Apple wants to replace passwords with your iPhone or Mac
Apple is working toward a future without passwords with a new iCloud Keychain "passkey" feature that was previewed at WWDC 2021.

In a WWDC developer session called "Move beyond passwords," Apple teased a new feature called "passkeys in iCloud keychain." The feature is available for testing in iOS 15 and macOS Monterey, but isn't yet ready for a full release.
Essentially, passkeys are pairs of private and public keys based on the WebAuthn standard. They work basically like a hardware security key, but are stored securely in iCloud Keychain.
This means users won't need to carry hardware keys with them -- their iPhone, iPad, or Mac will contain the passkeys. More than that, passkeys will be synced across various devices, meaning they're recoverable even if a user loses all of their devices. Compared to traditional passwords, these passkeys offer a number of security benefits. They aren't guessable, they can't be reused across services, and they're not vulnerable to phishing or data breaches.
For users, passkeys will offer an easy and secure alternative to passwords. When implemented, all a user will need to do is authenticate with Face ID to log in. Passkeys in iCloud Keychain would be usable anywhere that supports WebAuthn. Currently, that includes browsers and apps on Apple's platforms, but full adoption of the standard is still a few years off.
As mentioned earlier, the inclusion of passkeys in iOS 15 and macOS Monterey is for developer testing only -- it's not actually a feature yet. Apple says that testing the feature in existing apps and workflows is just the first step of a "multiyear effort in replacing passwords."
Although users won't be able to use passkeys immediately, Apple does have a suite of other security and privacy features in iOS 15 and macOS Monterey. That includes a new built-in authenticator for two-factor logins, a Private Relay feature that encrypts web traffic and hides a user's IP address, and a feature that will allow users to create proxy email addresses.
Apple isn't the only company looking toward a future without passwords. Google at its I/O conference in May detailed a number of new privacy and security features aimed at replacing passwords.
Follow all of WWDC 2021 with comprehensive AppleInsider coverage of the week-long event from June 7 through June 11, including details on iOS 15, iPadOS 15, watchOS 8, macOS Monterey and more.
Comments
Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock in to their ecosystem just because I can’t access my keys outside iDevices.
2. What happens when I need to login to accounts via routers, TV’s and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
I agree, this is going to be a hell of a lock in if Apple has your entire internet login keychain held hostage. Apple need to think about some sort of transfer or export portability, or else get even more attention from antitrust investigation.
Same as above, it's not required and if you are worried about future compatibility then it isn't the tool to use.
You both also seem to be forgetting that iCloud Keychain has a Chrome extension and isn't only available on Apple products.
Aren’t they Apple’s servers? Does the Patriot Act force Apple to hand over this info?
Lately I've been thinking it’s time for Apple to include a micro SSD with maybe 512GB of storage inside their devices to store sensitive info on device. Make it some strange format and it will be a deterrence for those who want the info. Or is this what the Secure Enclave does?
Most logins these days allow a number of methods like Login with Google/Facebook/email/Apple. This method Apple describes would be the Login with Apple option. If people choose to login using other methods that require a password, they are just weakening their account but the people who make logins can do whatever they want.
Ideally all companies would adopt keys for logins (and create an open standard) but Apple is in the best position to implement it because they make desktops/laptops/phones with security hardware and the OS and the browser and have cloud services so they can easily sync keys across all devices.
For example:
- user signs up to website using email and chooses to use Apple Keys
- the keys then get set up and the website links the public key to the website account id/email
- user decides they want to also use Google/Samsung/Microsoft Keys and the website links the same account id to this public key too
- when the user logs in using the non-Apple device, it can send the public key used or some signing message and the website knows which public key to use to encrypt the challenge with
---------
website
---------
account: user@email.com, Apple Key (public): hu7gfgv, Other Key (public): kujh8cg
---------
Login via Apple device
----------
send Apple Key (public), website sends encrypted challenge, use Apple Key (private) to decrypt and login
----------
Login via Other device
----------
send Other Key (public), website sends encrypted challenge using Other Key, use Other Key (private) to decrypt and login
----------
They can even allow login via QR code and have the device scan the code or just message the device and have the user verify the login request.
I honestly don't know why this has taken so long and why it's still a multi-year plan, maybe securing the private keys locally is tricky for 3rd parties but this kind of authentication is already used for a few things like SSH and software repositories. It's usually still set up manually (generating key pairs and pasting them) so it just needed some ease-of-use for widespread adoption.
I haven't reviewed the WebAuthn specification in great detail, but every server-side implementation I've seen so far supports many keys associated with the user account. Setup of additional keys is likely to be cumbersome, though that depends on the service. In the WWDC session, they mention they're still working on making the keys interoperable with other device brands. I expect that will take the form of a public format for exporting the keys, and it will be up to others to support importing them from that format.
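An added illustration, not part of the article or of any comment and not Apple's code: a simplified WebAuthn-style login in Node.js, covering the key pairs the article describes and the several-keys-per-account setup discussed in the comments above. In WebAuthn the device signs the site's challenge together with the origin the browser reports, which is why a look-alike site cannot reuse a login; the function and class names, `user@example.com` and the `shop.example` origins are assumptions made for the example.

```javascript
// Added example: simplified WebAuthn-style login (signatures, not encryption).
// Real WebAuthn also signs authenticator data (RP ID hash, counter); omitted here.
const crypto = require('crypto');

// Authenticator: the private key stays on the device; only the public key is shared.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { id: crypto.randomBytes(16).toString('hex'), publicKey, privateKey };
}

// The browser (not the page) supplies the origin that gets signed with the challenge.
function signAssertion(passkey, challenge, origin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey);
  return { id: passkey.id, clientData, signature };
}

// Website (relying party): stores public keys only, any number per account.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Map(); }
  register(user, passkey) {
    if (!this.keys.has(user)) this.keys.set(user, new Map());
    this.keys.get(user).set(passkey.id, passkey.publicKey);
  }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // one attempt per challenge, so replays fail
    const publicKey = this.keys.get(user)?.get(assertion.id);
    if (!expected || !publicKey) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.type !== 'webauthn.get' || data.challenge !== expected) return false;
    if (data.origin !== this.origin) return false; // signed for a different site
    return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
  }
}

// Constructed scenario: two devices on one account, then a look-alike origin.
function demo() {
  const user = 'user@example.com', site = new RelyingParty('https://shop.example');
  const phone = createPasskey(), laptop = createPasskey();
  site.register(user, phone); site.register(user, laptop);
  const ok = site.verify(user, signAssertion(laptop, site.newChallenge(user), 'https://shop.example'));
  const relayed = signAssertion(phone, site.newChallenge(user), 'https://shop-login.example');
  return { ok, phished: site.verify(user, relayed) };
}
```

The website never holds anything secret about the user: a breach of its key table exposes public keys only, and each stored key can be revoked without touching the others.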
I have elderly parents who constantly forget, lose, or something inexplicable happens with their passwords. My father writes them down in a notebook and often misplaces the notebook or forgets to update it when an account asks him to change passwords, or enters the correct password but into the wrong account. My mother uses only one very simple password for every account, making all of her accounts highly insecure.
As the youngest family member and thus by default responsible for household IT, I'm constantly having to help them recover their accounts because of password problems. Often, the recovery process is confusing or gets stuck somehow. And even when recovery is successful, my parents will struggle with thinking up a new password; one which isn't the same (required by the system) but will be similar enough to hopefully be remembered. Lastly, although I don't have their same problem currently, I think I will eventually when I get older.
Being able to just use your face and or fingerprint will hopefully get rid of all of these problems.
Please fill us in. How many readers understand (or even read) the lengthy EULAs agreed to with a click?
https://techtalk.pcmatic.com/2012/06/12/it-pays-to-read-license-agreements-7-years-later/
I was told at the Apple store that without iCloud the Apple Watch won't work as designed (by design) - why do all roads seem to lead to iCloud ?
https://appleinsider.com/articles/21/06/12/apple-greenlit-trump-request-for-lawmakers-data-suggests-order-slid-under-radar