Apple passkey feature will be our first taste of a truly password-less future
Apple and other tech giants want to get rid of passwords for online accounts and apps. Here's why that's going to be a great thing for your online account security.
Apple passkey feature
At its WWDC 2022 keynote on Monday, the iPhone maker announced a new feature called passkeys. It's essentially a new type of security that seeks to replace passwords for account login purposes. It will debut in the fall on iOS 16, macOS Ventura, and Apple's other 2022 updates.
While passwords may be familiar, they actually come with a number of disadvantages that passkeys could address. Here's what you should know about the feature -- and how it signals a broader move toward a more secure online ecosystem.
Passkeys are based on the Web Authentication API WebAuthn, a security standard that uses public key cryptography for authentication. You can think of a passkey as a digital version of something like a hardware security key.
Once you set up a passkey on an account, you'll be able to use it to log in by authenticating with either Face ID or Touch ID.
When it launches, you'll be prompted to create and save a passkey in apps or websites.
When it comes time to get into your account, the website or app will push a request to authenticate to your device. From there, scan your face or your thumbprint -- and you're done. It's a one-tap login process, so it combines both stronger security and increased convenience.
Also, passkeys can be backed up to iCloud and synced across your iPhone, iPad, and Mac devices in an end-to-end encrypted fashion.
You'll also be able to log into your accounts on non-Apple devices by using an iPhone or iPad to scan a QR code and authenticating using biometrics.
Although technically announced at WWDC 2022, Apple actually previewed the passkey feature at the developer conference in 2021. At the time, Apple said it would be part of a multiyear effort to replace passwords with something more secure.
For one, users need to remember them. That leads to the common practices of using easily guessable credentials or reusing the same password across multiple services. Both of those make it easier for an attacker to break into your online accounts.
Logging into an account with a passkey will be as simple as using Face ID.
Passwords are also vulnerable to cyber attacks, including data breaches. A hacker could also attempt to phish you by tricking you into typing your password into a fraudulent website.
On the flip side, a passkey isn't able to be reused across various services. Since it's stored on your device, you won't need to remember a complex password -- or be tempted to go with a simple and easily guessable one.
Passkeys also can't be phished or stolen in a data breach as easily as passwords can. Because they're stored on your device instead of a web server, they're much more resistant to data breaches.
Back in May, Apple partnered up with Google and Microsoft to expand support for password-less authentication systems across their various platforms. Normally rivals, the three companies pledged to back new standards from the FIDO consortium on mobile, desktop, and browser within the next year.
The move was commended by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as "the type of forward-leaning thinking that will ultimately keep the American people safer online."
Apple and Google have both been working toward a password-less future for a while. Apple started letting developers test passkeys in 2021, while Google outlined some of its password replacement mechanisms at Google I/O the same year.
Apple users will be able to access their passkeys on all of their devices -- and even non-Apple products.
That means that users on Google and Microsoft platforms will also be able to use some type of passkey-like system to authenticate. That doesn't affect Apple users, but more people staying safer online is good for the internet as a whole.
It's likely that Apple devices will be the first to actually get access to FIDO-backed WebAuthn standards. Google will likely follow suit, meaning that the vast majority of smartphone users will have a password-less option. Over time, consumers will get familiar with a password-less system and adoption will grow.
A password-less future may not be here just yet, but it'll be here sooner than you'd think.
Read on AppleInsider
Apple passkey feature
At its WWDC 2022 keynote on Monday, the iPhone maker announced a new feature called passkeys. It's essentially a new type of security that seeks to replace passwords for account login purposes. It will debut in the fall on iOS 16, macOS Ventura, and Apple's other 2022 updates.
While passwords may be familiar, they actually come with a number of disadvantages that passkeys could address. Here's what you should know about the feature -- and how it signals a broader move toward a more secure online ecosystem.
What are passkeys?
Apple passkeys are essentially a type of biometric sign-in standard. Instead of typing in a password to log into an app or online account, you'd use a passkey stored on your device.Passkeys are based on the Web Authentication API WebAuthn, a security standard that uses public key cryptography for authentication. You can think of a passkey as a digital version of something like a hardware security key.
Once you set up a passkey on an account, you'll be able to use it to log in by authenticating with either Face ID or Touch ID.
When it launches, you'll be prompted to create and save a passkey in apps or websites.
When it comes time to get into your account, the website or app will push a request to authenticate to your device. From there, scan your face or your thumbprint -- and you're done. It's a one-tap login process, so it combines both stronger security and increased convenience.
Also, passkeys can be backed up to iCloud and synced across your iPhone, iPad, and Mac devices in an end-to-end encrypted fashion.
