I’ve written an email to send to my friends and family trying to give them a heads-up about passkeys. My goal is to tell them not to be afraid of the concept because it really does sound too good to be true. I’m not going to explain to them the details of how passkeys work, but I want them to start noticing where they’re being offered and tell them it’s okay to give them a try. My other goal is to tell them they don’t have to jump in right away, it’s also okay to wait.
I thought this text might give you a framework for how to communicate with those whom you support in your personal life, so please feel free to steal this idea and this text and make it your own. As you read through it, please let me (and all of us know) if you think I’ve missed anything fundamental, or if I’ve mischaracterized anything. Maybe you know a way to simplify what I’m trying to explain even further – let us know if you do.
Here’s the text I plan to send out:
Subject: Passkeys are a good thing
You may start seeing offers from online services to use something called a passkey. The website will make wild promises about how this is our passwordless future finally come to pass and how easy and fun it will be to log in.
While this seems too good to be true, believe it or not, these are not scams. Passkeys are a wonderful new technology that will make logging in easier and more secure. As of right now, I’ve been offered (and am using) passkeys to log in to Amazon, Best Buy, CVS, Google, eBay, and Home Depot.
The technology behind passkeys is complicated, so I’m not going to try to explain it here. I have confidence in it partially because the technology has been created by an alliance of the biggest tech companies including Apple, Google, Amazon, Microsoft, and 1Password. (fidoalliance.org/members/)
The main idea behind passkeys is that it will allow you to teach a website who you are from each device you own (Mac, PC, iPhone, iPad, etc), and from then on you won’t have to type in your password. I know that sounds crazy or crackable but it isn’t.
The good/bad news is that if you use passkeys for a service, you CAN still type in your password if you need to. Websites are still storing and using your password so it still has to be long and strong and not EVER used on more than one site.
Each website seems to be enabling passkeys differently, so I can’t give you step-by-step instructions on how to enable passkeys. I would suggest that if you’re offered to set up a Passkey, say yes, and follow the instructions the website provides.
If this sounds like sorcery and still too good to be true, you are welcome to stick with using your password manager to help you log in for now. You don’t have to change to passkeys right away, but I just wanted to let you know that they’re not a dangerous thing, they’re a wonderful thing.
I said that I wasn’t going to bother you with the nitty-gritty of the technology, but if you would like to listen to/read a fabulous explanation of the tech behind passkeys, I highly recommend this episode of Chit Chat Across the Pond I recorded with security specialist Bart Busschots: