Sunday, May 10, 2026
Passkeys Are the New Passwords. You Should Start Using Them Now.
Passkeys Are the New Passwords. You Should Start Using Them Now.
By Max Eddy
“Max Eddy is a writer who has covered privacy and security — including password managers, VPNs, security keys, and more — for over a decade.
For 15 years, experts have told me that passwords are the biggest problem with online security and that’s just the way it is. The passwords that people make up are easily guessed by machines, and the ones that can’t be guessed are too hard to remember.
Over time, as more and more passwords became necessary, many people simply recycled theirs across different accounts — creating a precarious situation where one phished password or data breach gave an attacker access to the victims’ email, bank accounts, and anything else that shared that password.
Then came password managers, services and software in which a person could safely store all of their complex passwords and thus need to remember only a single password: the password for their password manager. This technology addressed, but didn’t solve, some of the problems. If people put in the effort, they could eventually have unique and complex passwords everywhere. But the majority of people did not opt to take on this herculean task that brought no immediate reward except that (maybe) in the future something bad might not happen to them (possibly). And a smart attacker could just phish even the best passwords anyway.
Two-factor authentication was the next bandage on the gaping wound of passwords. With 2FA protecting you, an attacker could have your password but wouldn’t be able to use it without a second confirmation, such as a code generated by an app or sent by text message. But another hoop to jump through for logging in remains a hard sell. And a smart attacker could just (you guessed it) phish most forms of 2FA anyway.
But passkeys are different. Instead of trying to fix unfixable passwords, passkeys are an entirely new technology that securely logs you in without your needing to remember your password or to perform a 2FA ritual. Passkeys are not perfect, and we’re still a ways off from their being commonplace, but learning what a passkey is and how to use it moves you a little closer to a more secure future.
What is a passkey?
A passkey is, essentially, a digital key that “unlocks” your online account by securely logging you in without a password. In Tamora Pierce’s fantasy novel First Test, knight student Kel acquires a lock for her room that opens only when she speaks a magic word while turning an equally magical key. This is, in high-fantasy terms, a passkey: It works on only one door, it can’t be duplicated, and it works only when the owner allows it to do so with a magic word.
When you have a passkey, your device, instead of prompting you to type in your password, automatically finds your passkey and asks your permission to use it. You then authenticate it with a PIN, facial recognition, or a fingerprint scan, and only then does it log you in to your account.
“A passkey is like a super-long password that you can’t copy-paste, but that your computer and phone can use to log in to a website quicker and more safely than a password,” said Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation.
Passkeys can’t be forgotten, unlike passwords. Passkeys are bound to specific websites, so there’s no risk of their being used on a phishing site or being sent to a savvy scammer. And unlike passwords, they can’t be exposed if the site where you have an account has a data breach.
“In a world where AI can mimic voices and generate flawless phishing emails at scale, passkeys are the most critical defense we have to prevent credential theft,” said Derek Hanson, chief technology officer for Yubico, the maker of Wirecutter’s favorite security keys and a major force behind the creation of passkeys.
Build your virtual keychain
The first thing you need to create a passkey is to figure out where to store it.
You can create a passkey in a few places: on your device, in a password manager, or on a physical piece of hardware called a security key. Regardless of where you store your passkeys, they’re secured with end-to-end encryption. As a result, Apple, Google, Microsoft, and your password manager don’t have the means to decrypt them. Only the devices that you authorize can access your passkeys.
You may have seen some of the biggest sites on the internet — such as Amazon, Google, and PayPal — prompt you to create passkeys. And the reason is that many of the biggest tech companies actively support them. Apple, Google, and Microsoft all back passkeys, and their devices are set up to create, store, and use passkeys. If you’re just starting out with passkeys, we recommend using whatever the default option is on your device.
The passkeys you create can automatically sync between devices to be more available to you — but that feature is limited by where you store your passkeys. Passkeys made on iPhones, iPads, and Macs are saved to the Apple Passwords app and automatically sync between devices where you’re logged in with your Apple ID. Android devices, Chromebooks, and the Chrome browser save your passkeys to the Google Password Manager and sync similarly. Windows also has built-in support for creating and storing passkeys and syncs your passkeys between Windows devices where you’re logged in with your Microsoft account.
You can also choose to store your passkeys in password managers — our top picks both support passkeys. Passkeys stored in password managers such as 1Password sync to the apps and browser extensions, making them available no matter what device you’re using. If you store passkeys in your password manager, secure your password manager account with a complex, unique password and enable 2FA.
Top pick
1Password offers attractive, colorful apps and a straightforward onboarding experience that’s easy for newcomers to understand. At the same time, the technically inclined will appreciate its advanced features and security.
Budget pick
The free version of Bitwarden covers all the basics of a good password manager and doesn’t cost anything. But features like advanced security reports and encrypted file storage cost extra.
If you don’t like the idea of your passkeys floating around in the cloud between your devices, you can store them offline on a hardware security key. I recommend both the Yubico Security Key C and the Yubico YubiKey 5C NFC in Wirecutter’s guide to security keys, based on price, durability, and brand reputation among the 12 keys I tested.
Top pick
This key works just about anywhere security keys are supported. It can store passkeys, and it supports NFC for wireless communication with your phone.
Upgrade pick
The Yubico YubiKey 5C NFC supports many authentication protocols, so it works anywhere security keys are accepted. If you can make the most of its advanced features, such as signing and encrypting with OpenPGP, it’s well worth the price.
But remember that if you lose your physical security key, you lose all of its passkeys as well. If you go this route, you should create backup passkeys for your accounts and store them on a second, backup security key that you keep in a safe place.
Unlocking sites with a passkey
You can use passkeys only on sites that support them. The FIDO Alliance, the industry group that developed the core technology for passkeys, has a searchable list of sites that use passkeys, which is a good place to start. But you are likely to see a prompt pop up on any of the major online services and retailers that are now using passkeys.
The passkey experience differs slightly depending on the device you’re using and the site you’re logging in to.
Some websites, like Amazon, will prompt you to create a passkey. On a phone, tap Add Passkey and authenticate using the same method you use to unlock your phone (in my case, with Face ID). That’s it — your phone has created a unique passkey for Amazon and securely saved it.
The next time you log in to Amazon, your phone will recognize that you have a passkey and ask to use it. (On desktop computers, you may have to enter your username before you can use a passkey.) Tap the button to confirm and authorize with biometrics or a PIN, and you’re logged in. No password, no problem.
You can also use a device with a passkey to log in to a website on a different device where you don’t have a passkey. After navigating to Amazon’s website on a laptop, for example, enter your username and then choose the option to use a passkey. The browser will display a QR code that you scan with your iPhone, which in turn triggers a request to use a passkey. Tap to confirm, perform a quick Face ID scan, and that’s it: You’re logged in. Note that both devices must have Bluetooth enabled, but you don’t need to pair them.
An important detail: When you use a passkey on one device (like your phone) to authenticate a different device (such as your laptop), the passkey isn’t transferred from one to the other. If you plan on logging in again on the laptop in the future, you might want to create a new passkey specifically for the laptop.
The disadvantages of passkeys
The greatest obstacle to passkey adoption may end up being exhaustion. It’s yet another thing that’s being asked of you to keep your accounts safe.
“Security fatigue is real,” Hoffman-Andrews said.
Passkeys are still in their early-adoption phase, and it can be hard to find sites that support them. So for the foreseeable future, you’ll need to continue using password managers and enabling 2FA wherever possible. Meanwhile, some sites that do use passkeys still rely on passwords and 2FA, which clever attackers can obtain through phishing, as backups.
And while passkeys are intended to be more convenient than passwords, that’s not entirely the case at the moment. Some sites don’t require 2FA for passkey logins, and others do; some sites let you create as many passkeys as you like for an account, while others limit you to just one. Logging in to the same site on an iPhone doesn’t work quite the same as it does on Android. These are little things, but they create more confusion for people still unfamiliar with the technology.
I’ve also found that it can be tricky to remember where I’ve created my passkey, which sometimes means I simply don’t know what device to use to log in. It’s not currently possible to transfer passkeys between different types of devices, which is annoying, but Hoffman-Andrews explained that this limitation also helps keep passkeys safe from phishing attacks.
