Passkeys rely on iCloud Keychain

Requires you to use Apple's Keychain. Not much good if you store everything in Bitwarden, LastPass or another password manager.

I'm not sure about Bitwarden or LastPass* but you can save them in 1Password. I just did it as a test for my Best Buy account yesterday. Worked brilliantly.

Until Apple fixes the gaping security hole that lets anyone with an iPhone's unlock PIN get in everywhere, I'll be avoiding iCloud Keychain, myself. 1Password (and, thankfully, all my banking apps) require separate passwords in the absence of biometrics. iCloud Keychain lets you in with just the PIN you may use in public to unlock your phone. Weak stuff.

* Nobody should be using LastPass at this point.
 
The same can be said for TouchID and plain ol' passwords, too.

If the bad guy is holding you and your phone hostage... and plans to use violence... you're gonna have a bad time.

Reminds me of this:

Hint: the wrench will win. ;)

But what's more likely to happen is someone from far away trying to get into your accounts remotely. They could be in another state or another country. It happens all the time.

It's those hackers who will be stopped by these new protective measures since they don't have your phone in their hands.

In short... there are more hackers online than people in the real world following me around with a wrench.

:p

Thank you for writing this so I and others didn’t need to. Thank you for your service.
 
Passkey is a branding of WebAuthn, an open standard.

You can learn more at https://webauthn.guide/

Passkey/WebAuthn with biometrics would necessitate the need for 2FA, which should simplify logging in.
 
I have a question. If I do this, does that mean that other people who have access to my Amazon account will no longer be able to get in? Or will they still be able to use the password?

So how will this work if you've got four or five family members that access the same Prime account on their iPhones?
Passkey is an added option. It's something that so far you can use in addition to passwords.

Your password is as it was before.

One day, they might offer an option to delete password security from your account and you can't use a password at all, but that day is not today.
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google? Are the passwords stored on the cloud in the big 3's servers?

Can you sign up for an account in 3rd party sites using only passkeys and no password? If so, what happens if Apple or Google bans your iCloud/Gmail account that contains all of those passwords? Are you forever not able to log back into those 3rd party sites?

What happens if you use Passkeys on Apple devices and then switch to Android? How does it work?
Passkeys are not passwords.
 
After fiddling for way too long... I found I had to log in to my Amazon account in my web browser to enable passkeys. Then it showed up in the iOS Amazon app... 🙄
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google? Are the passwords stored on the cloud in the big 3's servers?

Can you sign up for an account in 3rd party sites using only passkeys and no password? If so, what happens if Apple or Google bans your iCloud/Gmail account that contains all of those passwords? Are you forever not able to log back into those 3rd party sites?

What happens if you use Passkeys on Apple devices and then switch to Android? How does it work?
That's a good question. I don't think passkeys lock you in to Apple any more than being locked into Android. But how does the private key get transferred?
Face ID is hardly secure. Anyone can take your phone by force, hold you by force and open everything. Ask Hamas.
As also noted above, the threat of violence is an equalizer to secrecy. Unless you are willing to give up your life to save some digital assets, a lock is only as strong as the weakest link. But thanks for the nonsense.
 
That's a good question. I don't think passkeys lock you in to Apple any more than being locked into Android. But how does the private key get transferred?

As also noted above, the threat of violence is an equalizer to secrecy. Unless you are willing to give up your life to save some digital assets, a lock is only as strong as the weakest link. But thanks for the nonsense.

Using a third-party application such as 1Password allows you to sync the passkey across devices in different ecosystems. The same Google passkey seems to work on my Windows and Apple devices. I'm thinking that most of the third-party password managers will be able to do this soon. As there are only about 10 major sites using them, it's going to be a while before they take off... Passwords and 2FA are going to be around a while.
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google?
At the moment, yes. But the FIDO Alliance is working on a secure import/export scheme.

Also note that some cross-platform password managers have started supporting passkeys (or will soon), including 1Password, Bitwarden, and Strongbox (a KeePass-compatible password manager for iOS and macOS).

Are the passwords stored on the cloud in the big 3's servers?
Depends. Apple stores them in the iCloud Keychain, Google uses its own cloud-based password manager. If you use e.g. Strongbox you can keep its database local if you want.
 
Face ID is hardly secure. Anyone can take your phone by force, hold you by force and open everything. Ask Hamas.
You can disable it by disabling Face ID for password autofill (which also affects passkeys). You then have to enter your device passcode to authenticate.
 
I've always wondered, but never researched, what would happen if you lost the authenticating device? How would you access your accounts? Is there a password fallback option?
If you use Apple's system the passkeys are stored in iCloud Keychain, so as long as you have a way to access your account you can also regain access to the passkeys.
 
