X, formerly Twitter, announced today that iOS users in the United States can now log into their accounts using passkeys.
The passkeys will be linked to the iOS device they’re generated on and will significantly reduce the risk of breaches by providing protection against phishing attacks and blocking unauthorized access attempts.
They’ll also enhance user experience and security by removing the need to memorize complex passwords.
“A passkey serves as an online credential associated with your account. Instead of logging into your account with a username and password, your private passkey automatically authenticates your account using the server’s public passkey, allowing you to log in without the need to type it in,” a support document on X’s help center explains.
“Passkeys sync across your iOS devices using iCloud Keychain. This synchronization ensures redundancy if you lose your device. If you lose all of your devices, passkeys can be recovered through iCloud keychain escrow.”
To add a passkey, you have to log into your account, click “Your account” in the navigation bar, go to “Settings and privacy,” then click “Security and Account Access,” then “Security.”
Under “Additional password protection,” click “Passkey” and enter your password when prompted. Select “Add a passkey” and follow the prompts.
After setting up a passkey linked to your iOS device, you can sign in without entering your password or using two-factor authentication (2FA).
“Passkeys are constructed using public key cryptography from the WebAuthentication (or ‘WebAuthn’) standard. When you register an account, your device generates a unique key pair – one public and one private – for each account,” X says.
“The public key is shared and stored on X, while the private key remains on your device. Your passkey is never shared with X to ensure maximum security, and further reducing the likelihood of unauthorized account access.”
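The key-pair model X describes, as an added example that is not part of the original article or X's code: a simplified Node.js simulation of passkey registration and challenge-response login, showing why a relayed or replayed response fails. The class names, hostnames and user name are assumptions, and the JSON message is a stand-in for the real WebAuthn encoding.

```javascript
// Simplified model of a WebAuthn-style login (no CBOR, attestation or counters).
const crypto = require('crypto');
// The device: one key pair per site (rpId); private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this goes to the server
  }
  sign(rpId, origin, challenge) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no credential scoped to this site
    // `origin` is reported by the browser, not the page, and is covered by the signature.
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}
// The server: stores public keys only and verifies signed, single-use challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    const pem = this.publicKeys.get(user);
    if (!assertion || !expected || !pem) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData), pem, assertion.signature);
  }
}
// Constructed scenario: the hostnames and user name are placeholders.
function demo() {
  const device = new Authenticator();
  const site = new RelyingParty('https://site.example');
  site.enroll('alice', device.register('site.example'));
  const good = device.sign('site.example', 'https://site.example', site.newChallenge('alice'));
  const login = site.verify('alice', good); // correct origin, fresh challenge
  site.newChallenge('alice');
  const replay = site.verify('alice', good); // old assertion against a new challenge
  const relayed = device.sign('site.example', 'https://lookalike.example', site.newChallenge('alice'));
  const wrongOrigin = site.verify('alice', relayed); // signed data names another origin
  const otherSite = device.sign('lookalike.example', 'https://lookalike.example', 'any');
  return { login, replay, wrongOrigin, otherSite };
}
```

Calling `demo()` returns the outcome of each case: only the login signed for the site's own origin with a fresh challenge verifies, and the device holds no key at all for the other hostname.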
While X encourages all iOS users in the U.S. to use passkeys to boost their accounts’ security, passkeys are not yet required for logging in.
This announcement comes after multiple high-profile verified X accounts have been hijacked since the start of the year to push crypto drainers, including the U.S. Securities and Exchange Commission, cybersecurity firms Mandiant and CertiK, and companies like Netgear and Hyundai.