Although passkeys are stored with end-to-end encryption, which prevents both providers and third parties from accessing or examining them, they’re not entirely in your control when you store them on third-party cloud services like those of Apple and Google.
“It is technically possible that a compromised cloud account — or a legal subpoena directed at the cloud provider — could impact the security or privacy of those synced credentials,” said Hanson.
If someone steals your phone, or confiscates your laptop, or gains access to the account that manages your passkeys, they might be able to access those passkeys. That’s why you should never reveal your PIN to anyone. You should also enable manufacturer tools to protect lost devices and learn how to deactivate fingerprint login or facial recognition on devices. People with elevated risk, such as journalists, activists, and politicians, should consider using hardware security keys to store their passkeys.
The bottom line: Use passkeys when you can
Password phishing, data breaches, two-factor authentication, and increasingly lengthy strings of mixed-case alphanumeric nonsense phrases may soon be relics of our password past — just not yet.
We recommend that you create a passkey on any site that allows it. If you’ve previously dismissed the option to create a passkey, or if you aren’t sure whether a site supports them, there are a few places to look. On the login page, look for the option to create or use a passkey. You should also check the security options in your account settings page for information on passkeys. On Amazon, for instance, go to Your Account > Login & Security > Passkey.
Although passkeys haven’t won out against passwords, “that doesn’t mean the users won’t benefit from them today where they are already available,” Hanson said.
Every passkey you create makes your accounts, and your online life, a little safer. And someday, the magic of passkeys will be so commonplace, you won’t be able to imagine life without them.
This article was edited by Caitlin McGarry and Annemarie Conte.
Friday, May 08, 2026
Opinion | Mark Zuckerberg Is Running Meta Into the Ground - The New York Times
Meta Is Dying
By Julia Angwin
"Ms. Angwin, a contributing Opinion writer, is an investigative journalist.
There is a moment when internet companies get the stink of death on them. For AOL, it was 2003, when it became clear that its users were abandoning its clunky dial-up internet service for far-faster broadband. For Yahoo, it was 2015, when their last-ditch acquisition spree failed, and they sold themselves to Verizon.
For Meta, that time is now. I believe the company — one of the most powerful media organizations in the world and one of the most valuable members of the S&P 500 — is at the start of a long, slow decline that will trigger aftershocks to our economy and our society.
It may be named Meta, but the company’s biggest asset is still Facebook. Started from a Harvard dorm, the original online social network has dominated our world for two decades. Its three billion users are still bigger than any single country. Its platforms can help sway an election, fuel an insurrection or spark a genocide.
But if you look carefully, you can see chinks in the armor. Meta’s earnings are starting to show the strain from years of growing consumer disaffection and reckless spending. The latest earnings, released on April 29, revealed a dip in user numbers for the first time since it started reporting these figures. And the slumping stock confirms what we have all known in our guts for a while: This is a company entering its zombie era.
Death is different on the internet. Lifeless companies like AOL and Yahoo are still technically with us. You can visit their websites. They have customers. They may even be profitable, as they cut staff and monetize their last remnants of traffic. But they are, as the kids say, peak cringe. Many teens wouldn’t be caught dead with an AOL account, a Yahoo email address — or a Facebook profile.
Sign up for the Opinion Today newsletter Get expert analysis of the news and a guide to the big ideas shaping the world every weekday morning.
As a company’s brand ages, its founders leave. The excitement evaporates. The stock shrivels to a fraction of its former glory as the user base withers to those captured by an old email account or friend group. New owners often arrive — usually bean counters who are focused on cutting costs and maximizing profits. That’s when websites stoop to junk mode, spamming you with endless email “final sales” and loading up the pages with ads so gross and disturbing that they should be age-restricted.
Of course, Meta is a long way from hitting rock bottom. The online giant — which benefits from its ownership of WhatsApp, the world’s largest messaging app, and Instagram, the popular photo-sharing social network — made $200 billion in ad revenue last year. That was an astonishing 20 percent of the global ad market. Meta’s founder, Mark Zuckerberg, is still firmly at the helm thanks to an unusual ownership structure that prevents him from being fired.
