macrumors bot
Original poster

Apple is on a mission to get rid of traditional passwords for good, and a step towards that future is something called "Passkeys." Passkeys aim to entirely replace passwords in both apps and on the web. Instead of a shared secret you type in, your device creates a cryptographic key pair for each account: the private half never leaves the device and is unlocked locally with Touch ID or Face ID, while the site only ever receives the public half. Your face or fingerprint is not the password and is never sent to the website.

Passkeys are part of iOS 16 and macOS Ventura, but because they are Apple's implementation of the FIDO Alliance and W3C WebAuthn standards, they also work with non-Apple devices and platforms such as Android and Windows. Apple's goal with Passkeys is to eliminate the need for users to ever type out, remember, or reuse a password again.

There are two scenarios for Passkeys: when you're using an Apple device and when you're on a Windows or Android device.

On an Apple Device

When you go to a website that supports Passkeys on an iPhone or iPad running iOS 16 or a Mac on macOS Ventura, the website will not prompt you to enter a password as you may expect it to. Instead, you'll simply be asked to confirm the sign-in with Touch ID or Face ID; the device then signs the site's one-time challenge with the passkey stored in iCloud Keychain.

On a Windows or Android Device

On non-Apple devices, when you go to a website that supports Passkeys, you'll be asked to scan a QR code with your iPhone. The phone confirms over Bluetooth that it is physically near the computer, prompts you for Touch ID or Face ID, and completes the sign-in on the computer's behalf. The passkey itself stays on the phone; nothing is typed or copied onto the Windows or Android device.

Passkeys will be more widely supported by apps and websites when iOS 16 and macOS Ventura are released to all users this fall, but some websites already support them. Here are just a few apps and websites that are starting to roll out support:

  • eBay
  • Best Buy
  • Cloudflare
  • Microsoft
  • Nvidia
  • PayPal
  • Carnival

In an interview earlier this month, Apple's director of platform product marketing Kurt Knight said, "This isn't a future dream to replace passwords. This is something that's going to be a road to completely replace passwords, and it's starting now."

Passkeys are just one of several new changes and features coming to iOS 16 and macOS Ventura, which you can learn about in our respective roundups.

Article Link: Apple Wants Passkeys to Replace Passwords: Here's Where You Can Try Them Out Now With iOS 16
 
That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android, as long as you still need an iPhone in order for your Passkey to work on a Windows device. Hacking a good password is virtually impossible. Even if you only use numbers and lowercase letters, there are 36 combinations for each letter of the password. So two more letters already makes it 1000 times more difficult to hack.

Hacks usually happen at the server level and not at the user level. When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.
 
> That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android [...] When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.

Actually, the passkeys will utilize an open standard so they can be migrated between systems AFAIK. Also, passkeys or even passphrases are often more suitable options than stronger passwords; the latest NIST recommendations and guidelines are a good read on the matter.

These days, obtaining passwords via phishing is much more common compared to large password leaks from companies. Personal data is leaked more often, certainly; passwords, not that much.
 
This is a huge deal and I'm glad Apple is pushing for this amongst other companies. Using 36-character passwords with a strong master to a password manager like BitWarden or 1Password is all great but that's not a typical use case for most users (unfortunately). Leveraging passkeys, passphrases and educating general public on physical/TOTP MFAs is the way to go.
 
Can't there be a solution where some $5 device can generate a secure password for me? Like the TAN generator from my bank. Of course TANs are very insecure as there are only a million combinations, but the concept could be expanded. Something that is even smaller than an iPhone with a battery that lasts for years. You do not need a $799 pocket computer for a secure password.
 
So I’ve no idea how these work. Sounds great if you are using your own device. But what happens if you left your phone at home, and want to log on to, e.g. internet banking on a friend’s PC. Will it just be impossible? Or you’re on holiday and lose your phone, are you locked out of everything until you get your phone replaced when back home?
 
> That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android [...] When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.
Sure, passkeys cannot prevent a database from being accessed by an attacker. The important difference is that when passkeys are leaked your account is not compromised because unlike passwords they use asymmetric cryptography and are also unique to every website.

