Apple passkey feature will be our first taste of a truly password-less future

Posted in General Discussion
Apple and other tech giants want to get rid of passwords for online accounts and apps. Here's why that's going to be a great thing for your online account security.

Apple passkey feature

At its WWDC 2022 keynote on Monday, the iPhone maker announced a new feature called passkeys. It's essentially a new type of login credential that seeks to replace passwords for signing in to accounts. It will debut in the fall in iOS 16, macOS Ventura, and Apple's other 2022 updates.

While passwords may be familiar, they actually come with a number of disadvantages that passkeys could address. Here's what you should know about the feature -- and how it signals a broader move toward a more secure online ecosystem.

What are passkeys?

Apple passkeys are essentially a sign-in credential that you unlock with biometrics. Instead of typing a password to log into an app or online account, you'd use a passkey stored on your device.

Passkeys are based on the Web Authentication API (WebAuthn), a security standard that uses public key cryptography for authentication. You can think of a passkey as a software version of a hardware security key.

Once you set up a passkey on an account, you'll be able to use it to log in by authenticating with either Face ID or Touch ID.

When it launches, you'll be prompted to create and save a passkey in apps or websites.

When it comes time to get into your account, the website or app will push a request to authenticate to your device. From there, scan your face or your thumbprint -- and you're done. It's a one-tap login process, so it combines both stronger security and increased convenience.

Also, passkeys can be backed up to iCloud and synced across your iPhone, iPad, and Mac devices in an end-to-end encrypted fashion.

You'll also be able to log into your accounts on non-Apple devices by using an iPhone or iPad to scan a QR code and authenticating using biometrics.

Although the feature was formally announced at WWDC 2022, Apple actually previewed it at its 2021 developer conference. At the time, Apple said it would be part of a multiyear effort to replace passwords with something more secure.

Benefits of ditching passwords

Passwords are the current standard for online account login and verification. However, despite their ubiquity, passwords aren't a very good standard.

For one, users need to remember them. That leads to the common practices of using easily guessable credentials or reusing the same password across multiple services. Both of those make it easier for an attacker to break into your online accounts.

Logging into an account with a passkey will be as simple as using Face ID.

Passwords are also vulnerable to cyber attacks, including data breaches. A hacker could also attempt to phish you by tricking you into typing your password into a fraudulent website.

On the flip side, a passkey can't be reused across services: each one is tied to a single site or app. Since it's stored on your device, you won't need to remember a complex password -- or be tempted to go with a simple and easily guessable one.

Passkeys also can't be phished or stolen in a data breach as easily as passwords can. Because the secret half of a passkey stays on your device and the web server holds only the matching public key, a breach of the server doesn't hand an attacker anything they can log in with.

A password-less future

The passkey announcement is not just a shiny new feature for Apple users. Instead, it's very much a herald of things to come. We're heading toward a password-less future -- and Apple's devices will be among the first to get a taste of it.

Back in May, Apple partnered up with Google and Microsoft to expand support for password-less authentication systems across their various platforms. Normally rivals, the three companies pledged to back new standards from the FIDO consortium on mobile, desktop, and browser within the next year.

The move was commended by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as "the type of forward-leaning thinking that will ultimately keep the American people safer online."

Apple and Google have both been working toward a password-less future for a while. Apple started letting developers test passkeys in 2021, while Google outlined some of its password replacement mechanisms at Google I/O the same year.

Apple users will be able to access their passkeys on all of their devices -- and even non-Apple products.

That means that users on Google and Microsoft platforms will also be able to use some type of passkey-like system to authenticate. That doesn't affect Apple users, but more people staying safer online is good for the internet as a whole.

It's likely that Apple devices will be the first to actually get access to FIDO-backed WebAuthn standards. Google will likely follow suit, meaning that the vast majority of smartphone users will have a password-less option. Over time, consumers will get familiar with a password-less system and adoption will grow.

A password-less future may not be here just yet, but it'll be here sooner than you'd think.


Comments

  • Reply 1 of 36
    ricochet Posts: 18 member
    How will Passkeys intersect with current password managers like 1Password and LastPass?
  • Reply 2 of 36
    The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!

    I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
  • Reply 3 of 36
    CheeseFreeze Posts: 1,297 member
    - What if I have multiple devices?
    - What if I lost my device?
    - Can I revoke passkeys from another device I own?

    I'm all for a new standard, but in order for people to adapt to this, they need a bit more info that isn't too technical.
  • Reply 4 of 36
    command_f Posts: 423 member
    The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!

    I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
    The only time I've had problems with TouchID is when my hands have had a hard time (sanding wood, plaster etc being a good example). If your hands have a tough time, could you perhaps use your little finger* for TouchID hoping that it gets less damage?

