Apple wants to replace passwords with your iPhone or Mac

Posted in General Discussion
Apple is working toward a future without passwords with a new iCloud Keychain "passkey" feature that was previewed at WWDC 2021.

Credit: Apple


In a WWDC developer session called "Move beyond passwords," Apple previewed a new feature called "passkeys in iCloud Keychain." The feature is available for testing in iOS 15 and macOS Monterey, but isn't yet ready for a full release.

Essentially, a passkey is a WebAuthn credential: a public/private key pair generated on the device for one account at one site. The site keeps only the public key; the private key never leaves the user's devices and is used to sign a fresh challenge from the site at every login. Passkeys work much like a hardware security key, but the private keys are stored in iCloud Keychain, which is end-to-end encrypted, rather than on a separate physical token.

This means users won't need to carry hardware keys with them: their iPhone, iPad, or Mac holds the passkeys. Because passkeys are synced through iCloud Keychain across a user's devices, they are also recoverable even if a user loses all of their devices. Compared to traditional passwords, passkeys offer a number of security benefits. They are random, high-entropy keys rather than something a person chooses, so they cannot be guessed; a distinct key pair is created for each site, so nothing is reused across services; each credential is bound to the site's origin, so a lookalike phishing site cannot obtain a valid signature; and a breach of the site's database exposes only public keys, which cannot be used to log in.

For users, passkeys will offer an easy and secure alternative to passwords. Once set up, all a user will need to do to log in is approve the request with Face ID or Touch ID. Passkeys in iCloud Keychain would be usable anywhere that accepts WebAuthn credentials. Currently, that includes browsers and apps on Apple's platforms, but adoption of the standard across sites and services is still a few years off.

As mentioned earlier, the inclusion of passkeys in iOS 15 and macOS Monterey is for developer testing only -- it's not actually a feature yet. Apple says that testing the feature in existing apps and workflows is just the first step of a "multiyear effort in replacing passwords."

Although users won't be able to use passkeys immediately, Apple does have a suite of other security and privacy features in iOS 15 and macOS Monterey. That includes a built-in generator for the time-based one-time codes used in two-factor logins, stored alongside the password in iCloud Keychain; iCloud Private Relay, which encrypts Safari traffic and hides a user's IP address from the sites they visit; and Hide My Email, which lets users create random forwarding email addresses instead of giving out their real one.

Apple isn't the only company looking toward a future without passwords. Google at its I/O conference in May detailed a number of new privacy and security features aimed at replacing passwords.

Follow all of WWDC 2021 with comprehensive AppleInsider coverage of the week-long event from June 7 through June 11, including details on iOS 15, iPadOS 15, watchOS 8, macOS Monterey and more.


Comments

  • Reply 1 of 19
    rob53 Posts: 2,562 member
    It's about time but there will still be issues for installations where people aren't allowed to carry mobile devices except for approved passkeys devices. These devices usually don't do anything other than provide a PIN making them less of a security issue. That said, I no longer work in this kind of an environment so having a potentially better method of securely authenticating my account would be appreciated. Now if only more websites would include the Login using AppleID I'd think it might actually go somewhere.
  • Reply 2 of 19
    citpeks Posts: 144 member
    rob53 said:
    It's about time but there will still be issues for installations where people aren't allowed to carry mobile devices except for approved passkeys devices. These devices usually don't do anything other than provide a PIN making them less of a security issue. That said, I no longer work in this kind of an environment so having a potentially better method of securely authenticating my account would be appreciated. Now if only more websites would include the Login using AppleID I'd think it might actually go somewhere.

    Yes, but this new initiative won't preclude those other approved devices from still being accepted, will it?

    If Apple, or other unapproved mobile devices aren't acceptable now, and still won't be acceptable in the future, nothing has changed.

    Those situations are in the minority anyway.  To not move forward based on those situations would deny the greater overall benefit to vast majority who aren't so encumbered, and kind of like the tail wagging the dog.

    I also doubt that Apple would make this method exclusive, and abandon current solutions.  Note that existing iCloud accounts don't require 2FA to be enabled, though admittedly, that could change at some point.
  • Reply 3 of 19
    ...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
    Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
    Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
    Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
    yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
  • Reply 4 of 19
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
  • Reply 5 of 19
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
  • Reply 6 of 19
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    No, not in this case, considering how this works. Imagine having hundreds of keys and not being able to use them on Android. 
     
