As Apple is launching its iOS 16 update today, one of the key security features that will be available to users is Passkey. This feature will allow users to use their Apple devices to log in to websites and services without passwords.
What is Passkey?
Passkey is the company’s implementation of an industry standard designed to eliminate passwords for online authentication. Earlier this year, Apple, Google, and Microsoft joined the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms.
Apple announced its own version of this standard, called Passkey, at its Worldwide Developers Conference (WWDC) in June. Apple said that Passkeys will be compatible with macOS Ventura, iOS 16, and iPadOS 16.
Passkeys can reduce the risk of account compromise because they remove passwords, which can be leaked, exposed, or stolen, from the authentication flow. Passkeys are also not reused across sites the way passwords are, so stolen credentials pose less risk to other accounts.
How will it work?
Passkey is based on the WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or a PIN, to approve a login attempt. At a high level, instead of relying on a username and password combination, passkeys use your device to prove that you are the rightful owner of the account.
If you visit a website that has already implemented Passkey, like this demo website, you may see a new sign-in option that uses devices or credentials stored in your iCloud Keychain. If you don’t have a pre-registered account on the site, it may ask you for some basic information and save the passkey in iCloud Keychain, with no password needed. Once you register an account, the iCloud-based passkey is shared between Apple devices signed in with the same Apple ID.
All of this is based on FIDO’s proposed multi-device credentials that allow users to store authentication keys on all devices, allowing users to log in without requiring a password. This means that it should work on all platforms, but Google and Microsoft have yet to implement the technology on their platforms.
Passkeys work by generating a pair of keys: a public key and a private key stored on the device. The public key is stored in the cloud and shared between devices that have their own private keys. This also means that if a server is compromised, the attacker does not obtain both keys and so cannot gain access to the accounts.
Users can manage their passkeys directly from Settings > Passwords. There is no separate section for stored passkeys, but websites that use passkeys will appear in this section. People can also easily share their account details with a friend by tapping the Share button on that particular passkey’s screen and sending it via AirDrop to a close contact.
So what happens next?
Few websites currently support passkey-based authentication, but this is likely to increase over time as developers begin to implement passkeys in their services. Initially, passkeys will be compatible with Mac, iPad and iPhone. If you’re using a Windows or Chrome-based machine or an Android phone, the site will prompt you to verify using a QR code that you can scan with your iPhone. If users don’t want to rely on iCloud-based backup, password managers such as Dashlane have also announced support for storing passkeys.
Passkeys are still in their infancy. Most popular websites still rely on the username and password combination, so a passwordless future is still some way off.