    *I think that's 'pinky' in US English.
  • Reply 5 of 36
    Xed Posts: 2,703 member
    "A truly password-less future" is too much marketing and hyperbole since your iCloud username and password will still be needed at the core of this technology. At best it's just significantly reducing your passwords in favor of biometrics on your Apple devices with an iCloud backend.

    - What if I have multiple devices?
    - What if I lost my device?
    - Can I revoke passkeys from another device I own?

    I'm all for a new standard, but in order for people to adapt to this, they need a bit more info that isn't too technical.
    1) It syncs with iCloud.
    2) You put that old device in lost mode, potentially erase it, and when you get a new one you sign into iCloud on it to get access to your accounts that use that Apple passkey system.
    3) You probably just revoke account (passkey) or the device, but marine they'll let you revoke specific account (passkey) from a specific device.
    edited June 2022
  • Reply 6 of 36
    welshdog Posts: 1,903 member
    This is a good development. I am using Enpass now, having dumped 1Password when they forced everyone to put their secure data in the cloud. I only sync data to our other devices via Enpass' WiFi sync system. I realize these Passkeys would/could be in the Cloud, but I'm going to assume they are encrypted/protected in some manner and if a criminal got them would not necessarily be able to use them. Sounds like it might be possible to use them in the same way I use Enpass, and sync them to devices without storing them in iCloud.
  • Reply 7 of 36
    blastdoor Posts: 3,426 member
    The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!

    I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
    that's really weird. I have never heard of this before. Are you a shapeshifter? 
  • Reply 8 of 36
    crowley Posts: 10,453 member
    The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!

    I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
    Sounds like there's either something wrong with your TouchId sensor, or there's something wrong with your finger.  I find TouchId rock solid reliable on my MBP.
  • Reply 9 of 36
    blastdoor Posts: 3,426 member
    I remember when TouchID first came out and all of the security experts went around bemoaning how terrible it is to use biometrics in place of passwords to access a device. I believe the argument was that because biometrics cannot be changed they make terrible passwords. Whatever happened to those guys? 
  • Reply 10 of 36
    Xed Posts: 2,703 member
    welshdog said:
    This is a good development. I am using Enpass now, having dumped 1Password when they forced everyone to put their secure data in the cloud. I only sync data to our other devices via Enpass' WiFi sync system. I realize these Passkeys would/could be in the Cloud, but I'm going to assume they are encrypted/protected in some manner and if a criminal got them would not necessarily be able to use them. Sounds like it might be possible to use them in the same way I use Enpass, and sync them to devices without storing them in iCloud.
    I'm pretty sure that 1Password and iCloud use a similar vault-like system that encrypts your personal vault based on your password. If you don't have that they are screwed. If your password is stolen, either because it was weak to begin with or you've been compromised, then you're also screwed.

    1Password hasn't forced anyone to use their cloud service, but I am still on version 7 instead of the newly launched version 8 because version 8 doesn't allow for syncing via iCloud or Dropbox, just through their cloud service. I do use their cloud service but it's not with my personal vault, but with shared vaults through the many family members that I manage.
  • Reply 11 of 36
    Xed Posts: 2,703 member
    blastdoor said:
    I remember when TouchID first came out and all of the security experts went around bemoaning how terrible it is to use biometrics in place of passwords to access a device. I believe the argument was that because biometrics cannot be changed they make terrible passwords. Whatever happened to those guys? 
    "Those guys" are still around. Biometrics over something you recall from memory is not the safest form of security, but it's more convenient. The beauty of Touch ID and Face ID is that it's secure enough while being very easy, so it's better for people to use them instead of simply not having any passcode at all. Getting the average person to use more complex passcode options is another challenge altogether.
  • Reply 12 of 36
    welshdog Posts: 1,903 member
    Xed said:
    welshdog said:
    This is a good development. I am using Enpass now, having dumped 1Password when they forced everyone to put their secure data in the cloud. I only sync data to our other devices via Enpass' WiFi sync system. I realize these Passkeys would/could be in the Cloud, but I'm going to assume they are encrypted/protected in some manner and if a criminal got them would not necessarily be able to use them. Sounds like it might be possible to use them in the same way I use Enpass, and sync them to devices without storing them in iCloud.
    I'm pretty sure that 1Password and iCloud use a similar vault-like system that encrypts your personal vault based on your password. If you don't have that they are screwed. If your password is stolen, either because it was weak to begin with or you've been compromised, then you're also screwed.

    1Password hasn't forced anyone to use their cloud service, but I am still on version 7 instead of the newly launched version 8 because version 8 doesn't allow for syncing via iCloud or Dropbox, just through their cloud service. I do use their cloud service but it's not with my personal vault, but with shared vaults through the many family members that I manage.

