We recently announced that Proton Pass now supports passkeys for everyone across all devices.
Universal compatibility is a unique approach to implementing passkeys, unfortunately. Even though passkeys were developed by the FIDO Alliance(new window) and the World Wide Web Consortium(new window) to replace passwords and are meant to provide “faster, easier, and more secure sign-ins to websites and apps across a user’s devices”, their rollout hasn’t lived up to these lofty ideals.
Instead, the first organizations to offer passkeys, Apple and Google, prioritized using the technology to lock people into their walled gardens rather than provide a secure solution to everyone. This closed approach diminishes the value of passkeys for everyone and makes it less likely that they’ll be universally adopted, which is critical if they’re to ever replace passwords.
At Proton, we believe online privacy and security should be accessible to everyone. If we want to achieve a better internet for all, everyone must be able to take advantage of the latest security advancements.
This article looks at passkeys’ initial promise, how Big Tech has tried to hijack them to serve their own purposes, and how we can ensure passkeys fulfill their potential for everyone.
The internet needs better account security
Passkeys were developed because, as far back as 2013, companies realized they must provide users with a better solution for account security than passwords. To be effective, you must have a unique, strong password for each online account. Since most people have upwards of 100 accounts, this essentially means you must use a password manager to maintain basic account security.
Also, passwords fail to provide the security they promise. As the FIDO Alliance(new window) points out, passwords are at the root of 80% of data breaches. Attackers can convince people to share passwords with social engineering attacks, easily harvest them from data breach records, or reuse them indefinitely (or at least until the account owner makes a new password).
Passkeys’ initial promise
Passkeys were created in 2016, and they represent a major step towards reducing our reliance on passwords. Passkeys are based on WebAuthn, an open standard that security keys like Yubikey use.
The idea behind passkeys was to create a solution that removes the burden from users and mitigates some of the worst aspects of passwords. Passkeys themselves are a pair of cryptographic keys, one of which resides on your device. This key can be discovered by apps or browsers, allowing for simple and secure logins, and is synced between devices using the cloud and end-to-end encryption. The result is a phishing-resistant, nearly effortless, secure login.
However, for passkeys to be a true account security solution, they must become universal. Like many online features, passkeys benefit from a network effect. The more sites and services that use passkeys, the better and easier a solution they are for users (with the added benefit of making everyone’s data more secure). Unfortunately, Big Tech has treated passkeys as an opportunity to advance their commercial interests rather than as a tool to provide universal security.
Big Tech embraces passkeys to maintain their walled gardens
Apple was the first major company to roll out the passkeys in 2022. In fact, it was Apple that first popularized the name “passkey”.
However, Apple focused primarily on optimizing passkeys to work solely with its products rather than making them an interoperable, easy-to-use feature (as one might expect of a tool developed in collaboration with dozens of other organizations and companies). For example, if you create a passkey on your iPhone, it easily syncs to Mac devices but is incredibly difficult to use on a Windows device. In fact, if you try to use a passkey from an Apple device on an Android (for example, if you have a Mac and an Android), you must use a QR code — there is no automatic sync. This unfortunately set a precedent that every other major rollout of passkeys has followed.
In an attempt to catch up to Apple, Google announced passkey support in 2023, but its implementation is inconvenient. For example, if you use Google Chrome as your browser on a Mac, it uses the Apple Keychain feature to store your passkeys. This means you can’t sync your passkeys to your Chrome profile on other devices. Similarly, Android only recently added support for third-party passkey providers (in Android OS version 14). In addition to a poor user experience, Google passkeys are also limited by Google’s attempt to lock you into its platform. For example, if you create a passkey with Chrome on your laptop, you can’t use it in the Firefox browser on your smartphone. And if you like Chrome but want to use a third-party password manager to store your passkeys, Google forces you through a lengthy process to opt out of Google Password Manager.
And both Apple and Google prevent you from exporting your passkeys, meaning you’ll need to create them all over again if you want to switch to another password manager. They also both use closed-source passkey implementations, making it harder for independent experts to verify their security.
After seeing Big Tech’s rollout, several password managers also rushed their release of passkeys, resulting in a similarly clunky user experience. Some password managers only support passkeys via their web extension, making it difficult for anyone trying to log in to the same app with a passkey on their mobile phone. Most password managers that support passkeys only offer them with a paid plan, meaning Google Password Manager and Apple Keychain were the only viable free passkey providers until Proton Pass added them.
Passkeys should be like HTTPS
Account security is facing a similar inflection point as secure connections did in the early 2010s — the problem has been identified, a simple solution exists, and it’s simply a question of enforcing that solution everywhere. With HTTPS, organizations like EFF (with HTTPS Everywhere(new window)) and Let’s Encrypt(new window) (which simplified obtaining a TLS cert) led the drive in allowing people and websites to create secure, encrypted connections. Now, all major browsers enforce HTTPS connections by default, and the vast majority of websites support TLS. It has made the internet immeasurably safer.
While passkeys are certainly more technically difficult to implement correctly than HTTPS, they promise an even more sweeping effect on internet security — if we force Big Tech companies to adhere to their original, universal intent.
Passkeys could make nearly every account secure against attacks that cause such havoc today. There’s no such thing as a “weak” passkey, so attackers will no longer be able to brute force their way into accounts. And passkeys can’t suffer mass exposure like passwords because apps and websites only store the public key — the private key remains safely stored on your device. If everyone used passkeys, much of the harmful effects of data breaches would disappear.
Both Apple and Google have made it so that if you make a passkey, you need to stick within their apps and devices to use it. This severely limits their potential and sacrifices their utility just so Big Tech can add a moat to its walled garden.
Proton prioritizes universal security
We’ve tried to stay true to the intention behind passkeys. With Proton Pass, passkeys:
- Are easy to use, no matter your device or platform
- Can be quickly shared or exported
- Use an open-source implementation
- Are available to everyone with our Free plan
Even though it’s unlikely the internet will be passwordless anytime soon (or indeed ever), we still believe passkeys should be as easy to use as possible in as many places and for as many people as possible. If you want to use passkeys to improve your account security and speed up your logins, you can sign up for Proton Pass for free today.
And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.