You'll also be able to log into your accounts on non-Apple devices by using an iPhone or iPad to scan a QR code and authenticating using biometrics.
Although technically announced at WWDC 2022, Apple actually previewed the passkey feature at the developer conference in 2021. At the time, Apple said it would be part of a multiyear effort to replace passwords with something more secure.
Benefits of ditching passwords
Passwords are the current standard for online account login and verification. However, despite their ubiquity, passwords aren't a very good standard.For one, users need to remember them. That leads to the common practices of using easily guessable credentials or reusing the same password across multiple services. Both of those make it easier for an attacker to break into your online accounts.
Logging into an account with a passkey will be as simple as using Face ID.
Passwords are also vulnerable to cyber attacks, including data breaches. A hacker could also attempt to phish you by tricking you into typing your password into a fraudulent website.
On the flip side, a passkey isn't able to be reused across various services. Since it's stored on your device, you won't need to remember a complex password -- or be tempted to go with a simple and easily guessable one.
Passkeys also can't be phished or stolen in a data breach as easily as passwords can. Because they're stored on your device instead of a web server, they're much more resistant to data breaches.
A password-less future
The passkey announcement is not just a shiny new feature for Apple users. Instead, it's very much a herald of things to come. We're heading toward a password-less future -- and Apple's devices will be among the first to get a taste of it.Back in May, Apple partnered up with Google and Microsoft to expand support for password-less authentication systems across their various platforms. Normally rivals, the three companies pledged to back new standards from the FIDO consortium on mobile, desktop, and browser within the next year.
The move was commended by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as "the type of forward-leaning thinking that will ultimately keep the American people safer online."
Apple and Google have both been working toward a password-less future for a while. Apple started letting developers test passkeys in 2021, while Google outlined some of its password replacement mechanisms at Google I/O the same year.
Apple users will be able to access their passkeys on all of their devices -- and even non-Apple products.
That means that users on Google and Microsoft platforms will also be able to use some type of passkey-like system to authenticate. That doesn't affect Apple users, but more people staying safer online is good for the internet as a whole.
It's likely that Apple devices will be the first to actually get access to FIDO-backed WebAuthn standards. Google will likely follow suit, meaning that the vast majority of smartphone users will have a password-less option. Over time, consumers will get familiar with a password-less system and adoption will grow.
A password-less future may not be here just yet, but it'll be here sooner than you'd think.
Read on AppleInsider
Comments
I can’t be the only one who TouchID doesn’t work for. (FaceID is fine.)
- What if I lost my device?
- Can I revoke passkeys from another device I own?
I'm all for a new standard, but in order for people to adapt to this, they need a bit more info that isn't too technical.
*I think that's 'pinky' in US English.
1) It syncs with iCloud.
2) You put that old device in lost mode, potentially erase it, and when you get a new one you sign into iCloud on it to get access to your accounts that use that Apple passkey system.
3) You probably just revoke account (passkey) or the device, but marine they'll let you revoke specific account (passkey) from a specific device.
1Password hasn't forced anyone to use their cloud service, but I am still on version 7 instead of the newly launched version 8 because version 8 doesn't allow for syncing via iCloud or Dropbox, just through their cloud service. I do use their cloud service but it's not with my personal vault, but with shared vaults through the many family members that I manage.
Me: Thanks. The new extension does not work with the "Primary" vault that is stored on my Mac?
my mother couldn’t use her fingers at all, worse than me. Maybe it’s hereditary.
What about sites/apps for which we already have created passwords? Can they be migrated to use this system instead (and remove those old passwords from the app/site) without losing any prior features/data from said app or site?
Or is this only for any new accounts we create?
Many of us have so many logins for sites and apps we have been using for all these years, and if we have to create new accounts for all of these, thereby losing all history, it would not be very helpful.
Also, what happens with those sites or apps that need/ask for password changes every few months? Many sites have password policies that require one to change passwords regularly.
Would sites/apps need to implement this feature (like “Sign In with Apple” that most sites have not implemented at all) or is this something that needs no involvement from the site itself?
Thanks and cheers
https://fidoalliance.org/fido-authentication/
It has been in the works for a while:
https://fidoalliance.org/overview/history/
1Password (and many many others) are members of the group:
https://fidoalliance.org/members/
LastPass "is committed" to FIDO:
https://blog.lastpass.com/2022/06/lastpass-is-first-password-manager-committed-to-a-fido-supported-passwordless-future/
For a while, I tried using the iCloud Key Manager add-in that Apple had for Edge, but it was a real pain. It would ask for a validation every time I used it, which meant that me directly typing in the password was simpler.
I am not sure it will be simple to solve it.