That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android, as long as you still need an iPhone in order for your Passkey to work on a Windows device.
Isn’t that what a successful company is supposed to do? Make you want to stay with them?
 
I can’t use personal devices where I work, so I rely on “public” devices provided there to check my personal email, log in to my media subscriptions, shop on ebay, etc.

Also, when I travel for pleasure I usually don’t bring any of my devices, but rather rely on the device wherever I am staying if I need to schedule a bill payment or check my e-mail/text.

That was the beauty of the internet. I am free to access my personal information/accounts/subscriptions using any device, anywhere in the world. I am not tied to a specific physical thing.

Saying I have to use this exact phone or that specific laptop or the desktop in my home office, etc. to use my accounts feels like the days where I had to carry a CD, DVD or paperback book around with me if I wanted to listen to music, watch TV, or read a novel.
That was a nice thing about the internet back when the risk of getting hacked was ultra low. Nowadays the ability to sign in anywhere in the world with username and password is a huge security risk. Passwords get hacked or just guessed so easily, and it gets worse with increasing computing power (more computer power enables more brute forcing).

Reality is you view this as a benefit, but it’s really a huge security risk. And maybe you do the right thing and change your passwords and make them long enough and randomly generate them, but many people don’t and it’s literally costing the world billions in fraud a year.
 
That was a nice thing about the internet back when the risk of getting hacked was ultra low. Nowadays the ability to sign in anywhere in the world with username and password is a huge security risk. Passwords get hacked or just guessed so easily, and it gets worse with increasing computing power (more computer power enables more brute forcing).

Reality is you view this as a benefit, but it’s really a huge security risk. And maybe you do the right thing and change your passwords and make them long enough and randomly generate them, but many people don’t and it’s literally costing the world billions in fraud a year.

I am a bit skeptical about your view on reality.

For starters, any mainstream website nowadays will lock your account after several failed login attempts, so it is not like a hacker is going to sit there guessing random logins to your account, no matter how powerful their computer is.

Also, as far as I know, the biggest cause of account breaches is corporate data leaks (thank you Yahoo, Equifax, Marriott, etc). Yes, people do tend to recycle their logins and passwords, which means more than one account gets hacked as a result of any leak, but it is mainly corporations who choose not to invest basic resources into their IT department that are costing the world billions, not your average Joe and his weak password. Some legislative requirements on large companies that retain user data would go a long way in that regard (or so claim the studies I have read anyway).

The second biggest cause of data breaches comes from targeted phishing attacks. It is not clear passkeys would do much to help with modern phishing attacks that lead to financial loss.

Personally, I don’t feel much incentive to sacrifice my convenience so places like Equifax can make ever larger profits without any concern for the safety of their users.
 
I am a bit skeptical about your view on reality.

For starters, any mainstream website nowadays will lock your account after several failed login attempts, so it is not like a hacker is going to sit there guessing random logins to your account, no matter how powerful their computer is.

Also, as far as I know, the biggest cause of account breaches is corporate data leaks (thank you Yahoo, Equifax, Marriott, etc). Yes, people do tend to recycle their logins and passwords, which means more than one account gets hacked as a result of any leak, but it is mainly corporations who choose not to invest basic resources into their IT department that are costing the world billions, not your average Joe and his weak password. Some legislative requirements on large companies that retain user data would go a long way in that regard (or so claim the studies I have read anyway).

The second biggest cause of data breaches comes from targeted phishing attacks. It is not clear passkeys would do much to help with modern phishing attacks that lead to financial loss.
I should’ve said this, but I meant that with a database breach, someone gets a password hash table of the users, then uses brute forcing to generate hashes of known passwords. Inevitably they get a few accounts from people who don’t use passwords properly. And if you use variants of old passwords then it’s possible to test out any variant of your old password (if the real password has been breached before) against the known hash. With more computational power available you can test more variants.

I didn’t mean it like someone logs in to your account without anything; yes, they often lock your account or put you in timeout after a few failed attempts.
It is not clear passkeys would do much to help with modern phishing attacks that lead to financial loss.
If they were in use in finance they probably would cut down on phishing. It actually is quite un-phishable. There’s basically no way to make a fake login page and pass through a passkey to steal someone’s bank information, while a password is easily phishable. Using passkeys, without the public key on the backend and TLS from the browser to the server it basically won’t work. But it does push off the point of attack to the iCloud account, or to try to get the user to disable passkeys and use passwords on their account. I think in either case it becomes obvious someone is stealing your account, in iCloud with 2-factor you just don’t allow the request.

Anyways, you are of course free to use passwords if you would like. That said, my guess is many sites will require at least 2-factor with passwords or passkeys, so your whole “I can log in anywhere without having my phone” is getting unlikely. If you don’t like this, you will have to just not use the site, I guess. Going back to paper-only banking?
 
