I imagine a very large proportion of identity theft attacks involve some sort of social engineering at one point or another and that passkeys (the concept is not even very clear) will not prevent that…

If you're suggesting by social engineering that a user is in some way tricked to disclosing credentials though perhaps a phone call or email, or a dodgy website link, then all of those mechanisms will be thwarted by passkeys.
 
Totally?

No.

Many prefer a manual log in and don’t want their password anywhere, encrypted or on paper or anything. Memorized.

And what happens if you are a tourist, all your belongings and phone stolen, and now you need to find an internet cafe or library internet to send email to your family?

You have to use memorized password. No other solution.

So people will do a mix, predictably. Because ‘totally’ is not a thing in technology.

So you memorize EVERY password? I find that very hard to believe. I have a couple hundred passwords currently stored in 1Password right now. Most of them are complex between 12 and 24 characters. There is no way any person can memorize that amount of data.

So, if you are truly memorizing passwords, you are either re-using the same password everywhere or you are just making minor changes to your password for specific sites (MyVerySecurePassword-MR). Neither of these is safe and is easily bypassed.
 
...
  1. The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.
...

And this is yet another reason why end to end encryption using on device keys for iCloud backups are key. Otherwise one mistake or hack or social engineering attempt at Apple or its backend providers where it doesn't use its own (e.g. AWS, Google etc) will result in a huge loss of credentials.

And that was a good explanation, I only replied to you because it was so thorough.
 
Well it was nice being able to log in to all my accounts anywhere in the world from any device. I always found it so freeing. Now I can’t even sign into my bank from my own home without having my iPhone. It was nice while it lasted.
 
"The phone will store the token and private-key portion of the token on your iCloud Keychain",

1. but what you have not explained is what entities (companies) have access to the token and private-key portion?
2. Does it work with a local private keychain?
3. Can the user control access to the token and private-key?

This seems like other Apple security features, in that it is half baked to make Apple look good.
Only your phone will have access to the private key, which itself will be protected on the keychain with your existing passcode. The keychain can be local-only if you prefer, or replicated securely online in iCloud.
 
i'm too old for this ****. i don't get it.

edit: if it only works with apple devices then i'm not going to bother using them. what happens if i get an android phone or want to stay on Windows? if apple wants to push this then fine but i'm not ditching passwords until it's a standard across all devices. this just seems like too much hassle at the moment.
 
So you memorize EVERY password? I find that very hard to believe. I have a couple hundred passwords currently stored in 1Password right now. Most of them are complex between 12 and 24 characters. There is no way any person can memorize that amount of data.

So, if you are truly memorizing passwords, you are either re-using the same password everywhere or you are just making minor changes to your password for specific sites (MyVerySecurePassword-MR). Neither of these is safe and is easily bypassed.

No, you only need to memorize the password for essential accounts only and of course a master account. Things like an email account your family trust and know.

You can’t even log in to iCloud if you don’t know the password to your master account. You really must memorize this if you don’t have access to any of your devices in emergency.

But anyway, until recent times before 2FA became normal we memorized passwords for all our accounts for what…20 years?

But that was another era. Too many cyber criminals now. Celebs who think they have safe passwords get their social media accounts taken over by scammers even when 2FA is enabled.

Because the scammers have inside connections right at the top of social media companies.

So yes, we keep needing new log in methods.
 
  • Like
Reactions: addamas
Ok maybe I'm making this more confusing than it needs to be, but how exactly is this different from keychain? I use TouchID on my m1 air, can't remember the last time I actually had to type in my password.
 
I imagine a very large proportion of identity theft attacks involve some sort of social engineering at one point or another and that passkeys (the concept is not even very clear) will not prevent that…
People are going to give away their fingers or faces after being subjected to social engineering?
 
  • Like
Reactions: Huck
This would be terrible news if Apple tried to make this the only way to authenticate. I refuse to use Touch ID or Face ID and would switch platforms rather than do it, as painful as that would be. I have no problems using passwords and if Apple tries to make me authenticate with facial recognition, I'm out for real.
 
My fear is that because of the liability advantages, companies might force their users to use passkeys. They should always be optional.

And remembering many passwords is very easy as long as they are not a gibberish mix of random letters, numbers and symbols. There is a list of 7776 words. So six of those words already generate 7776^6 combinations. That's 221.073.919.720.733.357.899.776 combinations. The concept is very old and called "Diceware". Remembering six words is much easier than remembering a random string that does not make any sense. That's why I always get angry if a website asks me to use at least a lowercase letter, an uppercase letter, a digit and a symbol in my password. Surely that prevents people from using too simple passwords, but at the same time it makes them very hard to remember. You basically have to write them down somewhere and that is dangerous.

You can generate your Diceware password here: https://diceware.dmuth.org

Note that for not very important passwords, even three words may be enough. Those already give you 470.184.984.576 possible combinations.

And then there are of course the VERY unimportant accounts. For example a newspaper where I have to log in to comment on an article. Passwords like that are actually 90% of my passwords. There I do not really care if someone hacks my password, as anybody could impersonate me there anyway by just opening an account with my name.

Who really has more than 10 or 20 really important passwords that need ultra strong protection? In my case I counted 18.
 
  • Like
Reactions: ILoveCalvinCool
Ok maybe I'm making this more confusing than it needs to be, but how exactly is this different from keychain? I use TouchID on my m1 air, can't remember the last time I actually had to type in my password.
i'm trying to understand it too.

i suppose it is kinda the same thing. you're using touch id and apple has your password stored so it uses that. with passkeys you still authenticate with your touch/face ID but instead of a password there is an encrypted key with a public and private part.

this is what apple has to say about it:

 
  • Like
Reactions: Premium1
Please excuse my lack of knowledge in this arena, but wouldn't this also help companies avoid the problem of people sharing log in information with friends, family, etc.?

Maybe not. Just curious.
 
  • Like
Reactions: compwiz1202
Please excuse my lack of knowledge in this arena, but wouldn't this also help companies avoid the problem of people sharing log in information with friends, family, etc.?

Maybe not. Just curious.
It could be used that way to stop people from sharing their hardware devices, but it might not. People will likely be able to have multiple hardware devices per account so that if a device is lost, it doesn't permanently lock a user out of their account.
 
  • Like
Reactions: BlairMALL
"The phone will store the token and private-key portion of the token on your iCloud Keychain",

1. but what you have not explained is what entities (companies) have access to the token and private-key portion?
2. Does it work with a local private keychain?
3. Can the user control access to the token and private-key?

This seems like other Apple security features, in that it is half baked to make Apple look good.
It's not an Apple standard. All the major companies are adopting this open standard.
 
  • Like
Reactions: pianophile
Yeah no thanks. We’re already sleepwalking into a biosecurity future where you won’t be able to buy a sandwich without identifying yourself with your face in your CBDC app. This is just one step closer down that road in conditioning people to accept biometric authentication for absolutely everything.
 
Yeah no thanks. We’re already sleepwalking into a biosecurity future where you won’t be able to buy a sandwich without identifying yourself with your face in your CBDC app. This is just one step closer down that road in conditioning people to accept biometric authentication for absolutely everything.

LMAO.

There are dystopian freaks and madmen in tech.

But don’t stretch it.

"CBDC" has been a thing in finance for many years. It was designed to move money from central banks to the private banks. For it to work for the public, they are designing privacy features so it works like cash - offline.

Most of the worst privacy eroding surveillance tech are in the private sector, like Palantir, blockchain systems, etc

It’s people like that you have to watch out for and kick their ass because they have openly said they want to destroy what you call freedom and replace it with anon oligarchy.
 