I’m trying to get started using the new Passcode feature in the latest OSes from Apple. So far, I haven’t found one instance where an app or site asks me about passcodes. Anyone have more luck? Suggestions?
1 Like
So far there aren’t many (any?) sites using passkeys yet. But the FIDO alliance has a site you can use to test: https://www.passkeys.io/
Actually, there are (supposedly) some sites using passkeys. See https://passkeys.com/
One of them includes PayPal. For info on how to change PayPal to using passkeys, see PayPal Holdings, Inc. - PayPal Introduces More Secure Payments with Passkeys
2 Likes
Vanguard’s site allows you to use a passkey as a second factor.
1 Like
Some of these likely are US only. PayPal and eBay don’t seem to support it in Australia. Something similar that I’ve seen work in Australia use a specific app, e.g. Australian National University/Office365 and Cipherise. Would be nice when that is sherlocked.
1 Like
It seems eBay doesn’t mention passkeys by name, but my account has an option to enable Face/fingerprint/PIN sign in which, I think, uses passkeys.
I just logged into PayPal, but there was no apparent way to set up a passkey as far as I could tell. So it might not be supported in the US yet either, at least not for everybody,
On a related note, my PayPal account is set up to use a TOTP code as the second factor, but I find with this enabled, I can’t log into PayPal using Safari. The site just seems to hang with a blank page at the point I should be prompted for the code. I can log in using other browsers, though. Is it just me, or does this problem happen for others too with Safari?
No. A pass-key is a public-key encryption pair. You upload your public key to the site with your account. Authentication is done using the key pair. I don’t know exactly what Passkey is doing, but these algorithms typically involve the remote server sending you some challenge data encrypted with your public key. Your browser then decrypts it (with a locally-stored private key), performs some operation on the data and encrypts the result with your private key before returning it. The server then decrypts the response with your public key and compares the result against the expected result. If the public and private keys don’t match, it doesn’t get the expected result and access is denied.
Conceptually, it seems to me like something very similar to SSH’s key-pair authentication.
Apple will be storing passkeys (both public and private keys, I assume) locally in your keychain. If you enable iCloud keychain sync, then your other Apple devices will also get them. If not, then they will remain local.
2 Likes
And it should be added that Apple does not have keys to view the Keychain data they store on your behalf in iCloud, with or without the recent Advanced Data Protection.
4 Likes
Google is now supporting Passkeys. I have a few Google accounts. I decided to try it on one account. It went smoothly, but the passkey was stored in my iCloud Keychain. I normally don’t enable that as I use 1Password as my password keeper. I could find no way around this situation.
I sent an email to 1Password support.
Now expected in June.
1 Like