“Passkey” is Apple’s name for a simplified website login process arriving in full later this year with macOS 13 Ventura, iOS 16 and iPadOS 16. A passkey relies on widely supported industry standards to let you log in with public-key cryptography, with almost no effort on your part after the initial setup.

You can try a passkey without installing the public betas of these upcoming operating systems, because Apple has already previewed passkey support built into Safari in iOS 15, iPadOS 15, and Safari 15 on macOS 12 Monterey.

With the full release of passkeys in a few weeks or months, and with Google and Microsoft having announced support for the same underlying technology, you should see options to add a passkey on many websites this fall.

Here’s how the process works.

Register on a website

A passkey consists of a pair of keys, one public and one private, generated with public-key cryptography. When you register on a server that supports WebAuthn (the web standard for creating, storing, and checking passkeys), your browser sends the pair’s public key. The public key cannot be used to log in; it only lets the site verify that you hold the matching private key, which is created on your device and never leaves it. Each login is a signature, made with that private key, over a fresh random challenge the site sends to your browser.

To enroll, visit a website that supports passkeys. A site may say it supports passkeys in general, say it has WebAuthn support, or declare itself compatible with FIDO2, CTAP, or “multi-device FIDO credentials”. All of these terms should mean that you can use an Apple (or Google or Microsoft) passkey as your login credential. (FIDO2 is the FIDO Alliance’s name for the combination of WebAuthn and CTAP, the protocol a browser uses to talk to an authenticator; Apple, Microsoft and Google are all members of the alliance.)

The process works the same way as enrolling in two-factor authentication (2FA) on a site, or as registering a hardware security key for WebAuthn, such as one of Yubico’s:

1. Log in with your existing username and password. The site may ask for additional verification: a link sent by email, an SMS code, a 2FA code, or a confirmation through an app already installed on your iPhone or iPad.
2. In the security section of the site, choose to add a passkey (the site may call it by one of the alternative names above).
3. The web server sends your browser a request to create a new credential, along with a random challenge.
4. You’ll be prompted to approve this request with Touch ID, Face ID, or your device passcode, depending on what’s available and enabled.
5. If you successfully validate your identity, your device generates the public/private key pair. The private key is stored on your device and is never sent to the remote site.
6. Your browser sends the public key, together with a cryptographically signed message that the server can validate using that public key: only someone whose device holds the private key can produce a signature that verifies.
7. The web server stores your public key for your future logins.

As part of enrollment, you confirm that you want the website to be able to use Touch ID (or whatever authentication method your device offers).

Adding a passkey may let you turn off 2FA for your account, or let you choose a passkey login instead of a 2FA path. A passkey is proof of possession of both a secret and the device it is stored on, so it already amounts to two factors. (Some higher-security sites and services may still require 2FA instead of, or in addition to, a passkey.)

You can see the passkey process at work, with some of the underlying technical pieces revealed, on Webauthn.me, a site created by Auth0, a provider of authentication services. A few production sites already accept passkey-compatible logins, but only a few. You can set up a Google or Dropbox account to use a “security key” and then register a passkey instead. See below for my experience with that.

Log in with a passkey

On a site where you have registered, you can use the saved passkey the next time you log in. You may have noticed that many websites have started asking for the account username or email address on a separate page before the password; that appears to be preparation for passkeys, since the site can then ask your browser for that specific account’s credential.

With a site fully ready for passkeys, tap or click in the username or account email field and Safari will ask you to approve a passkey login. In some cases, Safari may first ask whether you want to allow Touch ID or “security key” logins for the site; click Allow to continue. You then authenticate with Touch ID, Face ID, or your device passcode, just as you did during enrollment. That’s it. On the Webauthn.me site mentioned above, you can test this in step 4 of its walkthrough.

You may be asked to allow secure logins to a site the first time you log in after registering a passkey.

The Passwords settings pane will include passkeys starting with this fall’s operating system releases.

Some sites that support WebAuthn but are not yet fully aligned with the simplified passkey flow may require you to log in with a regular username and password before the site sends your browser the request for a passkey.

I was able to register a Dropbox passkey by choosing the Security Key option and following the prompts in Safari for macOS. (While signed in to Dropbox in Safari, click your avatar in the top right corner, click Security, and click Add next to “Security keys.” When asked whether you have inserted the key, confirm.)

Subsequent logins worked in Safari for macOS but not in Safari for iOS, probably because iCloud Keychain does not sync passkeys before the new operating systems ship. In iOS 16, iPadOS 16, and Ventura, with iCloud Keychain enabled, passkeys sync and appear in Settings > Passwords in iOS/iPadOS and System Settings > Passwords in Ventura.

Apple lets you share a passkey with other Apple users by sending it securely via AirDrop. This shares both the public and private keys, and gives the recipient the same level of account access as if you had given them your username, password, and second factor for the account.

Login from other devices

Some sites allow a passkey as your only method of access. So what if you’re trying to sign in from a device that doesn’t have your passkey, such as a shared or family computer, a work device, or one you borrow while on the go? Or what if you need a Windows system or Android phone to reach a site because of features specific to those platforms? Apple demonstrated a clever approach when it introduced passkeys at its 2022 Worldwide Developers Conference: a flow that relies on a QR code and Bluetooth.

The process works like this:

1. On a device whose operating system or browser is new enough to support WebAuthn logins, enter your account name on a website where you have a passkey. The site asks the browser for the passkey, and the browser finds that it doesn’t have one.
2. Choose to supply the passkey from another device, for example by clicking “Add a new phone.” The site’s request causes the browser to display a QR code.
3. On your iPhone or iPad, scan the QR code and tap the “Sign in with a passkey” prompt.
4. On your iPhone or iPad, confirm and then approve the login with Touch ID, Face ID, or your device passcode.
5. The browser shows that you are logged in.

On a device that doesn’t have your passkey, a QR code combined with Bluetooth provides a secure login that won’t reveal your secrets or allow phishing. (Image: Apple)

During this process, the device displaying the QR code and your iPhone or iPad silently connect over Bluetooth and exchange key material. The Bluetooth contact gives your device assurance that the login is happening on a machine physically nearby, which blocks purely remote attacks, and the channel between the two devices is encrypted and separate from the browser connection, so a phishing page cannot insert itself into the login.

After you approve the login on your phone, your session on the other device continues as usual. Be sure to log out when you’re done so nothing stays signed in on that device.

The future is passkeys

The simplicity of passkeys hides real sophistication. For once we get both convenience, with no overhead for managing the process, and a phishing-resistant level of security. Each login is unique, stored for you, and verified in both directions: your device checks that the site is the one the passkey was created for, and the site checks that only the holder of the private key on your device could have signed in.