PlayStation Passkeys: Simplify Logins for PS4 & PS5 Gamers

1. Introduction: PlayStation Passkeys

2. Sonys Passkey Implementation for PlayStation

    2.1 Which Sony Devices Support Passkeys?

    2.2 Which Sony Devices Do Not Support Passkeys?

3. Analyzing Sony's Passkey UX

    3.1 Sign-up

    3.2 Passkey Creation

    3.3 Passkey Management

    3.4 Login

      3.4.1 How To Use Passkeys on a PS4 Console

      3.4.2 How To Use Passkeys on a PS5 Console

4. Technical Analysis of PlayStation Passkeys

    4.1 Relying Party ID

    4.2 User Verification

    4.3 Resident Keys

5. Whats the Security Benefit of Passkeys for Sony?

6. PlayStation Passkey Troubleshooting

    6.1 Reverting to Password Sign-In

    6.2 Passkey Recovery

    6.3 Device-Specific Guidance

    6.4 Sony PlayStation Passkeys FAQ

7. Sonys Passkey Rollout

    7.1 Passkey Support for PlayStation Users

    7.2 PlayStation Passkey Promotion

    7.3 Sony's Recommendations for Passkey Syncing

8. Passkeys in Gaming: Sony vs. Nintendo vs. Microsoft

    8.1 Nintendo: The Pioneer

    8.2 Sony (PlayStation): The Courageous One

    8.3 Microsoft (Xbox): The Laggard

9. Conclusion: Passkeys @ PlayStation

1. Introduction: PlayStation Passkeys

Now Sony and their popular PlayStation consoles. After years of harsh criticism about data security and massive breaches in the early 2010s, Sony has joined many digital-first companies like Revolut, Coinbase or TikTok, to roll out passkeys as a user-friendly and secure login method. Recognizing this potential, Sony made passkeys available across its PlayStation Network (PSN) and their popular gaming consoles, the PlayStation 4 and PlayStation 5. This move is not only a significant milestone in the adoption of passkeys as a whole but also positions Sony as a forward-thinking player in the gaming and entertainment industry.

For developers, product managers, and gamers alike, understanding Sony's approach to passkeys - ranging from the technical implementation on passkeys, understanding how to setup passkeys on the PS4 and PS5 to addressing passkey errors is crucial.

Through this article about Sony's passkey rollout for PSN, PS4, and PS5, we hope to help more people understand and spark conversation of passkeys. Besides the technical implementation, user experience, and broader implications, we also explore why Sony is one of the first companies completely deleting the password for existing users in favor of passkeys.

2. Sony's Passkey Implementation for PlayStation

Sony's introduction of passkeys improves user security and convenience across its PlayStation Network (PSN), including the PS4 and PS5 consoles. The passkey rollout happens globally, ensuring that all users, regardless of their region and device (web apps, native apps, PS4 and PS5 consoles), can benefit from this advanced security feature.

Notably, Sony has dedicated a comprehensive landing page to educate users about passkeys. This resource is a great starting point for understanding the concept of passkeys, highlighting their advantages and illustrating how they can be integrated into the PlayStation user experience. Here, passkeys are not just presented as a technical feature, but as a user-friendly solution designed to streamline authentication and uplift the gaming experience.

2.1 Which Sony Devices Support Passkeys?

The following Sony devices support passkeys:

• PlayStation 4
• PlayStation 5

Of course passkeys are supported by all Windows, Apple and Android devices as well, allowing users to access the web and native apps of the PlayStation Network.

2.2 Which Sony Devices Do Not Support Passkeys?

The following older Sony devices do not support passkeys.

• PS Vita
• PlayStation 3

PlayStation has introduced passkeys

Join them

3. Analyzing Sony's Passkey UX

In the following, well be analyzing the passkey UX for the most common passkey use cases.

3.1 Sign-up

Creating entirely passkey-only / passwordless accounts by only signing up with a passkey is not yet possible as users still have to set up a password. This is somehow confusing as Sony removes the password again when you set up a passkey in the settings. This approach suggests that Sony may introduce the option for passkey-only sign-ups in the future, once passkeys become more widely recognized and adopted among the general user base. The phased approach might be intended to minimize confusion during the account creation process, especially for users who are not yet familiar with passkeys.

3.2 Passkey Creation

Creating a passkey to be used on your PlayStation console is a straightforward process. Heres how it works:

Open the native or web app for your PlayStation. Then, navigate to "Account Management" in your settings, then select "Security" followed by the "Sign In with Passkey" option. This pathway is the way to both creating and managing your passkeys.

Sonys passkey implementation allows for the addition of multiple passkeys, catering to users who prefer having separate passkeys for different purposes, in different ecosystems or as a backup (see below).

As a security measure, you'll be prompted to re-enter your password before creating a new passkey. This step ensures that only authorized users can set up or make changes to passkeys (this is also called step up authentication).

Upon successfully creating a passkey, you'll receive an email notification. This not only serves as a confirmation of the action taken but also acts as an alert in case the creation was not authorized by you, adding an extra layer of security.

The email was unfortunately set only in German.

3.3 Passkey Management

If the users goes back to the Account Settings , there will be a new option Manage Passkeys.

After selecting this new option, all existing passkeys are displayed, each identified by the user agent of the device that initiated their creation. This process could benefit from a more user-friendly approach, such as implementing a user agent parser to enhance the overall user experience.

If the user clicks on the Create a Passkey button on the bottom the following modal appears:

In this test, we clicked on "Create on This Device" despite knowing a passkey already existed on this device. We received an error message as a result. However, the message did not explicitly state that the error was due to an existing passkey on the device. The terminology, such as "Create a passkey on this device," might be misleading, suggesting the possibility of generating an additional passkey directly on the same device. However, the use of the excludeCredentials parameters prevents the creation of a second passkey on the same device. In practice, managing multiple passkeys requires a third-party password manager or cross-device authentication via another smartphone.

Clicking on the Create on Another Device button displays a Sony-owned QR code, which is not the official WebAuthn QR Code for cross-device authentication.

We scanned the QR code on a smartphone that opened the PlayStation login page on the smartphone's browser. However, this process was disrupted when attempting to sign in with a passkey that is not, leading to an error message from the Google Password Manager.

The pathway forward becomes less straightforward when clicking on the "Can't Sign In with Passkeys" option, because we only had a passkey on our non-synced Windows machine. Opting to proceed with a "Send Sign In Email" appears promising by offering an email magic link, but this loop frustratingly returns users to the same page without resolving access issues, especially for those reliant on device-bound / non- synced passkeys (e.g. our passkey is currently managed by Windows Hello).

In search of a solution, the "Trouble Signing In?" option presents itself as a lifeline, offering account recovery or additional help.

For users wishing to manage or remove their passkeys, the "Account Management" section provides these options, along with the ability to revert to traditional password sign-in by disabling the "Sign in with Passkey" feature.

The naming of passkeys, based on unparsed user agents, is already a source of confusion. This confusion is made worse by the uniform naming of passkeys, regardless of whether they are stored in Google Password Manager or elsewhere, making it difficult to differentiate between them. The identification relies simply on the user agent of the client device attempting to access the service. This ambiguity becomes even more pronounced when cross-platform authenticators like a YubiKey are used to create a passkey, underscoring the need for a more intuitive and distinct user experience. In the provided screenshot, you can see three different passkeys from various platforms / ecosystems, yet all have the same user agent name:

3.4 Login

The login experience across its web app, native iOS, and Android apps feels super smooth, thanks to the adoption of Conditional UI. A great practical benefit of passkeys for PlayStation is the eliminated need for PlayStation users to enter passwords on their consoles.

Note that the autofill menu in the back is caused by 1Password which was the detault password manager on this Windows laptop.

Besides, PlayStation gamers can now seamlessly connect their PSN accounts with a smartphone or another compatible device, offering a streamlined login process across platforms. The experience is also great in native apps, where signing in from the native Android and iOS apps worked flawlessly.

The most remarkable aspect of using passkeys on the PS4 / PS5 is the elimination of the need to type in credentials. By merely scanning a QR code and authenticating via Face ID, users can instantly access their console. This feature is particularly advantageous in social settings, such as logging in at a friend's place. Rather than typing out a password - potentially compromising its security in the presence of others - users can enjoy a login through a quick QR scan, maintaining the integrity of strong passwords typically generated and remembered by password managers.

3.4.1 How To Use Passkeys on a PS4 Console

The following screenshots were unfortunately only available in German. We try to provide English translations in the paragraphs.

On your PS4, go to your Settings and access Account information / Kontoinformationen. There is an option to enter the Security / Sicherheit settings:

In there is an option to sign in with a passkey: Sign in with Passkey / Mit Pass-Key anmelden (for some reason "passkey" is written with a dash which is quite uncommon, even in German)

After clicking on it, you will see a QR code that you should scan with your smartphone (where your passkey is stored / synced). If scanning the QR code does not work for any reason, a six-digit code is provided that you can use.

Scanning this QR code on your smartphone, opens the corresponding PlayStation sign-in page in your browser. The email should be prefilled (but you can add it manually if it is not).

After clicking on Next, you will see the option to Sign In with Passkey.

After clicking this option, the passkey login flow (here via the Android Credential Manager is triggered) and you will be redirected to logged-in page after successful authentication

3.4.2 How To Use Passkeys on a PS5 Console

The following screenshots were unfortunately only available in German. We try to provide English translations in the paragraphs.

In general, the PS5 passkey sign in flow is very similar to the PS4 passkey sign in flow.

If you got to Users and Accounts / Benutzer und Konten and click on Account / Konto , you should see the following screen:

Click on Security / Sicherheit:

Apparently, passkeys are still Disabled / Deaktiviert for your account, so click on Sign In with Passkey / Mit Pass-Key anmelden.

Contrary to the PS4, the PS5 shows a passkey promotion screen:

Then, youll see a similar screen to the PS4 again, where you have the chance to scan a QR code.

After scanning the QR code with your smartphone, your smartphones browser will open and you need to enter your email address, log into your account with your password, create a passkey (as described above there will be a prompt to create the passkey). Then you have to log out (Abmelden) and re-login with your passkey. This is the screen after the logout:

Click on Sign In / Anmelden and youll see the following screen:

You need to either scan the QR code with a smartphone that has access to your created passkey or you can enter the 6-digit code. You will be redirected on your browser to the specific PlayStation sign-in page, can sign in there with your passkey and in the background your PS5 will be logged in as well.

4. Technical Analysis of PlayStation Passkeys

During the passkey creation process, the PublicKeyCredentialCreationOptions are used. Here, interesting information can be extracted that provides insights into how the WebAuthn server is configured.

PublicKeyCredentialCreationOptions:

{
  "attestation": "none",
  "authenticatorSelection": {
    "residentKey": "preferred",
    "userVerification": "preferred"
  },
  "challenge": "AORsLdkGi-LPDC-1KreePOYxcunWO8mkoEmhSuP5KQ",
  "excludeCredentials": [],
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -37,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "rp": {
    "id": "my.account.sony.com",
    "name": "Sony"
  },
  "user": {
    "displayName": " vincent.delitz@corbado.com",
    "id": "lelPbtrG1kYRPJVJwnhRzJdJTJNzk7VL68MG4fOw9QI",
    "name": "vincent.delitz@corbado.com"
  }
}

4.1 Relying Party ID

The Relying Party ID is a critical component, acting as a unique identifier for the service requesting the authentication (in this case, Sony's PlayStation Network). It is set to my.account.sony.com. This ID ensures that the authentication process is securely anchored to the correct domain, preventing phishing attacks and ensuring that credentials can't be tricked into being used by a malicious actor.

4.2 User Verification

userVerification specifies the desired level of user interaction when creating or using credentials. It can range from a simple presence test to more stringent biometric checks. This setting allows developers to balance security needs with user convenience. For PlayStation, the setting is preferred.

4.3 Resident Keys

residentKey is set to preferred to streamline the experience for non-technical users and making sure that Conditional UI is possible.

5. What's the Security Benefit of Passkeys for Sony?

Sony's PlayStation Network (PSN) has already faced some security breaches, most notably the 2011 hacks that exposed personal data and passwords of millions of users. These incidents not only highlighted vulnerabilities in Sony's security framework but also underscored the need for robust measures to protect user information and maintain trust. In response, Sony implemented CAPTCHAs as a deterrent against bot access, however at the cost of user convenience, as many gamers on Reddit voiced their frustrations.

With the creation of a passkey, Sony removes the users password entirely from its system. This move directly addresses the risk of phishing attacks and credential stuffing, two prevalent threats in the digital world. Passwords, often reused and easily compromised, have been a weak link in security chains across various platforms. Sony's decision to disable password-based login altogether is a move we havent seen from any other player yet.

Furthermore, the automatic deactivation of 2FA via SMS OTPs when a passkey is created mean an acknowledgment of the limitations and vulnerabilities associated with SMS-based verification. While SMS OTPs are very popular in 2FA implementations, they are susceptible to interception and SIM swap attacks. By moving away from SMS OTPs, Sony not only improves its security measures but also reduces operational costs associated with sending SMS messages.

Become part of our Passkeys Community for updates and support.

Join

6. PlayStation Passkey Trouble Shooting

To ensure a smooth user experience, Sony has outlined specific troubleshooting steps for common issues encountered during the use of passkeys.

6.1 Reverting to Password Sign-In

Sony's primary advice for resolving passkey-related issues revolves around temporarily reverting to traditional password sign-in. This approach is particularly recommended in the following scenarios:

• Remote Play on Mac: If you encounter difficulties using a passkey with Sony's Remote Play feature on a Mac, reverting to password sign-in is advised to bypass the issue and regain access.
• Web Browser Compatibility Issues: Passkeys demand modern web technologies that might not be supported by outdated web browsers. If your browser is not up-to-date and you're facing compatibility issues, switching back to password sign-in can provide an immediate, though temporary, solution.

6.2 Passkey Recovery

In some rare cases, if you lose the device associated with any of your passkeys, you might need to contact the Sony recovery team, which can help you regain access to your account. Online users already complain that losing your phone means you have to call support, and providing proof of ownership is not ideal. They would prefer to have some form of recovery code.

6.3 Device-Specific Guidance

Sony acknowledges that certain devices, particularly Android and Windows, may present unique challenges when using passkeys. Users experiencing difficulties are encouraged to select the Cant Sign In with Passkey option to navigate these obstacles. Additional device-specific advice includes:

• Android: Ensure that Google Play Services are active and up-to-date, as they play a crucial role in facilitating the passkey functionality. Some Android smartphones may require the installation of a dedicated QR code scanner app if the default camera application does not support QR scanning.
• iOS: Activation of the iCloud Keychain is a prerequisite for using passkeys on iOS. This feature stores and synchronizes passkeys across your Apple devices, enabling seamless authentication experiences.

6.4 Sony PlayStation Passkeys FAQ

Do I need Bluetooth for passkeys to work on my PS4 / PS5?

In general, Bluetooth is not needed for passkeys to work on the PS4 / PS5. Even though WebAuthn cross-device authentication leverages QR codes together with Bluetooth to ensure device proximity, it is not required in scenarios where you want to use the passkey for a PS4 or PS5 console. You have to scan a QR code but this is a proprietary QR code by Sony and does not replace the QR code used in WebAuthn cross-device authentication. To still improve security (even though there is no proximity check via Bluetooth), the QR code is only valid temporarily.

However, if you use WebAuthn cross-device authentication for logging into your PlayStation account with a device that serves as a client and does not hold the passkey, you would need Bluetooth to adhere to the WebAuthn protocol.

The passkey on my PS4 / PS5 is not correct?

This is a very rare case and usually implies that someone tries to get access via a passkey to your account with some malicious data. As passkeys are phishing-resistant and bound to a domain (relying party ID), you dont need to fear these vulnerabilities.

7. Sony's Passkey Rollout

7.1 Passkey Support for PlayStation Users

Sony's support page dedicated to passkey setup and management can be found here. This page is designed to offer clear, step-by-step instructions covering a wide array of topics (from what weve seen so far, this is one of the best support pages while still being very concise):

• Set Up a Passkey: Users are provided with a detailed guide on how to create a passkey, making the initial setup process as straightforward as possible.
• Sign in with a Passkey: Instructions on how to use a passkey for signing into the PlayStation Network, emphasizing the simplicity and enhanced security of passkey-based access.
• Manage Passkeys: Guidance on how to manage existing passkeys, including how to add, remove, or update passkeys, granting users full control over their authentication methods.
• Revert to Password Sign-In: For users encountering issues or those who prefer traditional login methods, the page offers advice on how to revert back to using a password for sign-in purposes.
• Troubleshooting: Solutions and troubleshooting tips for common issues faced by users when using passkeys, ensuring a smooth and frustration-free experience.
• FAQ: A comprehensive list of frequently asked questions, providing answers to common queries and concerns regarding the use and management of passkeys.

7.2 PlayStation Passkey Promotion

Sony has launched a dynamic trailer Introducing Passkey for PlayStation on YouTube to introduce and promote the concept of passkeys to the PlayStation community. The video mixes scenes from popular PS4 and PS5 games with scenarios depicting the typical gamer experience.

Through the video, Sony emphasizes the key benefits of passkeys in a manner that resonates with gamers' needs for security, convenience, and speed. The primary advantages highlighted include:

• Simplified Access: The use of passkeys simplifies access to accounts on PlayStation devices.
• Trusted Device Sign-In: Gamers are encouraged to use a trusted device for sign-in, ensuring a secure and personalized access to their PlayStation accounts.
• Faster Game Start: By eliminating the need to enter passwords, passkeys significantly reduce the time it takes to start playing.
• Enhanced Security: The video assures that passkeys cannot be guessed or reused, offering a robust layer of protection against common security threats.

7.3 Sony's Recommendations for Passkey Syncing

Sony warns that some hardware security keys may encounter issues. For this reason, they recommend using synced passkeys, which are more user-friendly. Specifically, Sony advises syncing passkeys across the following platforms:

• Apple iCloud Keychain (targeting iOS and macOS users)
• Google Password Manager (targeting Android users)
• 1Password (targeting cross-platform and Windows users)
• Dashlane (targeting cross-platform and Windows users)

8. Comparison: Gaming Industry on Passkeys

In the following, we briefly analyze how the three major gaming giants behave when it comes to the adoption of passkeys. Nintendo, Sony (PlayStation) and Microsoft (Xbox) have taken varied approaches to implementing passkeys.

8.1 Nintendo: The Pioneer

Nintendo has positioned itself as a pioneer in the gaming scene by introducing passkeys in Q3/2023. Nintendo supports the registration of up to 10 different passkeys per account, compatible with iPhones, iPads, macOS devices, and Android devices. Although there's an anticipation for Windows support, an official announcement has yet to be made. Nintendo's early adoption and broad device support showcase its pioneering spirit and focus on cross-platform compatibility.

8.2 Sony (PlayStation): The Courageous One

Sony's approach to implementing passkeys in its PS4 and PS5 consoles and PlayStation Network (PSN) is the most courageous one. By ditching passwords and 2FA via SMS OTPs entirely, plus making passkeys available on all browsers, devices, platforms and the two latest console generations, Sony doubles down on passkeys.

8.3 Microsoft (Xbox): The Laggard

Even though Microsoft has added passkey support to Microsoft 365, GitHub, and soon LinkedIn, there's no clear indication of when and how their Xbox consoles will adopt passkeys to streamline user authentication for gamers.

The gaming community, known for its openness to new technologies, especially those enhancing security, is an ideal target for rolling out passkeys. The move towards passkey adoption by industry leaders like Nintendo, Microsoft, and potentially Sony, signifies a shift towards a future where digital security and user convenience coalesce, offering gamers not just a platform for entertainment but a secure and seamless user experience.

9. Conclusion: Passkeys @ PlayStation

In conclusion, Sony's global rollout of passkeys across its PlayStation Network, PS4 and PS5 marks a big shift in the gaming industry's approach to digital security and user experience. By embracing passkeys, Sony not only enhances the security of its platform in response to past vulnerabilities but also sets a new standard for user convenience.

The thorough integration of passkeys into the PlayStation ecosystem, supported by comprehensive educational resources and a user-friendly setup process, exemplifies Sony's commitment to innovation. Sony's step in fully adopting passkeys, eliminating traditional passwords and SMS OTPs, not only addresses the issues of security breaches and phishing attacks but also elevates the gaming experience by making it faster and more seamless.

As the gaming community continues to embrace new technologies, Sony's approach to passkeys could very well inspire further innovations in digital security and user authentication methods across the gaming and entertainment sectors.