Ok maybe I'm making this more confusing than it needs to be, but how exactly is this different from keychain? I use TouchID on my m1 air, can't remember the last time I actually had to type in my password.

Functionally, for you, no difference. You'd still do a TouchID or FaceID. What's happening today is that entry from you is pulling your password out of the Keychain and pasting it into the fields for you. That password would instead be replaced, if you'll allow me to illustrate this as best I can, with a one-time use token - like the old RSA tags or soft token you may have on your/work phone to sign into a VPN, or access a restricted system at work. There are additional layers of security that appear to work like PGP with a private key you control and generate public keys from, but the general gist of it is your password is replaced by a tokenized entry.
 
As long as these sites also offer 2FA and other fallback mechanisms, for example when you lose your phone and have to set up a new device, or their database has gotten corrupted and you need to re-establish this connection with a new key. :rolleyes:
 
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
  1. You go to widget.com and navigate to its new-account creation page
  2. Type in what you want your username to be and then click "create account"
  3. Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
  4. The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.
Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to log in, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc.). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).

This is an improvement over passwords because there is no password to be stored on a server or presented for each site, which reduces the attack surface of your credentials. It also solves the problem of weak user passwords, or users reusing their password across multiple sites.
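The registration (steps 3 and 4) and the challenge/response login described above, as an added Go example that is not from the original thread or from Apple's or FIDO's code. It uses ECDSA on P-256 and signs a simplified challenge-plus-origin digest, which is an assumption standing in for the real WebAuthn signed data; the Authenticator, Register, Assert and Verify names and the nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the phone's keychain: one private key per site (rpID), never leaving it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a fresh key pair for rpID and returns the public half, the only thing the site stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // OS RNG unavailable; nothing sensible to do in a demo
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// signedData binds the server's challenge to the domain the browser is actually on.
func signedData(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Assert signs the challenge with the key registered for origin, if there is one.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false // look-alike domain: no key, so nothing a phishing page can collect
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(challenge, origin))
	return sig, err == nil
}

// Verify is what widget.com runs: the stored public key, over its own rpID, never the domain the browser claims.
func Verify(storedPub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return storedPub != nil && ecdsa.VerifyASN1(storedPub, signedData(challenge, rpID), sig)
}
func main() {
	phone := Authenticator{}
	widgetPub := phone.Register("widget.com") // step 4: the server keeps only this
	challenge := []byte("constructed nonce; a real server draws 32 bytes from crypto/rand")
	sig, _ := phone.Assert("widget.com", challenge)
	fmt.Println("genuine login accepted:", Verify(widgetPub, "widget.com", challenge, sig)) // true
}
```

Because the signed data includes the origin and the server verifies over its own domain, a response made on a look-alike domain (or with no key at all, the usual case) does not verify against widget.com's stored public key, which is the site-specific property behind the tracking and phishing answers later in the thread.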

Thank you for the explanation. Two quick questions. 1) Will the passkey token used by widget.com enable widget to track my activity across the internet (in the same way that widget.com can track my activity with cookies)? 2) What happens if my phone breaks or I lose my phone? Presumably I am locked out of all my accounts until I buy a new device?
 
People are going to give away their fingers or faces after being subjected to social engineering?
Of course not.
They are simply going to receive a dodgy request by email, text, phone call or whatever. As they will feel very secure because of all the nice security technology that they have, they will not complain and will bravely serve the request. And approve it with face ID, fingerprint ID and what not.
 
Thank you for the explanation. Two quick questions. 1) Will the passkey token used by widget.com enable widget to track my activity across the internet (in the same way that widget.com can track my activity with cookies)? 2) What happens if my phone breaks or I lose my phone? Presumably I am locked out of all my accounts until I buy a new device?
The token is site specific, so only sites operated by the same company could track you, presumably on only the original URL's domain for which the token was generated.

You can recover the tokens from your keychain, provided you enabled syncing of your keychain to your iCloud account.
 
Well it was nice being able to log in to all my accounts anywhere in the world from any device. I always found it so freeing. Now I can’t even sign into my bank from my own home without having my iPhone. It was nice while it lasted.
Apple Watch with a notch and Face ID? :p
 
Well it was nice being able to log in to all my accounts anywhere in the world from any device. I always found it so freeing. Now I can’t even sign into my bank from my own home without having my iPhone. It was nice while it lasted.
I think the idea is that the device you're logging in with ALSO has your private key for the passkey. If you're logging in on your Mac, your Mac will have your passkey. If you're logging in with your iPhone, your iPhone will have your passkey. Nothing says the device you log in on has to be different than the device holding your passkey.

What are you logging in with if not your iPhone or Mac or iPad, all of which would support passkey?

Keep in mind Google and Samsung and Microsoft are also supporting this, so they'd probably have your passkey, too, if you have one of their devices/computers.
 
My fear is that because of the liability advantages, companies might force their users to use passkeys. They should always be optional.

And remembering many passwords is very easy as long as they are not a gibberish mess of random letters, numbers and symbols. There is a list of 7776 words. So six of those words already generate 7776^6 combinations. That's 221.073.919.720.733.357.899.776 combinations. The concept is very old and called "Diceware". Remembering six words is much easier than remembering a random string that does not make any sense. That's why I always get angry if a website asks me to use at least a lowercase letter, an uppercase letter, a digit and a symbol in my password. Surely that prevents people from using too simple a password, but at the same time it makes them very hard to remember. You basically have to write them down somewhere and that is dangerous.

You can generate your Diceware password here: https://diceware.dmuth.org

Note that for not very important passwords, even three words may be enough. Those already give you 470.184.984.576 possible combinations.

And then there are of course the VERY unimportant accounts. For example a newspaper where I have to log in to comment on an article. Passwords like that are actually 90% of my passwords. There I do not really care if someone hacks my password, as anybody could impersonate me there anyway by just opening an account with my name.

Who really has more than 10 or 20 really important passwords that need ultra strong protection? In my case I counted 18.
 
Facebook, Twitter, Instagram, that’s 3. All passwords 15 digits long
All my bank details across various accounts of which I have 5 accounts, that’s 8. Banking passwords, 30 digits long
Retail passwords where I shop online like Amazon etc., easily 10-15 there, that’s 23
Each password would take the most powerful supercomputer on Earth around 400 vigintillion years to brute force entry into any account, that number is 400 followed by 63 zeros.
 
My bank makes me scan my Mac screen with my iPhone and their custom app every time I log in on the Mac. Then I have to verify w Touch ID.

It’s really a PITA.

I’d much prefer they just use a TOTP authenticator code.
 
I imagine a very large proportion of identity theft attacks involve some sort of social engineering at one point or another and that passkeys (the concept is not even very clear) will not prevent that…
I believe it will because fake sites won’t be able to trick users into entering their password, because there is none and the user can only enter a passkey via biometrics on the proper domain.
 
Ok, I have the latest Ventura and went to one of the sites that, according to the article, supports Passkey - PayPal.com - where I already have a login. When I go to the login page, I'm still asked to enter my login/password. Is there something that needs to be enabled in the browser (if so, I don't see a setting) to use this new mechanism?
 
I think the idea is that the device you're logging in with ALSO has your private key for the passkey. If you're logging in on your Mac, your Mac will have your passkey. If you're logging in with your iPhone, your iPhone will have your passkey. Nothing says the device you log in on has to be different than the device holding your passkey.

What are you logging in with if not your iPhone or Mac or iPad, all of which would support passkey?

Keep in mind Google and Samsung and Microsoft are also supporting this, so they'd probably have your passkey, too, if you have one of their devices/computers.

I can’t use personal devices where I work, so I rely on “public” devices provided there to check my personal email, login to my media subscriptions, shop on ebay, etc

Also, when I travel for pleasure I usually don’t bring any of my devices... but rather rely on the device wherever I am staying if I need to schedule a bill payment or check my e-mail/text.

That was the beauty of the internet. I am free to access my personal information/accounts/subscriptions using any device, anywhere in the world. I am not tied to a specific physical thing.

Saying I have to use this exact phone or that specific laptop or the desktop in my home office, etc to use my accounts feels like the days where I had to carry a CD, DVD or paperback book around with me if I wanted to listen to music, watch TV, or read a novel.
 
Facebook, Twitter, Instagram, that’s 3. All passwords 15 digits long
All my bank details across various accounts of which I have 5 accounts, that’s 8. Banking passwords, 30 digits long
Retail passwords where I shop online like Amazon etc., easily 10-15 there, that’s 23
Each password would take the most powerful supercomputer on Earth around 400 vigintillion years to brute force entry into any account, that number is 400 followed by 63 zeros.
But only a few moments to fool a non techy pawpaw into entering their new user name and 15 digit password into a spoofed site. No super computer required. Or a device with the wrong unvetted 3rd party app on it that is monitoring key strokes and transmitting your passwords.
 
My bank makes me scan my Mac screen with my iPhone and their custom app every time I log in on the Mac. Then I have to verify w Touch ID.

It’s really a PITA.

I’d much prefer they just use a TOTP authenticator code.

My bank started doing something similar (although not quite that bad, scan and touch ID, geezzzz) and I closed my account and switched banks. I wanted to support my local credit union, but their digital requirements made their online banking impossible for me to use.
 
I just want to say: "My voice is my passport. Verify me."

Then I'll be living my early 90s dream! (Anyone catch the reference?)
 
But only a few moments to fool a non techy pawpaw into entering their new user name and 15 digit password into a spoofed site. No super computer required. Or a device with the wrong unvetted 3rd party app on it that is monitoring key strokes and transmitting your passwords.
Correct, but I wouldn’t do that lol
 
Functionally, for you, no difference. You'd still do a TouchID or FaceID. What's happening today is that entry from you is pulling your password out of the Keychain and pasting it into the fields for you. That password would instead be replaced, if you'll allow me to illustrate this as best I can, with a one-time use token - like the old RSA tags or soft token you may have on your/work phone to sign into a VPN, or access a restricted system at work. There are additional layers of security that appear to work like PGP with a private key you control and generate public keys from, but the general gist of it is your password is replaced by a tokenized entry.
Makes sense. Thanks for explaining it better than Apple did in their press release!
 
So I’ve no idea how these work. Sounds great if you are using your own device. But what happens if you left your phone at home, and want to log on to, e.g. internet banking on a friend’s PC. Will it just be impossible? Or you’re on holiday and lose your phone, are you locked out of everything until you get your phone replaced when back home?
This is something I'm also wondering about. Yes, it's nice to be able to just use FaceID or my fingerprint to log in to a website, but I don't want to completely lose access to everything if I lose my phone or it's stolen.
 