Please do not spread misinformation about passkeys if you do not have a clue what you are talking about ...
 
I think this is a great step forward. For many users within the Apple ecosystem who probably rely heavily on Keychain to provide their passwords automatically, the user experience will be virtually unchanged. But rather than sending an unchanging, if complex, password, the new system will use a one-time passcode which itself does not disclose the underlying secret used to generate it, and which is counter or date/time encoded to prevent re-use. Anyone who is familiar with the Yubico type dongle (other dongles are available) will know how this works. So having it built in means just one less piece of kit to carry around, and one less thing to worry about losing.

Others have said that this would not have prevented attacks on servers, where databases of "secrets" are downloaded and used to steal user accounts. The implication is that the underlying secret used to encode the passkey could still be stolen and used. But that's incorrect - because Apple's implementation uses an asymmetric key-pair, the secret lodged at the server being only the "decrypt" key. If that information was stolen, it would not allow a third party to generate the passkey.

Passkeys also prevent the user from accidentally disclosing a password, since a password doesn't exist. It's a very important, useful and significant increase in overall security at both the client and server side and it's long overdue.
 
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
  1. You go to widget.com and navigate to its new-account creation page
  2. Type in what you want your username to be and then click "create account"
  3. Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called a "passkey" in FIDO parlance), the security of which is based on public-key encryption.
  4. The phone will store the token and the private-key portion of the token in your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.
Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to log in, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passcode, etc.). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on its server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).

This is an improvement over passwords because there is no password to be stored on a server or presented for each site, which reduces the attack surface of your credentials. It also solves the problem of weak user passwords, or users reusing their password across multiple sites.
 
> Hacks usually happen at the server level and not at the user level. When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.
With this protocol, the servers only keep public keys that are useless without the client side key. If there are no passwords to hack (e.g., Passkey), how can millions of passwords be hacked?
 
> That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android [...] When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.
I believe you don't know how passkeys work. They are based on the WebAuthn standard, which ensures cross-platform compatibility and no lock-in. No big company, not even Apple, would have accepted a standard where its customers are locked into their respective mobile platform, because that means Apple cannot grow its customer base as easily.

Good passwords are difficult to crack, but not impossible. Anyway, with methods like social engineering or phishing, the complexity of your password doesn't really matter. If someone builds a perfect replica of your bank website, some people will think the site is trustworthy and will enter their password anyway.

And Passkey would definitely have prevented password hacking, because it's only the public key that is stored on servers; the private key is stored on the device and never leaves it. Hackers can get all the public keys they want, it's useless information without the accompanying private key.
 
> That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android [...] When millions of passwords for eBay or Yahoo were hacked, Passkey would not have prevented that.
If you even bothered to read the article, you'd learn this is not an Apple thing.

And the rest of your post just underlines that you have zero idea how it works
 
So that sounds like Passkeys will only work if a website offers it. In the Apple Event it sounded like you can replace any password with a Passkey.

I predict that you will see large numbers of websites moving to this standard. It reduces their liability in the event of a data breach because quite often, the most valuable thing in that breach is a user's password, even if hashed. And sites that are driven by accreditation or standards, or regulatory pressures (BSI, FSA e.g. in the UK) will likely have no real option other than to implement.
 
> For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it. [...]
"The phone will store the token and private-key portion of the token on your iCloud Keychain"

1. but what you have not explained is what entities (companies) have access to the token and private-key portion?
2. Does it work with a local private keychain?
3. Can the user control access to the token and private-key?

This seems like other Apple security features, in that it is half baked to make Apple look good.
 
> I said at the time that this was the biggest announcement at the keynote, and I still believe that.
>
> This will totally change how we authenticate online.

Totally?

No.

Many prefer a manual log in and don’t want their password anywhere, encrypted or on paper or anything. Memorized.

And what happens if you are a tourist, all your belongings and phone stolen, and now you need to find an internet cafe or library internet to send email to your family?

You have to use memorized password. No other solution.

So people will do a mix, predictably. Because ‘totally’ is not a thing in technology.
 