  • Reply 7 of 19
    crowley Posts: 8,253 member
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    And a person is supposed to predict whether they'll be using an Apple device 5 years down the line, are they?

    I agree, this is going to be a hell of a lock-in if Apple has your entire internet login keychain held hostage.  Apple needs to think about some sort of transfer or export portability, or else get even more attention from antitrust investigation.
    edited June 10
  • Reply 8 of 19
    genovelle Posts: 1,227 member
    crowley said:
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    And a person is supposed to predict whether they'll be using an Apple device 5 years down the line, are they?

    I agree, this is going to be a hell of a lock-in if Apple has your entire internet login keychain held hostage.  Apple needs to think about some sort of transfer or export portability, or else get even more attention from antitrust investigation.
    How many times would you have changed your password over 5 years? If you think you will be encumbered by the system, just don’t use it and stick with passwords. The rest of us Apple users will enjoy the benefits, because we are not planning to jump to Android. Ever.
  • Reply 9 of 19

    How many times would you have changed your password over 5 years? If you think you will be encumbered by the system, just don’t use it and stick with passwords. The rest of us Apple users will enjoy the benefits, because we are not planning to jump to Android. Ever.
    "The rest of us Apple users" is an assumption, and a biased one. Also, it doesn't matter whether all people are fine with it or not; from a company business practices side of things, this is exactly why anti-trust cases exist.
     
  • Reply 10 of 19
    So if I have an iPad that I sign in to a website with, and I work on a PC, can I still access the website on the PC?
  • Reply 11 of 19
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    No, not in this case, considering how this works. Imagine having hundreds of keys and not being able to use them on Android. 
     
    What I said applies. There is no requirement to use this. If you have hundreds of passwords you need to use on Android then this is the wrong tool for you. Don't use it. 

    crowley said:
    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    And a person is supposed to predict whether they'll be using an Apple device 5 years down the line, are they?

    I agree, this is going to be a hell of a lock-in if Apple has your entire internet login keychain held hostage.  Apple needs to think about some sort of transfer or export portability, or else get even more attention from antitrust investigation.
    Same as above, it's not required and if you are worried about future compatibility then it isn't the tool to use.

    You both also seem to be forgetting that iCloud Keychain has a Chrome extension and isn't only available on Apple products.
  • Reply 12 of 19
    Beats Posts: 2,441 member
    rob53 said:
    It's about time but there will still be issues for installations where people aren't allowed to carry mobile devices except for approved passkeys devices. These devices usually don't do anything other than provide a PIN making them less of a security issue. That said, I no longer work in this kind of an environment so having a potentially better method of securely authenticating my account would be appreciated. Now if only more websites would include the Login using AppleID I'd think it might actually go somewhere.

    Wait that last sentence made me think of something. If Apple gets more “Sign in with Apple” support maybe Apple can roll out this feature via “Sign in with Apple” and have hundreds of apps/sites/etc. supported day one.

    ...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
    Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
    Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
    Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
    yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?

    Aren’t they Apple’s servers? Does the Patriot Act force Apple to hand over this info?

    Lately I've been thinking it’s time for Apple to include a micro SSD with maybe 512GB of storage inside their devices to store sensitive info on device. Make it some strange format and it will be a deterrence for those who want the info. Or is this what the Secure Enclave does?
  • Reply 13 of 19
    Marvin Posts: 14,513 moderator
    So if I have an iPad that I sign in to a website with, and I work on a PC, can I still access the website on the PC?
    This is decided by the people who make the login authentication.

    Most logins these days allow a number of methods like Login with Google/Facebook/email/Apple. This method Apple describes would be the Login with Apple option. If people choose to login using other methods that require a password, they are just weakening their account but the people who make logins can do whatever they want.

    Ideally all companies would adopt keys for logins (and create an open standard) but Apple is in the best position to implement it because they make desktops/laptops/phones with security hardware and the OS and the browser and have cloud services so they can easily sync keys across all devices.

