
The days are numbered for passwords as passkeys are coming this year

Apple demonstrated passkeys at its Worldwide Developer Conference a few days ago and said they will be coming to iOS 16 and macOS Ventura this fall

Mathures Paul Published 17.06.22, 02:07 AM

The technology behind Passkeys is far more secure than the one behind passwords. Picture: Apple

Passkeys. The word will become increasingly important in the coming months. To offer context, passwords, as many of you may be aware, are unsafe and difficult to remember. We end up using the same two or three passwords for everything. Second, phishing attacks, which mimic legitimate websites to steal passwords, keep happening. Third, we tend to reuse passwords. Sorry if the account with the password “54321hello” got breached; it was an easy target. What’s coming up are Passkeys, and with them you will also hear of FIDO.

Apple demonstrated Passkeys at its Worldwide Developer Conference a few days ago and said they will be coming to iOS 16 and macOS Ventura this fall. Passkeys will replace the keystrokes that are associated with passwords. At the heart of Passkeys is a biometric check. Based on the Web Authentication API (WebAuthn), Passkeys are stored on-device rather than on a web server. So, nobody can hack a server to get passwords. The password replacement uses Touch ID or Face ID for biometric verification. An app or website you are logging into will need to request your phone to authenticate you.


Passkeys are perhaps easier to use than passwords, and they do away with the complications of two-factor authentication, like SMS codes, which simply give passwords a layer of security. The technology generates unique Passkeys for each browser-based service, so there is no fear of overlapping. If it really becomes the standard, then hackers getting access to servers won’t find any Passkeys to steal, and phishing won’t be possible because there is no password you can share.

At WWDC, Apple’s vice-president of Internet technologies, Darin Adler, called passkeys a “next generation credential that’s more secure, easier to use, and aims to replace passwords for good”, which is a simple but solid explanation.

A deeper look at the technology shows that the Web Authentication standard uses a cryptographic principle called public-key cryptography to secure your accounts. Instead of a password for an account, the device can create a unique pair of related keys: a public key and a private key. Working together, the two allow a website or app to verify your account. The private key is not required to be shared with the server; your device can authenticate without revealing it.
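
The key-pair sign-in described above, as an added example that is not from the article or from Apple: a simplified Node.js model of the challenge-response exchange, not the real WebAuthn API. The function names and the `.test` origins are constructed for illustration.

```javascript
// Simplified model of a passkey sign-in (not the real WebAuthn API; names are hypothetical).
const nodeCrypto = require("node:crypto");

// Device: create a key pair for one site. Only the public key is sent to the server.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { privateKey, publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) };
}

// Server: issue a fresh random challenge for every sign-in attempt and remember it.
function newChallenge(pending) {
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  pending.add(challenge);
  return challenge;
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(passkey, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), passkey.privateKey) };
}

// Server: accept only a known, unused challenge, the expected origin and a valid signature.
function verifyAssertion(publicKeyPem, expectedOrigin, pending, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (!pending.delete(data.challenge)) return "unknown-or-replayed-challenge";
  if (data.origin !== expectedOrigin) return "origin-mismatch";
  const valid = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
  return valid ? "ok" : "bad-signature";
}

function demo() {
  const site = "https://shop.example.test"; // constructed origin
  const passkey = createPasskey();
  const pending = new Set(); // server-side store of outstanding challenges
  const genuine = signAssertion(passkey, newChallenge(pending), site);
  const lookalike = signAssertion(passkey, newChallenge(pending), "https://shop.example-login.test");
  const otherDevice = signAssertion(createPasskey(), newChallenge(pending), site);
  return {
    genuine: verifyAssertion(passkey.publicKeyPem, site, pending, genuine),
    replay: verifyAssertion(passkey.publicKeyPem, site, pending, genuine),
    lookalike: verifyAssertion(passkey.publicKeyPem, site, pending, lookalike),
    wrongKey: verifyAssertion(passkey.publicKeyPem, site, pending, otherDevice),
  };
}

console.log(demo());
```

The server stores only the public key, so a copy of its database gives nothing that can produce a valid signature, and a response signed on a lookalike origin or replayed from an earlier sign-in is rejected.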

The Passkeys will be synced between your devices using the end-to-end encrypted iCloud Keychain. Even Apple won’t have access to your private keys. And rogue players can’t access the codes or hack the iCloud Keychain servers.

The other word is an acronym: FIDO. On May 5, or World Password Day, this year, Apple, Google and Microsoft announced that they had committed to building support for password-less sign-in across all platforms. The cross-platform functionality is being made possible by a standard called FIDO or Fast IDentity Online. A user’s phone can store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked.

Of course, there are plenty of questions that remain unanswered, like how does one give family members access to the accounts that come with Passkey and how does one leave behind the access in case of death.

What is more important is that Passkeys have a chance at giving online security a giant leap. This will also be important for non-tech-savvy users who simply don’t want technology that’s difficult to handle.