Thanks to that, we will all get to watch Mr. Zuckerberg drive the company into the ground. From 2021 to 2026, he poured $80 billion into the Metaverse in the firm belief that we would all want to don headsets and hang out in a virtual world populated by legless avatars. Even after shutting that project down, the company still loses billions a quarter on projects like selling $500 “smart” glasses that are not only unpopular but also give major creep-filming-you-without-consent vibes.
While its adventures in avatars were going nowhere, Meta’s revenues still soared as even more ad dollars moved online in the pandemic. Then in 2022, the revolutionary chatbot ChatGPT burst on the scene, and Mr. Zuckerberg jumped into the A.I. race with an open checkbook. Pontificating about the democratization of A.I., he sank about $100 billion into building an A.I. model that anyone could run on their own machine. But last year, when that model turned out to be too slow, too inaccurate and too unwieldy for most people to operate on their own, Mr. Zuckerberg abandoned the effort and plunked down another $14 billion for a new team to play catch-up with the other leading A.I. models. Now Meta has said it will spend another $115 billion (minimum) over the next year into its new effort, which thus far performs worse than the competition.
Where is this money coming from? Increasingly, Meta has been using debt to fuel its spending, amassing $59 billion in long-term debt on its balance sheet by the end of 2025, double the prior year’s total. And that doesn’t count the “aggressive” accounting it has used to keep the cost of a $27 billion Louisiana data center off its books. “The spending growth looks increasingly unsustainable,” The Wall Street Journal’s “Heard on the Street” columnist Asa Fitch wrote this week.
Now, as the company careens from one staggeringly expensive misadventure to another, its cash-cow core business is starting to wear out. Last quarter, the number of daily active users across its properties declined for the first time to 3.56 billion from 3.58 billion.
When an aging business starts to take on water, the quickest, easiest — and most destructive — solution is to make moves that will generate more money now, but may cost the company later. And that’s exactly what Meta has started to do. In the first three months of this year, the company started cramming more ads onto its platforms while charging advertisers more. Those choices may have allowed the company to increase its revenue-per-user by a significant 27 percent in the first quarter of 2026, but they are also likely to further alienate users (and annoy advertisers).
At the same time, judges and juries are starting to penalize Meta for the societal harms of its products. In March, the company (alongside YouTube) lost a bellwether lawsuitalleging that its addictive design choices triggered anxiety, depression and body-image issues in a teen. Waiting in the wings are over 100,000 similar cases seeking claims in the tens of billions of dollars.
There is a grim satisfaction in watching this organization hoist with its own petard. This is the company that profited from trafficking in lies, that tuned its algorithms to boost hatred and division, that stole our data and used it against us, that created the culture of toxic memes that are now central to our degraded public discourse. The fall of Facebook could even be a sign of a heartening turn in our national conversation: TikTok traffics more in inspirational content — prom videos are currently trending — than in the divisive narratives Facebook fostered.
But in the continued absence of any meaningful regulation, history shows us that internet companies can still wreak a lot of damage when they are in decline.
As it was being outpaced by Google on nearly every front, Yahoo failed to invest in cybersecurity and fell victim to what is still the largest data breach of all time. In 2014, Russian hackers gained access to 500 million Yahoo accounts, targeting Russian dissidents and journalists while stealing gift card and credit card numbers.
Meta’s properties, which are already riddled with fraud and scams, are likely to get even worse, given that the company has been slashing its work force in key areas focused on A.I. safety and identifying dangerous and illegal content. That means its apps are likely to grow even more polluted with everything from A.I. deep fakes to child sexual abuse material.
And Meta is still Meta. Even after losing that bellwether case on its efforts to addict users to its platforms, Meta’s chief financial officer, Susan Li, recently bragged to Wall Street that the company is using A.I. to increase the amount of time users spend watching videos and interacting with content. Fortunately, given the company’s recent track record, there’s a good chance that at least some of these terrible ideas are likely to end up in the same graveyard where Meta’s other expensive flops are buried.
