Passwords are now a thing of the Past for Apple Users
At the end of May, we reported that Apple, Google and Microsoft had all announced support for a method of authentication that did not require the use of a password. It seems as though sooner than anticipated, Apple is implementing just that.
At this year’s Apple Worldwide Developer Conference, the company announced that it will launch passwordless logins across Macs, iPhones, iPads and Apple TVs in September of this year. Rather than using a password to gain access to your devices, apps and accounts, users will use a “passkey” with iOS 16 and macOS Ventura. This is the first major shift to eliminating passwords.
How do passkeys work? They’ll create a new digital key using Touch ID or Face ID, according to Apple’s vice president of internet technologies, Darin Adler. As explained at the conference, when a user is creating an online account with a website, you can use a passkey instead of a password to do so. In Adler’s words, “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done.”
When logging in to that website again, the Passkey will allow you to prove who you are using your biometrics rather than typing in a password. When signing in to an account on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across devices using iCloud’s Keychain, and will be stored on your device rather than in the cloud. The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices. Apple’s Passkeys are based on Web Authentication API and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.
A system where passwords were no longer required represents a big step forward for most users’ online security. Using a passwordless environment reduces the chances of your password being guessed and the likelihood of a cybersecurity incident such as a phishing attack. Also, a password cannot be stolen if it isn’t created in the first place.
Apple isn’t the only organization that wants you to eliminate passkeys. The FIDO Alliance, a tech industry group, has been working on the underlying standards that are needed for a passwordless environment for nearly a decade, and Apple’s Passkeys are the company’s implementation of these standards.
In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys”.
When all of the tech companies roll out their version of passkeys, it should be possible for the system to work across different devices. In theory, you could use your iPhone to log in to a Windows laptop, or have an Android tablet log in to a website in Microsoft’s Edge browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”
The success of a passwordless future depends on how it works in reality. There are current concerns around what happens to your passkeys if a user decides to switch from an Apple environment to an Android one. Additionally, developers need to implement changes to their apps and websites to support passkeys. There also needs to be education on how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” Alex Simons, the head of Microsoft’s identity management efforts, said in May.
To sum it up, if the rollout of cross-device systems and passkeys are clunky or difficult to use, people may resort back to the use of old fashioned passwords.
Story via WIRED