    Me: Thanks. The new extension does not work with the "Primary" vault that is stored on my Mac?
    1Password: Correct, it does not. Standalone vaults will also not be part of the next major release of 1Password. You can read dave's statement on that in his recent post: https://1password.community/discussion/comment/601917/#Comment_601917

    This conversation was between me and 1Password. I was using V7 at the time. V8, as you said, does not work with standalone vaults. So people are being forced to put their data in the Cloud if they want to use up-to-date versions of the app. V7 will eventually not be supported and will quit working on some future version of MacOS.
  • Reply 13 of 36
    command_f said:
    The only time I've had problems with TouchID is when my hands have had a hard time (sanding wood, plaster etc being a good example). If your hands have a tough time, could you perhaps use your little finger* for TouchID hoping that it gets less damage?

    *I think that's 'pinky' in US English.
    That’s what I thought. I’ve tried all my fingers, but none works longer than a day or two. (I haven’t tried my toes.)

    my mother couldn’t use her fingers at all, worse than me. Maybe it’s hereditary. 
  • Reply 14 of 36
    crowley said:
    Sounds like there's either something wrong with your TouchId sensor, or there's something wrong with your finger.  I find TouchId rock solid reliable on my MBP.
    Multiple fingers, multiple devices over several years. FaceID was a life saver! But several devices still want my fingers, and that never lasts long. 
  • Reply 15 of 36
    22july2013 Posts: 3,638 member
    It seems to me that when passkeys are used, captchas won't be needed anymore, because software bots shouldn't be able to work autonomously when biometrics are required. Yesterday I got really tired of entering captchas (about 25 times) on an internet server that I'm already paying a monthly fee for (apparently it was because I "logged in and out" over 30 times which triggered their bot-detection software.) C'mon, I'm a paying customer, so I want an authentication system that works.
  • Reply 16 of 36
    mdoss Posts: 40 member
    What about sites/apps for which we already have created passwords? Can they be migrated to use this system instead (and remove those old passwords from the app/site) without losing any prior features/data from said app or site?

    Or is this only for any new accounts we create?

    Many of us have so many logins for sites and apps we have been using for all these years, and if we have to create new accounts for all of these, thereby losing all history, it would not be very helpful.

    Also, what happens with those sites or apps that need/ask for password changes every few months? Many sites have password policies that require one to change passwords regularly.

    Would sites/apps need to implement this feature (like “Sign In with Apple” that most sites have not implemented at all) or is this something that needs no involvement from the site itself?

    Thanks and cheers
  • Reply 17 of 36
    blastdoor said:
    I remember when TouchID first came out and all of the security experts went around bemoaning how terrible it is to use biometrics in place of passwords to access a device. I believe the argument was that because biometrics cannot be changed they make terrible passwords. Whatever happened to those guys? 
    That argument isn't very relevant, because your biometrics never go to any third parties, even Apple.

    The biometrics are only used as a "master password" to unlock your passkeys within your device. Then those keys are used in a zero-knowledge exchange with the server/website/whatever you're interacting with. Neither your passkey nor your biometrics ever go over the internet in that interaction. The passkey is used to mathematically prove that you are you, but it's never sent, nor can it be derived from what is sent.

    Encrypted passkeys may go into iCloud, but that's safe. They're useless there without your biometrics, which are never uploaded (and in fact are in the secure enclave, which is... relatively secure).
  • Reply 18 of 36
    gatorguy Posts: 24,387 member
    The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!

    I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
    If it's similar to Google's implementation, and I'm fairly certain it is, there will be a “phishing-resistant option for users who do not want to use their phone to sign-in.”
  • Reply 19 of 36
    sandor Posts: 663 member
    How it works (you have to assume Apple wouldn't join the board of FIDO & then implement the feature in a non-standard way)
    https://fidoalliance.org/fido-authentication/

    It has been in the works for a while:
    https://fidoalliance.org/overview/history/

    1Password (and many many others) are members of the group:
    https://fidoalliance.org/members/


    LastPass "is committed" to FIDO:
    https://blog.lastpass.com/2022/06/lastpass-is-first-password-manager-committed-to-a-fido-supported-passwordless-future/
  • Reply 20 of 36
    The problem I see with something like this is when using cross-platform devices. My work laptop is a Windows machine, but at home I use Apple devices. 
    For a while, I tried using the iCloud Key Manager add-in that Apple had for Edge, but it was a real pain. It would ask for a validation every time I used it, which meant that me directly typing in the password was simpler.

    I am not sure it will be simple to solve it. 