Meta may be dying, but rest assured it won’t go gently into that good night. Maybe that could be a good thing. The more users quit, and the more corroded Meta’s apps grow, the faster we can all log off and close this chapter of the social-media revolution forever.
Julia Angwin, a contributing Opinion writer and the founder of Proof News, writes about tech policy. She is the author of the forthcoming book “On Courage: How to Be a Dissident in an Age of Fear.”
Thursday, May 07, 2026
Wednesday, May 06, 2026
Neil deGrasse Tyson: Give Us the Aliens
Neil deGrasse Tyson: Give Us the Aliens
“Neil deGrasse Tyson, an astrophysicist, expresses his desire for the release of U.S. government files on aliens and UFOs to include an actual alien. He highlights the anticlimactic nature of the files, given prior testimonies and declassified information. Tyson also explores the human tendency to imagine aliens as humanoid, despite the vast diversity of life on Earth, and suggests that aliens might perceive humans differently based on our cultural norms and behaviors.
By Neil deGrasse Tyson
Dr. Tyson is an astrophysicist and the author of “Take Me to Your Leader: Perspectives on Your First Alien Encounter.”
Ever since childhood I’ve wanted to be abducted by aliens. Now, as a professional astrophysicist armed with the knowledge of the size, age and composition of the cosmos, I know that nothing prevents any of us from imagining a universe teeming with life.
So the impending release of U.S. government files on aliens and U.F.O.s is a good thing, even if it feels like a distraction from other important files we’ve all been waiting to be disclosed. I expect the alien files will be anticlimactic. After a parade of alien insiders and whistle-blowers testified under oath to Congress in 2023, 2024 and 2025, what’s left to learn?
Personally, I’d be delighted if the files were accompanied by an actual alien. Alive or dead or undead. Preferably alive. Is that too much to ask for?
The whistle-blowers have already told us about the crashed flying saucers, extraterrestrial bodies and alien technology in our possession — hidden in undisclosed places. Not only that, but secret files have been declassified before. A 2017 headline in this newspaper was unambiguous: “Glowing Auras and ‘Black Money’: The Pentagon’s Mysterious U.F.O. Program.” And who could forget the Air Force’s Project Blue Book, which studied more than 12,000 U.F.O. sightings from 1952 until the project was terminated in 1969, with the goal of assessing threats to national security.
What’s clear, however, is that if an authentic alien walked out of the halls of Congress, nobody would ever again have to ask if you “believe” in aliens, just as nobody questions the existence of elephants. An alien of the alien files could become the literal elephant in the room.
Without good evidence of what actual aliens look like, we’re stuck imagining them. And imagine them we do. IMDb, an online database about entertainment, lists hundreds upon hundreds of films, TV shows, video games and documentaries about aliens — both friendly and evil. Mostly evil.
Disappointingly, in nearly all these portrayals, these aliens look a lot like us. They’re humanoid, with a head, two eyes, a nose, a mouth, a neck, shoulders, a torso, arms, fingers and legs. Remember that most life on Earth, with which we have DNA in common, looks nothing like us or any vertebrate animal. So we should expect aliens with no DNA in common — or no DNA at all — to look at least as different from humans as humans and other life-forms on Earth (like jellyfish or termites) look different from each other.
The only thing that would shock me about a living, declassified alien is if most Hollywood depictions ended up being right, violating everything we know about biodiversity on Earth and across the universe.
We care a lot about what aliens look like, but we don’t pay nearly enough attention to what we might look like to them. If an alien emissary landed in Los Angeles, for example, its first impression might be that Earth’s dominant life-form is the automobile. The city is heavily crisscrossed by major freeways, many of them 12 lanes wide. People line up in their cars on slow lines to obtain fast food handed through a window. They consume the food while still seated, never exiting their vehicles. Some of the larger life-forms on the freeway carry multiple automobiles within them. To the aliens, these car haulers are surely pregnant.
Assuming on arrival that the alien knew we were human, it would probably want to meet the person in charge. Who exactly would that be? The president? The prime minister? The pope? Or would it be a multibillionaire or captain of industry? Not knowing anything in advance about human civilization, but picking up clues from our cultural norms before arrival from leaked radio waves, an alien might instead expect to meet Ryan Gosling, Taylor Swift or Oprah Winfrey.