  • Like
Reactions: FindingAvalon
Btw, in addition to having your passkeys in your iCloud Keychain for recovery (my previous reply), Apple also added a new keychain escrow feature in case all your Apple devices are lost. You can read about it here - scroll down to "recovery security"

Oh that is very interesting information. Thank you.


How so? The passkey for an account is able to be set up on multiple devices and platforms. What’s to stop you from setting up passkeys on both yours and your wife’s devices for that single account?

It originally wasn't clear to me if you would have to be signed in with the same Apple ID on all devices to "share" the passkey. If you can use the passkey on multiple devices across multiple platforms, that is a lot better than I originally thought.
 
  • Like
Reactions: szw-mapple fan
Yeah it’s great as long as everything else is working 100%. Better hope your battery never dies out on the road, or your phone gets wet or damaged, or you just never have any accidents, or nothing out of the ordinary ever happens to you, because the day you need to access your money or other accounts using someone else’s computer in order to get the car fixed/out of impound, & yourself out of a hotel or clinic, or arrange transport home, you’re screwed.
 
  • Like
Reactions: snek
I should’ve said this, but I meant that with a database breach, someone gets a password hash table of the users, then uses brute forcing to generate hashes of known passwords. Inevitably they get a few accounts from people who don’t use passwords properly. And if you use variants of old passwords then it’s possible to test out any variant of your old password (if the real password has been breached before) against the known hash. With more computational power available you can test more variants.

I didn’t mean it like someone logs in to your account without anything; yes, they often lock your account or put you in timeout after a few failed attempts.

If they were in use in finance they probably would cut down on phishing. It actually is quite un-phishable. There’s basically no way to make a fake login page and pass through a passkey to steal someone’s bank information, while a password is easily phishable. Using passkeys, without the public key on the backend and TLS from the browser to the server it basically won’t work. But it does push off the point of attack to the iCloud account, or to try to get the user to disable passkeys and use passwords on their account. I think in either case it becomes obvious someone is stealing your account, in iCloud with 2-factor you just don’t allow the request.

Anyways, you are of course free to use passwords if you would like. That said, my guess is many sites will require at least 2-factor with passwords or passkeys, so your whole “I can log in anywhere without having my phone” is getting unlikely. If you don’t like this, you will have to just not use the site, I guess. Going back to paper-only banking?

Ah I see what you mean now. Yes, I agree, passkeys will absolutely help deal with large scale data breaches.

As for the financial phishing, yes I agree, you aren't going to get an e-mail asking you to login to a fake website. What I was trying to say there was more that since most financial institutions now require 2FA, financial phishing is usually done with the victim. Like where a scammer tricks the victim while on the phone and logs into their account together. If a scammer can trick a victim into revealing their 2FA code over the phone, presumably they will be able to trick the victim into sharing their passkey as well.

As for 2FA, yes that is a huge hassle for me, even when I bring my own device. This is particularly true when the account only offers 2FA over SMS. Getting SMS text messages to verify a login is very difficult in a place with no cell reception and can be a huge pain in the you know where when traveling internationally (you know, because a whole bunch of countries don't use SMS and their carriers won't transfer any SMS from a US carrier to your phone). The real kicker is that SMS isn't any more secure than e-mail for 2FA!

Luckily, most of my logins still allow 2FA verification over email and my email doesn't require 2FA to login from a new device. I do know a lot of people who use a VOIP service, just so they can get their SMS 2FA codes when traveling internationally, and be able to login to their own accounts. I suppose I could resort to that if I had to. But yes, I have closed accounts at financial institutions when their login requirements started getting too invasive/unreasonable.
 
Ah I see what you mean now. Yes, I agree, passkeys will absolutely help deal with large scale data breaches.

As for the financial phishing, yes I agree, you aren't going to get an e-mail asking you to login to a fake website. What I was trying to say there was more that since most financial institutions now require 2FA, financial phishing is usually done with the victim. Like where a scammer tricks the victim while on the phone and logs into their account together. If a scammer can trick a victim into revealing their 2FA code over the phone, presumably they will be able to trick the victim into sharing their passkey as well.

As for 2FA, yes that is a huge hassle for me, even when I bring my own device. This is particularly true when the account only offers 2FA over SMS. Getting SMS text messages to verify a login is very difficult in a place with no cell reception and can be a huge pain in the you know where when traveling internationally (you know, because a whole bunch of countries don't use SMS and their carriers won't transfer any SMS from a US carrier to your phone). The real kicker is that SMS isn't any more secure than e-mail for 2FA!

Luckily, most of my logins still allow 2FA verification over email and my email doesn't require 2FA to login from a new device. I do know a lot of people who use a VOIP service, just so they can get their SMS 2FA codes when traveling internationally, and be able to login to their own accounts. I suppose I could resort to that if I had to. But yes, I have closed accounts at financial institutions when their login requirements started getting too invasive/unreasonable.
I don’t think you can actually share a passkey, at least not over the internet. Apple outlined that you can send passkeys over Airdrop, or if you login to other devices with QR codes, it connects the devices over Bluetooth. The FIDO standard made it so that it’s only local connections for the QR code route. But there doesn’t seem to be any way to share a passkey over the internet, with the exception of iCloud syncing but you can of course deny an iCloud login with iCloud 2-factor.

