Meta-owned messaging platform WhatsApp today announced that it is rolling out support for passkeys on iOS, a feature that will let WhatsApp users log in to their accounts on iOS devices using Face ID, Touch ID, or their device passcode.
Passkeys serve as a replacement for a traditional password, and because device authentication is required, passkeys put a stop to online attacks like phishing. With a passkey, there's no password to steal, and no one-time SMS or authentication code that can be intercepted.
Passkeys are also more convenient, because logins are done with a quick Face ID or Touch ID scan rather than a password. WhatsApp passkeys can be enabled by opening up the app settings, choosing the Account section, and tapping on "Passkeys."
Apple has supported passkeys since 2022, and they work on devices that run iOS 16 and later, iPadOS 16 and later, and macOS Ventura and later. Many companies have been implementing support for passkeys, including X (formerly Twitter), Google, TikTok, PayPal, Best Buy, Microsoft, PlayStation, and eBay.
Top Rated Comments
1. They’re not portable. You cannot sync passkeys between an iCloud Keychain, or a Google account, or 1Password, etc. The standard has no mechanism for it - keys are bound to the keychain software you use when you make them - although it’s apparently something they’re looking into.
You’re not completely locked-in, though. Accounts can have multiple passkeys (e.g. an iCloud one, a Google one, 1Password one, etc), but it’s a hassle to set that up. Also, you can use one device to authenticate a login from another device (e.g. if you want to log in to an account on an Android device, you can get a prompt and confirm it on your iPhone which has the passkey).
2. Currently, most places only offer passkeys in addition to passwords, which kind of defeats the point. AFAIK only Microsoft accounts let you disable password logins entirely.
I get that this is probably a transitional thing, but I wish more places offered it as an option now. GitHub says they’ll likely offer that within a year. Hopefully they do, and hopefully all the early adopters follow suit.
iPad??
Considering SMS authentication can’t be disabled, and the passkey can’t be used as a second factor, it provides zero additional security.
The fact it doesn’t replace 2FA is baffling. This is one of the key concepts of passkeys. Plus, WhatsApp is the only app in existence that constantly pesters me to confirm that I “remember” my PIN. In 2024 we shouldn’t be encouraging users to remember PINs/passwords. This was bad practice 15 years ago. No, I don’t remember my PIN because it’s saved in my password manager. I know 2FA is enabled and I know where the PIN is. Give me the option to stop pestering me about it.