Passkey authentication’s highest-profile holdout is now giving its customers a more secure alternative to brittle, password-based sign-ons. On Wednesday, Facebook announced that it’s rolling out passkey logins for users of its Android and iOS apps. 

“Passkeys will soon be available on iOS and Android mobile devices for Facebook, and we will begin rolling out passkeys to Messenger in the coming months,” it says. “The same passkey you set up for Facebook will also work on Messenger once this capability launches.”

Meta’s flagship social platform is late to the party. Google opened passkey support to Gmail users more than two years ago, while other tech companies of Meta’s size have since not only added passkey support but, in Apple and Microsoft’s cases, made it standard for new accounts.

Meta’s passkey rollout is nowhere near that ambitious. A tech-support note advises that only some Android and iOS users will see it in the “Privacy and security” subsection of their Accounts Center. On Wednesday afternoon, one of four PCMag staffers with either app installed could not add a passkey. Facebook’s iPad and web users aren’t eligible for this offer at all.

(See also, how the new friends-only feed that Facebook founder and CEO Mark Zuckerberg touted in March as “OG Facebook” remains confined to its iOS and Android apps, notably excluding the web app that was the actual “OG” Facebook.)

To see if you have passkey support in your app, navigate to Settings & Privacy > Settings > Accounts Center > Password and security and look for the Passkey option.

(Credit: Facebook)

A Welcome Update

Meta isn’t offering any hints about when it might enable passkey security in those other apps, but its announcement does tout upcoming support for using a passkey to unlock its Meta Pay payment feature, log into Facebook Messenger, and secure backups of that application’s end-to-end encrypted messages. 

But even in this limited state, Facebook making passkeys a primary login option (as opposed to last year’s quiet addition of support for passkeys as a backup authentication option for users with USB security keys) should be a welcome update. 

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

Facebook continues to suffer from a serious problem with scams that lead to account takeovers, and some of its existing multi-factor authentication options can crumble if humans fail to recognize phishing sites inviting them to enter those one-time codes.

As Meta’s announcement correctly notes, passkeys can’t fall prey to phishing scams. These cryptographic credentials, generated by your device and presented to a site in response to its challenge for authentication, require that initial request to come from the correct domain name, not just a site that looks like the real thing.

As in other implementations of passkeys, Meta’s will require the user to confirm a passkey login with their mobile device’s biometric security or a PIN code. 

The company’s announcement nods to privacy concerns, stating that it can’t access any of those saved security factors: “Passkeys and the fingerprint, face scan or PIN you use to create them are always stored on your device and we’ll never see, share or store them.”

One of the password-manager services that has been particularly avid in supporting passkeys endorsed the move in a statement Wednesday afternoon. 

“We’re entering passkey primetime, and Facebook is yet another domino in the passwordless movement,” said Rew Islam, director of product engineering and innovation at Dashlane and a board member at FIDO Alliance, the industry group behind the passkey standard. “For other companies and platforms with large social followings, the writing is on the wall – passkeys aren’t a nice-to-have, they’re essential to protecting users.”

About Rob Pegoraro

Contributor

Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.

Read Rob’s full bio

Read the latest from Rob Pegoraro