If you use Apple's system the passkeys are stored in iCloud Keychain, so as long as you have a way to access your account you can also regain access to the passkeys.
Ah, got it. Thanks. After that WSJ video by Joanna Stern about how easy it is for people to lock you out of your own Apple ID, I turned off iCloud Keychain and decided to solely use 1Password. Hope Apple addresses that whole issue in future iOS updates.
 
Ah, got it. Thanks. After that WSJ video by Joanna Stern about how easy it is for people to lock you out of your own Apple ID, I turned off iCloud Keychain and decided to solely use 1Password. Hope Apple addresses that whole issue in future iOS updates.
Yeah, I don't use iCloud Keychain either, for this and several other reasons (e.g. no ability to add notes or custom fields, lack of cross-platform access, etc.). I use KeePass-compatible apps (Strongbox on Mac and iOS and KeePassXC on Windows and Linux), which allow me to store and back up my password database where I want. Strongbox recently added support for passkeys (the KeePassXC project is working on it), and Apple has provided APIs that allow storing passkeys in third-party password managers as an alternative to iCloud Keychain. It works fairly well.

The biggest issue with passkeys right now is that the service providers can't seem to agree on a consistent way to integrate them on their web sites. The user experience is often confusing. Needs some more time to mature and develop best practices. But the security benefits are significant.
 
Does using Passkeys vendor lock you into Apple, Microsoft, or Google? Are the passwords stored on the cloud in the big 3's servers?

Can you sign up for an account in 3rd party sites using only passkeys and no password? If so, what happens if Apple or Google bans your iCloud/Gmail account that contains all of those passwords? Are you forever not able to log back into those 3rd party sites?

What happens if you use Passkeys on Apple devices and then switch to Android? How does it work?
Amazon's implementation is pretty good. You can set up a passkey in any ecosystem, and have as many as you want. So you can have a passkey in your iCloud Keychain and 1Password or another password manager, or even a security key. So in this case, no, you are not locked in at all.

Passkeys are meant to replace passwords, but so far no one allows for the option of ditching your password, which I guess is part of the transition. The passkeys are on your device(s). If Apple/Google deleted your account, this is probably the least of your problems, but theoretically, your local passkey should still work just fine.

If you switch ecosystems, you need to set up passkeys for the new ecosystem for all your accounts. Part of the security of passkeys prevents this kind of "portability". However, 1Password claims they are working with the FIDO Alliance on a solution to this. I'm still a huge fan of passkeys, but done the wrong way they can just be one more tech to lock people in to a specific ecosystem. It is otherwise an excellent application of asymmetric cryptography that can let us mostly ditch the concept of passwords.
 
I've found a problem with Passkeys.

I set it up in Google and the PK is stored within Strongbox. It works great on my phone and tablet and home PC, but PKs require Bluetooth so you can't use them on public (or work virtual) computers. I tried to log into my Google account today and hit "Sign in with another method" and chose PK and got a popup box that I need to sign in to Google.com. You're supposed to get a QR code to scan; that didn't happen.

So on a public machine, at least to me, it seems PKs prevent you from getting into your own accounts.

And on top of that, you can always bypass the PK to log in with the traditional password, so at this point I don't understand the actual point except you don't have to create random numbers and letters (but then if you can't use the PK on a device that you don't own/know well then it's all moot anyway).

VDIs reset daily and without Bluetooth it's a dead end IMO.
 
I've found a problem with Passkeys.

I set it up in Google and the PK is stored within Strongbox. It works great on my phone and tablet and home PC, but PKs require Bluetooth so you can't use them on public (or work virtual) computers. I tried to log into my Google account today and hit "Sign in with another method" and chose PK and got a popup box that I need to sign in to Google.com. You're supposed to get a QR code to scan; that didn't happen.

So on a public machine, at least to me, it seems PKs prevent you from getting into your own accounts.

And on top of that, you can always bypass the PK to log in with the traditional password, so at this point I don't understand the actual point except you don't have to create random numbers and letters (but then if you can't use the PK on a device that you don't own/know well then it's all moot anyway).

VDIs reset daily and without Bluetooth it's a dead end IMO.
You'd be better off with a USB security key, which implements the same thing as a passkey, but they could disable USB too. Or you could also theoretically plug in a Bluetooth module if you had USB on your VDI, but I would guess they don't let you install your own devices.

Passkeys aren't a replacement for everyone's every conceivable use. For most people, who use their personal devices, it's basically a perfect password and 2-factor in one package.

The fact that most websites and apps still use passwords even side-by-side with passkeys isn't a knock against passkeys, it just means the world has to transition. There aren't that many sites with passkeys at all, and the idea is they could (if they want) implement an option to delete password security at some point, but today is not that day.
 
I've found a problem with Passkeys.

