Key Takeaways
- Passkeys eliminate the need to remember or type passwords, increasing convenience and security for users. They consist of a secret key saved on your device and a corresponding public key stored on the website's server.
- Currently, only a few passkey management services, such as Apple iCloud Keychain and 1Password, allow for passkey sharing. However, passkey sharing may never become widely practiced as businesses aim to discourage account sharing and prioritize user security.
- Passkeys are designed to enhance user security, and if sharing is too easy, it could weaken their effectiveness against phishing schemes and other attacks. Passkey sharing may be limited to certain groups or individuals within a passkey manager, and the future adoption and practices surrounding passkeys are still evolving.
Passkeys are set to replace passwords over the next few years. But one of the hurdles during this transition will be passkey sharing—you aren't supposed to know your passkeys, you can't type them out manually, so how do you share passkey-protected accounts with friends and family?
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
What Are Passkeys?
Old-fashioned passwords are inconvenient and often pose a risk to user security. Your password may be included in a data leak, for example, and a sophisticated phishing scheme might trick you into writing out your password for a hacker. There are several ways to improve the convenience and security of passwords—a premium password manager is the best option—but very few people will ever take the steps to secure their digital life.
So, the FIDO Alliance created passkeys. Several big-name tech companies, including Google, Apple, and Microsoft, are involved in the FIDO Alliance and have agreed to pursue passkeys as a full replacement for passwords. The idea here is surprisingly simple. With passkeys, there's nothing to memorize or type. You sign up for a website, and it generates a "secret key" that's saved directly to your phone or computer. This secret key corresponds to a "public key" that's kept on the website's server. When the keys are put together, your identity is verified, and you're allowed to log in.
Nobody knows your secret keys, not even you. If a website is hit by a data breach, only its public keys will be leaked. And unless a hacker sits down at your phone or computer (and manages to fool your fingerprint reader or guess your PIN), stealing your private keys is an extremely difficult task.
All major operating systems now offer a built-in passkey manager. Some password management tools, such as 1Password, also offer passkey support. But as passkeys become common practice across the web, people will start wondering how they're supposed to share these keys with friends or family. After all, if you don't know your private keys, how are you supposed to share them?
Which Passkey Managers Allow You to Share Passkeys?
Only a handful of passkey management services allow you to share your passkeys. If sharing is important to you, a premium password manager is usually your best option—your friends and family may need to use the same password manager, though.
Here are the popular passkey management services that currently offer (or plan to offer) a sharing feature:
- Apple iCloud Keychain
- 1Password
- NordPass
- Bitwarden (Plans to offer passkey sharing)
- Dashlane (Plans to offer passkey sharing)
Google is supposedly working on password sharing in Chrome, so passkey sharing may be possible in the future. There are no such rumors for Windows 11's passkey implementation.
Note that passwords and passkeys will coexist for some time. If you need to share login credentials with someone, you can simply send them your password. Creating a passkey for a website won't make your password unusable, at least for now. And passkey sharing may be unnecessary (or discouraged) even as passwords are phased out.
Passkey Sharing May Never Become Common Practice
As of October 2023, only 75 apps and websites actually support the passkey standard. Very few of these apps and websites use passkeys as the default sign-in option, and none of them have forced users to enable passkeys. As passkeys become common and enforced, the problem of account sharing will need to be addressed. But, for better or worse, passkey sharing may not be the chosen solution.
Most web-based services are trying to crack down on account sharing, and many websites already require two-factor authentication through a text message or email. The idea that these business will encourage passkey sharing is somewhat unbelievable. Yes, some accounts or services must be shared with family, caretakers, or other people in your home. But even in these situations, passkey sharing isn't completely necessary. Businesses may simply ask you to generate a unique passkey for each person. Or, they may ask everyone to create a unique account that can be linked to yours. (The latter option is already preferred by some subscription services, as it gives users a sense of privacy and makes data collection easier.)
Not to mention, passkeys are supposed to increase user security. If passkeys are too easy to share, we may not see a substantial boost in user security, as phishing schemes and other attacks will continue to be effective. So, passkey sharing may be uncommon, it may be discouraged, or it may be restricted to a family group that you've made within your passkey manager. It will take a few years for everything to shake out.