Reporting from The Verge:
In a joint effort, tech giants Apple, Google, and Microsoft announced Thursday morning that they have committed to building support for passwordless sign-in across all of the mobile, desktop, and browser platforms that they control in the coming year.
A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services…
“For example, users can sign-in on a Google Chrome browser that’s running on Microsoft Windows—using a passkey on an Apple device.”
This is one part excellent news. Password managers such as 1Password have done a great deal to reduce the friction of creating and remembering a unique password for every app and website. Given how nearly everyone already carries a mobile phone, letting that physical device be your authentication credential - without even requiring a password to create an account! - is going to vastly improve everyone’s security while making the process simpler at the same time.
How? When creating an account at a new website, you won’t need to create a password at all. You will use your mobile phone as a passkey (rather than generating a password), and any time you log into that website from a computer you tap your phone and bam, signed in. No saving passwords into a password manager and no need to install password management software on every device you use. The piece that makes this safer than passwords is that if someone calls you up and attempts to phish away your password…they can’t! That attacker is using their own machine to log in to your website; they might know your username, but they would need your physical device on their network in order to log in. I don’t think many people are going to believe a phishing attack when the attacker says “now put your phone in an envelope, remove the passcode, and mail it to me.”
The other part is a worry about how this could enable government surveillance and compel people to disclose access to their personal and private information. The government cannot force you to divulge a password, something you know in your brain. It can force you to divulge your biometric data, such as the fingerprint that is then used to unlock your phone. Passkeys might be more susceptible to intrusion this way. Time, and court cases, will tell.
Regardless of that last point, this is excellent news. Better security for individuals and less credential stealing by bad actors.
Update 7 May 2022: Brian Krebs with some great quotes out of academia.