I think one benefit with passkeys is going to be that 2-factor won’t even be necessary. It does better authentication than 2-factor over SMS so it won’t be necessary to use 2-factor with passkey, it would just be redundant. I think we’ll see the choice between using passwords + 2 factor or passkey without 2 factor.

I actually can get SMS pretty much anywhere thanks to the magic of WiFi calling. It sends SMS over WiFi so I can get all my SMS anywhere I have WiFi, or I can even pop in a local SIM and use data with WiFi Calling. I suppose I could use Starlink and my phone could work anywhere too, amazing tech these days.
 
I actually can get SMS pretty much anywhere thanks to the magic of WiFi calling. It sends SMS over WiFi so I can get all my SMS anywhere I have WiFi, or I can even pop in a local SIM and use data with WiFi Calling. I suppose I could use Starlink and my phone could work anywhere too, amazing tech these days.

You get SMS over WiFi with WiFi calling enabled? If you are based in the USA, may I ask what carrier you use?

I too have WiFi calling enabled on my iPhone, and to the best of my knowledge, I do not get SMS without an actual cell signal.
 
Read a bunch of comments, and they all describe upside. However, being me, I know there must be drawbacks of this new tech, however small it might be. But what are they?
Obviously, the big one is training people about passkeys and changing their behavior so that they are encouraged to use passkeys instead of passwords.
 
Obviously, the big one is training people about passkeys and changing their behavior so that they are encouraged to use passkeys instead of passwords.
Which is only going to be short pain, not really a downside tbh. Knowing a mirror always has two sides, I am concerned about other aspects, but not knowledgeable enough to notice yet. Nothing in the world only has pure downsides or upsides, this is what I believe.
 
You get SMS over WiFi with WiFi calling enabled? If you are based in the USA, may I ask what carrier you use?

I too have WiFi calling enabled on my iPhone, and to the best of my knowledge, I do not get SMS without an actual cell signal.
AT&T NumberSync provides that functionality.

 
  • Like
Reactions: _Spinn_ and SpotOnT
How so? The passkey for an account is able to be set up on multiple devices and platforms. What’s to stop you from setting up passkeys on both yours and your wife’s devices for that single account?
I'm not sure I understand how this will work. The way I understand it, I have to create the passkey on one device and the mortgage company stores something on their end too. Do I get to go through the process twice, and does the mortgage company have to store two things for the one account? Or will Apple (and others) allow me to share the passkey (including the secret) with others? Or .....?
 
Read a bunch of comments, and they all describe upside. However, being me, I know there must be drawbacks of this new tech, however small it might be. But what are they?
Yep, Passwords were just too difficult for the FBI and NSA so they talked Apple into this new technology which will be much easier with the built in back doors. Kinda like that photo scanning software the government wanted in every iPhone a few months back.
 
  • Sad
Reactions: Shirasaki
You get SMS over WiFi with WiFi calling enabled? If you are based in the USA, may I ask what carrier you use?

I too have WiFi calling enabled on my iPhone, and to the best of my knowledge, I do not get SMS without an actual cell signal.
AT&T
 
  • Like
Reactions: SpotOnT
Read a bunch of comments, and they all describe upside. However, being me, I know there must be drawbacks of this new tech, however small it might be. But what are they?
Drawback is lack of 5th Amendment protection, because it doesn’t apply to biometric data. No authority can force you to give your password, but they can force you to give your fingerprint or face scan.

There might be other drawbacks but that’s the one I can think of right now.
 
Great question. Read the following explanation from Apple, scrolling down to "How a user’s other devices are added to the syncing circle".

https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web
Thanks, it's just that with the dumpster fire that iCloud was for the first 5 years I just don't trust Apple to get this right. Apple software and services are just not at the top of the heap today.

Heck, Apple cannot even keep my album covers between Music upgrades. How are we supposed to believe that we are not just one update away from being locked out of everything if Apple manages it behind the scenes? If they can prevent us from being locked out of everything (Keychain escrow for example) then I believe they probably have access to everything. Something here just does not make sense.
 
  • Sad
Reactions: Shirasaki
Yep, Passwords were just too difficult for the FBI and NSA so they talked Apple into this new technology which will be much easier with the built in back doors. Kinda like that photo scanning software the government wanted in every iPhone a few months back.
Total nonsense
 
  • Angry
Reactions: Shirasaki
Drawback is lack of 5th Amendment protection, because it doesn’t apply to biometric data. No authority can force you to give your password, but they can force you to give your fingerprint or face scan.

There might be other drawbacks but that’s the one I can think of right now.
Talk about a bunch of tinfoil hattery.
 
  • Angry
  • Disagree
Reactions: snek and Shirasaki