    For example:
    - user signs up to website using email and chooses to use Apple Keys
    - the keys then get setup and the website links the public key to the website account id/email
    - user decides they want to also use Google/Samsung/Microsoft Keys and the website links the same account id to this public key too
    - when the user logs in using the non-Apple device, it can send the public key used or some signing message and the website knows which public key to use to encrypt the challenge with

    ---------
    website
    ---------
    account: [email protected], Apple Key (public): hu7gfgv, Other Key (public): kujh8cg
    ---------

    Login via Apple device
    ----------
    send Apple Key (public), website sends encrypted challenge, use Apple Key (private) to decrypt and login
    ----------

    Login via Other device
    ----------
    send Other Key (public), website sends encrypted challenge using Other Key, use Other Key (private) to decrypt and login
    ----------

    They can even allow login via QR code and have the device scan the code or just message the device and have the user verify the login request.

    I honestly don't know why this has taken so long and why it's still a multi-year plan, maybe securing the private keys locally is tricky for 3rd parties but this kind of authentication is already used for a few things like SSH and software repositories. It's usually still setup manually (generating key pairs and pasting them) so it just needed some ease-of-use for widespread adoption.
    edited June 10
  • Reply 14 of 19
    zimmie Posts: 537 member
    ...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
    Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
    Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
    Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
    yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
    This involves storing the private keys in iCloud Keychain, which you should read about. Apple doesn't have the ability to read passwords or private keys stored in iCloud Keychain.

    This is a fine idea but:

    1. I want to transfer this data out of iCloud, which should be allowed by Apple. I don’t want a lock-in to their ecosystem just because I can’t access my keys outside iDevices.

    2. What happens when I need to log in to accounts via routers, TVs and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.
    Super easy, when a tool doesn't work for your use case you don't use it.
    No, not in this case, considering how this works. Imagine having hundreds of keys and not being able to use them on Android.

    I haven't reviewed the WebAuthn specification in great detail, but every server-side implementation I've seen so far supports many keys associated with the user account. Setup of additional keys is likely to be cumbersome, though that depends on the service. In the WWDC session, they mention they're still working on making the keys interoperable with other device brands. I expect that will take the form of a public format for exporting the keys, and it will be up to others to support importing them from that format.
  • Reply 15 of 19
    am8449 Posts: 360 member
    I'm really looking forward to this feature rolling out, which will finally alleviate the mess of trying to recover accounts with forgotten passwords.

    I have elderly parents who constantly forget, lose, or something inexplicable happens with their passwords. My father writes them down in a notebook and often misplaces the notebook or forgets to update it when an account asks him to change passwords, or enters the correct password but into the wrong account. My mother uses only one very simple password for every account, making all of her accounts highly insecure.

    As the youngest family member and thus by default responsible for household IT, I'm constantly having to help them recover their accounts because of password problems. Often, the recovery process is confusing or gets stuck somehow. And even when recovery is successful, my parents will struggle with thinking up a new password; one which isn't the same (required by the system) but will be similar enough to hopefully be remembered. Lastly, although I don't have their same problem currently, I think I will eventually when I get older.

    Being able to just use your face and or fingerprint will hopefully get rid of all of these problems.
  • Reply 16 of 19
    ...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
    Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
    Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
    Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
    yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
    Wow, none of that works the way you think it does. 
  • Reply 17 of 19

    How many times would you have changed your password over 5 years? If you think you will be encumbered by the system, just don’t use it and stick with passwords. The rest of us Apple users will enjoy the benefits, because we are not planning to jump to Android. Ever.
    "The rest of us Apple users" is an assumption, and a biased one. Also, it doesn't matter whether all people are fine with it or not; from a company business practices side of things, this is exactly why anti-trust cases exist.
     
    Antitrust wouldn’t apply here. Besides, there will be a way to export the keys anyway. 
  • Reply 18 of 19
    zimmie said:
    ...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
    Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
    Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
    Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
    yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
    This involves storing the private keys in iCloud Keychain, which you should read about. Apple doesn't have the ability to read passwords or private keys stored in iCloud Keychain.

    Wow, none of that works the way you think it does. 
    Of course there is much one cannot know...  
    Please fill us in.  How many readers understand (or even read) the lengthy EULAs agreed to with a click?
    https://techtalk.pcmatic.com/2012/06/12/it-pays-to-read-license-agreements-7-years-later/

    I was told at the Apple store that without iCloud the Apple Watch won't work as designed (by design) - why do all roads seem to lead to iCloud ?

    https://appleinsider.com/articles/21/06/12/apple-greenlit-trump-request-for-lawmakers-data-suggests-order-slid-under-radar