Replacing passwords with passkeys for an easier login experience

LONDON — If you’re tired of remembering passwords, try passkeys.

You may have noticed that many online services now offer the option to use passkeys, a digital authentication method touted as an easier, more secure way to log in. Google started accepting them about 18 months ago.

Passkeys are seen as an eventual replacement for passwords, but if you’re still not sure what they are, read on:

Forget about remembering an optimized 14-character password made up of letters, numbers and symbols. Passkeys do away with this because you never need to see them. Instead, you use existing biometric data such as your face or fingerprint, digital patterns or PINs to access your accounts.

Passkeys are two parts of a code that only make sense when combined, much like a digital key and a padlock. You keep one half of the code encrypted, usually stored either in the cloud with a compatible password manager or on a physical security dongle. The other half is stored with the participating apps, services or accounts you want to access.

When you want to connect to your Gmail account for example, the two parts of the code will then communicate directly with each other and give you access.

A passkey will not work with any website except the one for which it was created, eliminating the security risks associated with traditional passwords.

This means bad actors running phishing scams won’t be able to trick you into entering your details on a copied login page from your bank. And because passkeys use cryptographic security, attackers also can’t force their way into your account by trying or guessing passwords exposed in previous data breaches.
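The two halves and the site binding described above can be modelled in a few lines of Node.js. This is an added example, not code from the article or from the FIDO Alliance, and it is a simplified model rather than the real WebAuthn message format; the function names and the two sample origins are constructed for illustration.

```javascript
const crypto = require('crypto');

// Registration: the authenticator makes a key pair tied to one site.
function registerPasskey(rpOrigin) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    authenticator: { rpOrigin, privateKey }, // private half stays with the user
    serverRecord: { rpOrigin, publicKey },   // public half is stored by the site
  };
}

// The site issues a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Client side: the browser supplies the origin the page really has, and the
// authenticator only signs for the site the passkey was created for.
function signAssertion(authenticator, challenge, pageOrigin) {
  if (pageOrigin !== authenticator.rpOrigin) return null; // no passkey for this site
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  const signature =
    crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server side: check origin, challenge freshness, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== serverRecord.rpOrigin) return false;   // look-alike site
  if (data.challenge !== expectedChallenge) return false;    // replayed response
  return crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

// Constructed sample origins (not from the article).
const SITE = 'https://bank.example';
const LOOKALIKE = 'https://bank-login.example';
const reg = registerPasskey(SITE);
const challenge = newChallenge();
const genuine = signAssertion(reg.authenticator, challenge, SITE);
console.log('genuine site:', verifyAssertion(reg.serverRecord, challenge, genuine));
console.log('look-alike page:', signAssertion(reg.authenticator, challenge, LOOKALIKE));
```

Because the site stores only the public half, a breach of its database exposes nothing that can be used to log in, which is the contrast with leaked passwords drawn above.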

About 20% of the world’s 100 largest websites now accept passkeys, said Andrew Shikiar, CEO of the FIDO Alliance, an industry group that developed the core authentication technology behind passkeys.

Passkeys first gained public attention when Apple added the technology to iOS in 2022. They gained popularity after Google started using them in 2023. Now many other companies, including PayPal, Amazon, Microsoft and eBay, work with passkeys. There is a list on the FIDO Alliance website.

However, some popular sites like Facebook and Netflix have not yet started using them.

Passkey technology is still in its “early adoption” phase, but “it’s only a matter of time until more and more sites start offering it,” Shikiar said.

I’ve been trying to set up passkeys for some of the major online services I use. It was easy enough for some but confusing for others. Shikiar said his group is constantly working on ways to improve the user experience.

Google users can go to myaccount.google.com and, under “How to sign in to Google”, click “Passkeys and security keys”. Upon reaching the setup screen, I received a prompt to create a passkey while simultaneously my password manager’s browser plugin appeared, offering to save it. I clicked to confirm and the configuration work was done automatically.

So far it’s pretty easy.

Then I tried adding more Google passkeys to my Windows work laptop and a Yubico physical security key. This time, when I got to the Google setup screen, it asked for my existing password to confirm my identity. But then authentication through my password manager failed.

I tried again using other verification methods, including my Google authenticator app that I already had on my iPhone, and it was finally successful.

Adding multiple passkeys to my Microsoft account – one on my password manager, another on my Yubico stick – involved some thinking about a few prompts, but I finally figured it out.

Setting up passkeys on LinkedIn and Amazon was much easier. And when I tried to add a passkey to my WhatsApp account, I discovered that I had apparently already created one a month earlier when I activated the app lock feature requiring fingerprint scanning.

Once set up, it was a breeze to log into some of my accounts with just a click or two. But there was some friction with my PayPal account because its passkeys didn’t work on some browsers, like Firefox.

When I tried to sign in with my Amazon passkey, it asked for a unique verification code from my authenticator app, which confused me because I thought passkeys were supposed to eliminate the need for multi-factor authentication.

Shikiar said it depends on the site, but, in theory, the passkey is already sufficiently protected.

“When the main factor cannot be phished, other factors are not necessary,” he said.

If you’ve lost the device containing your passkey, that doesn’t necessarily mean it’s gone. That’s because the typical method for storing passkeys on phones is a cloud-based password manager from Apple, Google, or third-party providers. So all you have to do is log in to the password manager again from another phone or computer.

On the other hand, passkeys stored on security dongles are not synchronized with the cloud, so there is no way to recover them if lost. It would be a good idea to obtain a second hardware key and keep it as a backup.

And remember, you can always mix cloud and hardware methods to maintain multiple passkeys for additional redundancy.

In my experience, setting up a passkey can be easy, or tedious and confusing, depending on the service and other security technologies you want to integrate.

So I wouldn’t recommend doing all your accounts right away.

Instead, choose a few of your most important and frequently used services or accounts and focus on setting them up properly.

In theory, you could delete your old passwords. Some services like Microsoft already offer this option. Shikiar says this should be a “personal preference” because “some people may feel extremely nervous” about going passwordless.

It’s fine to keep your password, but make sure you have multi-factor authentication set up for it too, he said.

___

Is there a technical challenge you need help solving? Email us at [email protected] with your questions.