you, through a face scan, a fingerprint scan or a PIN code, to access a website or app. There’s no exchange of a password at all.

“A passkey is a FIDO credential stored on your computer or phone, and it is used to unlock your online accounts,” Google wrote in an October blog post, referring to the new standard developed by the Fast IDentity Online, or FIDO, Alliance. “It works using public key cryptography and proof that you own the credential is only shown to your online account when you unlock your phone.”

The move toward passkeys comes as our digital privacy gets harder to protect, particularly as people need to remember more and more passwords. A recent Pew Research survey showed that almost 70% of Americans are stressed about the number of passwords they need to remember.

Companies also have an incentive to adopt passkeys. When their customers fall victim to cyberattacks, companies can face expensive bills, or sometimes millions of dollars in fines if customer data is affected, to clean up the mess. Passkeys can cut the odds of that happening.

“The main thing they’re about is preventing somebody over the internet from stealing your passwords through phishing,” Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, told CNBC.

Hoffman-Andrews said passkeys are better than passwords even if you use a password manager, which helps you keep track of all your logins, because those apps often let you copy/paste a password. “If a phisher can trick you into copy/pasting, game over. With the passkey, it won’t let you copy/paste it.”

Phishing is a fraud in which attackers try to trick people into giving out personal information, often through phone calls or emails, and then use that information to access an account.

“Password-based attacks are becoming easier and easier and more and more common,” said Steve Won, chief product officer at 1Password, which has adopted passkeys.

Bottom line: Passkeys are better than passwords at protecting your personal information.

I set up passkeys for myself on Google, Amazon and Apple in just a few steps, so I’ll show you how to do the same. Make sure you own the device on which you’re setting up a passkey. I created the passkeys using my iPhone, but you can do it from a computer or Android phone by following similar steps.

• Open your browser, navigate to https://myaccount.google.com/ and log in.
• Choose “Security.”
• Select “Passkeys” under the section “You can add more sign-in options.”
• Type in your password to verify that it is your account.
• It will take you to a page that says “Create a passkey.”
• You’ll get an overview of passkeys, and Google will ask if you want to use a face scan (Google says there are also fingerprint and PIN options).
• If you choose a face scan — as I did, since I was using my phone — press “Continue” and look into the camera.
• Once it scans your face, it will say “Passkey created.”
• The next time you log in, Google will ask if you want to use your passkey. Press continue to scan your face and then you’ll be logged in.

• Go to Amazon’s website and log in as usual.
• Tap your name on the top-right of the page to open a drop-down menu.
• Go to “Your Account” and choose “See all account.”
• Then go to “Account Settings” and select “Login & security.”
• Press “Set up” on the bar that says “Passkey.”
• Press the yellow bar that reads “Set up.”
• I was again using my phone, so it prompted me to use a face scan to create the passkey. Press “Continue.”
• Next time you sign in to Amazon, it will ask if you want to sign in with a passkey.

• You need to have a device running iOS 17 or Sonoma software to set up a passkey with your Apple ID. You can check whether you need to update by going to General > Settings > About.
• Then visit https://appleid.apple.com/
• Press “Sign in” and then enter your email or phone number. Hit the arrow on the right side.
• You will see a bar that says “Sign in with Passkey.” Press that.
• You can choose how you want to access that passkey. I chose Face ID. Press continue.
• Once it scans your face, you are all set with a passkey you can use for the future.
• Apple devices store your passkeys in your iCloud Keychain with your passwords.

If you lose your device with your passkeys, you can still recover your account and, in many cases, delete the passkeys on the lost device. Here’s what you do:

• Follow the same steps to get back to the passkey section of your account for whatever website you want to remove them from.
• The sites have a prompt within the passkeys that you can press to delete them.
• Repeat the steps to make a new passkey on your new device.

Lots of other websites and apps support passkeys for logins too, including Microsoft, Uber, Nvidia, Nintendo and TikTok, so dig around and turn that option on if you want a safer alternative to using a password.