If we look more deeply into our own alien stories, there’s a persistent plotline that aliens are evil and want to kill us all. I suspect those fears are based not on what we believe about aliens but on what we know about humans.
In the history of our species, there’s no shortage of technologically advanced cultures that commit rampant violence against less-advanced ones. Within what we call civilization, humans oppress — or kill — one another over which creator of the universe they worship, or who they sleep with, or what side of an arbitrary line on Earth’s land masses they’re born, or how absorptive their skin is to sunlight, or what set of sounds comes out of their mouths.
Upon bearing witness to our irrational ways, any visiting alien that might have accompanied the release of the alien files surely long ago escaped back home to report, “There’s no sign of intelligent life on Earth!”
Neil deGrasse Tyson is an astrophysicist who is the director of the Hayden Planetarium at the American Museum of Natural History in New York City. He is the author of “Take Me To Your Leader: Perspectives on Your First Alien Encounter.”
Apple Reaches $250 Million Settlement Over Claims It Misled People on A.I.
Apple Reaches $250 Million Settlement Over Claims It Misled People on A.I.
“Apple agreed to a $250 million settlement over claims it misled consumers about the capabilities of its artificial intelligence system, Apple Intelligence. The settlement resolves lawsuits alleging Apple oversold the features of the iPhone 16 and some iPhone 15 models. Apple denied wrongdoing but acknowledged the challenges in the global technology race to dominate A.I.
Some iPhone owners will be eligible to receive $25 to $95 over claims that the tech giant oversold its artificial intelligence system, Apple Intelligence.
Apple agreed on Tuesday to pay $250 million to settle legal claims that it misled consumers about the abilities of its artificial intelligence system, Apple Intelligence, according to court filings.
The settlement resolves a handful of class action lawsuits filed against Apple last year, which claimed the company oversold what its product could do during its rollout in 2024. Those suits were consolidated last year by the U.S. District Court for the Northern District of California, where a judge still needs to approve the settlement.
Consumers who purchased an iPhone 16 and some models of the iPhone 15 between June 2024 and March 2025 will be eligible to collect up to $95 per device, according to the filings. As part of the settlement, Apple denied any wrongdoing.
The settlement underscores Apple’s challenges in a global technology race to dominate A.I. The iPhone maker has largely sat it out, in part because it hasn’t built its own A.I. models like Google’s Gemini. Tech companies like Microsoft and Nvidia soared in value as they bet heavily on the technology.
Since “the launch of Apple Intelligence, we have introduced dozens of features across many languages that are integrated across Apple’s platforms,” Marni Goldberg, an Apple spokeswoman, said in a statement. “We resolved this matter to stay focused on doing what we do best, delivering the most innovative products and services to our users.”
Apple first teased Apple Intelligence in June 2024 as an answer to products like OpenAI’s ChatGPT. The company promised big improvements to its personal assistant, Siri, which has been part of its devices for more than a decade.
Apple also said it planned to introduce A.I. features to summarize notifications and offer help on improving writing in emails and text messages. In advertisements, the actor Bella Ramsey used Apple Intelligence to remember someone’s name and to catch up on an email.
But those features weren’t available on the iPhones that Apple shipped in September 2024. Instead, the company gradually rolled out the promised features and soon ran into problems. Notification summaries misrepresented news reports, for example, and Apple disabled that feature. In March 2025, Apple delayed the release of an upgraded Siri over quality problems.
Apple misrepresented the “capabilities of the series 16 iPhone and deceived millions of consumers into spending hundreds of dollars on a phone they did not need, based on features that do not exist,” according to one of the class action lawsuits.
In December, Apple announced the retirement of its head of A.I., John Giannandrea. In January, the company said it would use Google’s Gemini to power its A.I. products, including Siri.
David McCabe is a Times reporter who covers the complex legal and policy issues created by the digital economy and new technologies.
Kalley Huang is a Times reporter in San Francisco, covering Apple and the technology industry.“
Subscribe to:
Posts (Atom)