
macrumors bot
Original poster


Amazon today announced that it has added passkey support to its desktop sites and mobile apps, allowing customers to sign in to their accounts without the need for a password.


Passkeys are a more secure alternative to passwords because a passkey cannot be shared with another person through a phishing attempt or leaked online through a database hack. Passkeys do not require customers to remember a password or add a two-factor authentication code, but they do require a verified device.

Passkeys can be set up in the Amazon settings, and on an iPhone, iPad, or Mac, logging in to an Amazon account can be done with a Face ID or Touch ID scan once the feature is turned on. To enable it, go to Your Account > Login and Security, and choose the Set up option next to Passkeys.

Apple implemented support for passkeys with iOS 16 and macOS Ventura. Passkeys work through a public key that's stored on a website server and paired with a private key that's kept on a specific device. On Apple's devices, passkeys are authenticated with Face ID or Touch ID, and the two keys must match to allow a user to log in.

Passkeys rely on iCloud Keychain, which in turn requires two-factor authentication for further protection. Passkeys sync across all of a user's iPhone, iPad, and Mac devices, but they can also be used on non-Apple devices through a QR code system.

Amazon says that passkey support is available today for all Amazon customers using browsers, and that it will be rolling out to the Amazon app for iOS devices in the near future.

Article Link: Amazon Adds Support for Passkeys, Allowing for More Secure Logins
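
The key pairing and phishing resistance described in the article above, as an added example that is not part of the original post or any vendor's code: a simplified Go model (not the WebAuthn wire format; the function names and `.example` origins are made up for illustration) in which the site stores only a public key and the device signs the site's one-time challenge together with the origin the browser is actually on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewPasskey creates the key pair; the website only ever stores &key.PublicKey.
func NewPasskey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes the origin together with the website's one-time challenge.
func digest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// Sign runs on the device and covers the origin the browser is really on.
func Sign(key *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(origin, challenge))
}

// Verify runs on the website; gotOrigin is the origin the browser reported.
func Verify(pub *ecdsa.PublicKey, wantOrigin, gotOrigin string, challenge, sig []byte) bool {
	if gotOrigin != wantOrigin {
		return false // signed for some other site
	}
	return ecdsa.VerifyASN1(pub, digest(gotOrigin, challenge), sig)
}

func main() {
	key, err := NewPasskey()
	if err != nil {
		panic(err)
	}
	site, fake := "https://shop.example", "https://shop-login.example" // constructed
	challenge := []byte("constructed-one-time-challenge")
	good, err := Sign(key, site, challenge)
	phished, err2 := Sign(key, fake, challenge)
	if err != nil || err2 != nil {
		panic("signing failed")
	}
	fmt.Println(Verify(&key.PublicKey, site, site, challenge, good))    // real login
	fmt.Println(Verify(&key.PublicKey, site, fake, challenge, phished)) // relayed
	fmt.Println(Verify(&key.PublicKey, site, site, challenge, phished)) // origin rewritten
}
```

A signature collected on the look-alike origin fails at the real site whether it is relayed as-is or with the origin field rewritten, and a copy of the site's stored public keys cannot produce a signature at all.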
 
I’m seeing Passkey as an option in the iPad app already. I’d set it up on the website a few weeks ago though using Enpass so I don’t need to create a new passkey for Apple and Google since I occasionally switch between them.
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google? Are the passwords stored on the cloud in the big 3's servers?

Can you sign up for an account in 3rd party sites using only passkeys and no password? If so, what happens if Apple or Google bans your iCloud/Gmail account that contains all of those passwords? Are you forever not able to log back into those 3rd party sites?

What happens if you use Passkeys on Apple devices and then switch to Android? How does it work?
 
Face ID is hardly secure. Anyone can take your phone by force, hold you by force and open everything. Ask Hamas.

The same can be said for TouchID and plain ol' passwords, too.

If the bad guy is holding you and your phone hostage... and plans to use violence... you're gonna have a bad time.

Reminds me of this:

security password.png


Hint: the wrench will win. ;)

But what's more likely to happen is someone from far away trying to get into your accounts remotely. They could be in another state or another country. It happens all the time.

It's those hackers who will be stopped by these new protective measures since they don't have your phone in their hands.

In short... there are more hackers online than people in the real world following me around with a wrench.

:p
 
Face ID is hardly secure. Anyone can take your phone by force, hold you by force and open everything. Ask Hamas.
In that scenario, they can also force you at gunpoint to reveal your passwords under threat of death, or force you to unlock your device with your fingerprint. Your comment has nothing to do with the security of Face ID as a general measure under normal circumstances to securely access your device and passwords.
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google? Are the passwords stored on the cloud in the big 3's servers?

Can you sign up for an account in 3rd party sites using only passkeys and no password? If so, what happens if Apple or Google bans your iCloud/Gmail account that contains all of those passwords? Are you forever not able to log back into those 3rd party sites?

What happens if you use Passkeys on Apple devices and then switch to Android? How does it work?
Google, Apple, and Microsoft all support passkeys, aka the FIDO standard. The passkeys are not stored in the cloud, they are stored on device. Exception: on iCloud it can store backups of passkeys, with end-to-end encryption enabled no one but you has access to the backups.

A website or app can theoretically let you use a passkey with no password if they chose to allow it. It’s up to each individual website or app to do this, and pretty much none have so far.

Your passkeys are on device, so my guess (I don’t have a way to confirm this without trying to get banned myself) is even without iCloud your passkeys are accessible by you on your device, you just can’t use your backups and you have to migrate your accounts. Not many people get banned from iCloud without straight up fraud happening with their account.

Most websites will be kind enough to let you recover your account through email or text messages even if you lost your passkey. So you will be able to migrate your account off passkeys if you had to.

If you switch to Android, as long as you can sign in with some method or another, you can add another passkey to your account. Android supports passkeys (with certain devices) so you can add them to your account, you can also use a USB key to sign in. You’re not restricted to one device forever on the FIDO standard.
 
One thing I still don't understand about this whole Passkeys situation is how it will continue to work in the event of some problems. Hope for the best, plan for the worst. What happens if your device is stolen?

I mean I understand that you could still log in to another one of your devices, but say you're on vacation. Say you're traveling abroad with one device and it gets stolen. If this whole Passkeys thing revolves around "authenticated devices," would you not be able to log in to things like banking apps until you're back home and using another authenticated device?

Continuing with this example. You're on vacation with your phone but it got stolen. My understanding is you wouldn't be able to pop down to the nearest Apple store because each new device has to be authenticated using a previous authenticated device. My understanding is that if you try to register a new phone, Passkeys would require you to authenticate that new device using a separate laptop, iPad, etc.

Please feel free to correct anything I've said if I'm wrong, but I've been reading about Passkeys for a while and this is my understanding of how it would work in the event of a theft problem.
 
One thing I still don't understand about this whole Passkeys situation is how it will continue to work in the event of some problems. Hope for the best, plan for the worst. What happens if your device is stolen?

I mean I understand that you could still log in to another one of your devices, but say you're on vacation. Say you're traveling abroad with one device and it gets stolen. If this whole Passkeys thing revolves around "authenticated devices," would you not be able to log in to things like banking apps until you're back home and using another authenticated device?

Continuing with this example. You're on vacation with your phone but it got stolen. My understanding is you wouldn't be able to pop down to the nearest Apple store because each new device has to be authenticated using a previous authenticated device. My understanding is that if you try to register a new phone, Passkeys would require you to authenticate that new device using a separate laptop, iPad, etc.

Please feel free to correct anything I've said if I'm wrong, but I've been reading about Passkeys for a while and this is my understanding of how it would work in the event of a theft problem.
Most websites have multiple methods to sign in and do 2-factor authentication. You can recover accounts using emails or text messages, if you configured it to do so. You can easily use your email or text messages to set a new password on an account you need to access.

If you bought a new iPhone on vacation after losing your old one you can sign in with text messages so as long as you could access your text messages you can get into iCloud. But there’s a complication with eSIM (and USA iPhones 14 and later are now eSIM only) because eSIMs can’t just be popped out and put into a new phone, you have to transfer it, so you could do that at the carrier store but it can complicate things.
 
Passkeys have been a flop. Far too complicated for regular users, with considerable inconveniences and opportunities for failure.

Rather than the tech companies coming up with a truly open and interoperable standard, passkeys are being used as a way to lock people into specific platform ecosystems.

Despite their flaws, passwords will continue to reign supreme in the long run.
 
I just used a Windows PC to set this up, and it worked using my fingerprint ID passkey. I don't have the Amazon app, but do access their website via Safari on iPad and iPhone, and I was then able to open it using FaceID.
 
Passkeys have been a flop. Far too complicated for regular users, with considerable inconveniences and opportunities for failure.

Rather than the tech companies coming up with a truly open and interoperable standard, passkeys are being used as a way to lock people into specific platform ecosystems.

Despite their flaws, passwords will continue to reign supreme in the long run.
Disagree. They work well for me, and remove a lot of friction, even though I work across platforms (i.e., Windows and iOS).

The Keychain option to populate the 2FA field for sites that don't support Passkey is also very good.
 
But what's more likely to happen is someone from far away trying to get into your accounts. They could be in another state or another country. It happens all the time.

It's those hackers who will be stopped by these new protective measures since they don't have your phone.

There's more hackers online than people following me around with a wrench in the real world.
this! looking at the login attempts on my outlook account, someone tries to log in from an IP in another country almost every day, literally. germany, portugal, ecuador, vietnam, brazil, honduras, all just this week

luckily i have a very strong password and 2FA or i’d have lost it by now. btw, anyone else have that happening to them? idk if my email was in a data leak at some point or something?
 
One thing I still don't understand about this whole Passkeys situation is how it will continue to work in the event of some problems. Hope for the best, plan for the worst. What happens if your device is stolen?

I mean I understand that you could still log in to another one of your devices, but say you're on vacation. Say you're traveling abroad with one device and it gets stolen. If this whole Passkeys thing revolves around "authenticated devices," would you not be able to log in to things like banking apps until you're back home and using another authenticated device?

Continuing with this example. You're on vacation with your phone but it got stolen. My understanding is you wouldn't be able to pop down to the nearest Apple store because each new device has to be authenticated using a previous authenticated device. My understanding is that if you try to register a new phone, Passkeys would require you to authenticate that new device using a separate laptop, iPad, etc.

Please feel free to correct anything I've said if I'm wrong, but I've been reading about Passkeys for a while and this is my understanding of how it would work in the event of a theft problem.
Non issue

 
One thing I still don't understand about this whole Passkeys situation is how it will continue to work in the event of some problems. Hope for the best, plan for the worst. What happens if your device is stolen?

I mean I understand that you could still log in to another one of your devices, but say you're on vacation. Say you're traveling abroad with one device and it gets stolen. If this whole Passkeys thing revolves around "authenticated devices," would you not be able to log in to things like banking apps until you're back home and using another authenticated device?
The passkeys are stored in your iCloud keychain. In that respect, the situation is similar to that with regular passwords you have saved in the iCloud keychain. Once you have a device logged into your iCloud account and set up with Face ID or Touch ID, you can use your passkeys.

Passkey transfer between devices/ecosystems is on the roadmap and currently being worked on within the FIDO Alliance. It will probably work similarly to how it already does for TOTP authenticator apps.

This is all an industry-wide initiative designed to be interoperable, and basically replaces passwords by asymmetric key pairs. The fact that the private keys are typically themselves protected by device-specific keys and 2FA is incidental and not an inherent requirement. Purely software solutions like 1Password and NordPass using passkeys exist.
 
Correct me if I am wrong… only my tablet runs 17.x, my phone is locked to 15.x and my desktop locked to 10.13.6. From the terrible descriptions I have read, it seems I can’t use passkeys because only one of my 3 devices can use them… correct?
 
Amazon says that passkey support is available today for all Amazon customers using browsers, and that it will be rolling out to the Amazon app for iOS devices in the near future.
I'm about to do the same after spending 10 minutes looking through this damn Amazon app on my iPhone trying to find Passkeys...FFS!
from the article it doesn’t sound like it’s been added to the app yet. “in the near future”
I was able to set mine up about 15 minutes ago.

For the iOS app on your iPhone? Even when it says it'll be rolling out to the Amazon app for iOS devices in the near future?

Screenshot for proof or it didn't happen. The last time Amazon updated the iOS app was on Oct. 16, 2023 (version 21.20.0). Strange that Amazon would wait until today to announce Passkey support if it was ready a week back.



Passkey support is available today for all Amazon customers using browsers and is gradually rolling out on the iOS Amazon Shopping app...
 
Passkeys can’t happen soon enough! So many people with bad passwords, notebooks of passwords, or a recipe.txt file full of (bad) passwords. That all has to go away.
 
For the iOS app on your iPhone? Even when it says it'll be rolling out to the Amazon app for iOS devices in the near future?

Screenshot for proof or it didn't happen. The last time Amazon updated the iOS app was on Oct. 16, 2023 (version 21.20.0). Strange that Amazon would wait until today to announce Passkey support if it was ready a week back.



Passkey support is available today for all Amazon customers using browsers and is gradually rolling out on the iOS Amazon Shopping app...
Passkeys on Amazon was there a few days ago, I set it up then. It was funny to see the announcement. It’s in the app, I just did passkey sign in right now on my iPad after doing it on my iPhone days ago.

You have to enter your account info and not let it sign in with a password if you have a password already. You then use the passkey option after entering your account login. Then you can supply a passkey.

I think it basically is a web browser on the backend (Safari) so that would be why it can easily support passkeys.
 