I set it up in Google and the PK is stored within Strongbox. It works great on my phone and tablet and home PC, but PKs require Bluetooth so you can't use them on public (or work virtual) computers. I tried to log into my Google account today and hit "Sign in with another method" and chose PK and got a popup box that I need to sign in to Google.com. You're supposed to get a QR code to scan; that didn't happen.
I imagine it will get better on public computers as passkeys become more common. It's actually a great use case for passkeys from a security perspective, since passkey authentication does not expose any secret credentials (as opposed to passwords, which are risky to use on a public computer since there could always be a keylogger).

And on top of that, you can always bypass the PK to log in with the traditional password, so at this point I don't understand the actual point except you don't have to create random numbers and letters (but then if you can't use the PK on a device that you don't own/know well then it's all moot anyway).
There are security benefits even if passwords are also available. For one, when you use a passkey you are protected from phishing. Second, as already alluded to above, passkeys do not rely on transmitting secret information, so there is no risk that your password could be exposed during transmission or on compromised endpoints.
 
I'm not sure about Bitwarden or LastPass* but you can save them in 1Password. I just did it as a test for my Best Buy account yesterday. Worked brilliantly.

Until Apple fixes the gaping security hole that lets anyone with an iPhone's unlock PIN get in everywhere, I'll be avoiding iCloud Keychain, myself. 1Password (and, thankfully, all my banking apps) require separate passwords in the absence of biometrics. iCloud Keychain lets you in with just the PIN you may use in public to unlock your phone. Weak stuff.

* Nobody should be using LastPass at this point.
This is what I'm worried about. I've just tested now, and it's scary how much access someone can get with just your device PIN. With this, someone can bypass your lock screen, disable Find My, reset your iCloud password and access the Passwords section in the Settings app. Presumably, they can also access all your passkey-protected accounts as, if Touch ID/Face ID can't authenticate, it falls back to the device PIN...

Does anyone know if passkey access to accounts (e.g. this Amazon account) is disabled if the biometric data on the phone is changed? (FYI, in the UK banking apps disable Touch ID/Face ID logins if additional fingers/appearances are registered on the device after the banking app is first set up.)
 
I tried to log into my Google account today and hit "Sign in with another method" and chose PK and got a popup box that I need to sign in to Google.com. You're supposed to get a QR code to scan; that didn't happen.

So on a public machine, at least to me, it seems PKs prevent you from getting into your own accounts.
No. This is not how it should work. You should've received a QR code. I was not aware passkeys had anything to do with Bluetooth. Maybe on Android devices? Being able to bypass the passkey with a password defeats the whole purpose, so I'm assuming this is just part of the transition.
 
No. This is not how it should work. You should've received a QR code. I was not aware passkeys had anything to do with Bluetooth. Maybe on Android devices? Being able to bypass the passkey with a password defeats the whole purpose, so I'm assuming this is just part of the transition.
Google's instructions say you get a QR code on a device without the passkey to authorize.
 
No. This is not how it should work. You should've received a QR code. I was not aware passkeys had anything to do with Bluetooth. Maybe on Android devices? Being able to bypass the passkey with a password defeats the whole purpose, so I'm assuming this is just part of the transition.
It does use Bluetooth, I can verify. If you want to sign in with a QR code, the QR code basically connects your phone to the PC you want to sign in on. Then it uses Bluetooth as a check against you being able to supply QR codes to someone else on the internet. They designed FIDO to need a local data connection to unite the two devices (they didn't strictly need Bluetooth to do this, but they needed some way to block out common social engineering tactics).

You can also do the same over NFC, though this option is far less popular, for the obvious reason that Bluetooth is in way more PCs than NFC.

As a result, you just need to turn Bluetooth on on the PC and phone; they work in a pairing-free mode (the QR code scan protects the info from outsiders who might be listening to your Bluetooth connections).
This is what I'm worried about. I've just tested now, and it's scary how much access someone can get with just your device PIN. With this, someone can bypass your lock screen, disable Find My, reset your iCloud password and access the Passwords section in the Settings app. Presumably, they can also access all your passkey-protected accounts as, if Touch ID/Face ID can't authenticate, it falls back to the device PIN...

Does anyone know if passkey access to accounts (e.g. this Amazon account) is disabled if the biometric data on the phone is changed? (FYI, in the UK banking apps disable Touch ID/Face ID logins if additional fingers/appearances are registered on the device after the banking app is first set up.)
When you disable biometrics, as long as you have a device passcode, you can use iCloud passwords and passkeys. My old iPad Pro one day had a broken Face ID sensor, but I could still use any autofill passwords, using my passcode instead of my face.
 
Presumably, they can also access all your passkey-protected accounts as, if Touch ID/Face ID can't authenticate, it falls back to the device PIN...
That's why I was suggesting using a third-party password manager instead of iCloud Keychain. My passwords (and the one passkey I've set up so far) are in 1Password, and even if you stole my phone unlock PIN, you'd still need to type in a 20+ character password to get into it without biometrics. That's at least a layer of protection for my most sensitive stuff.
 