Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Wants Passkeys to Replace Passwords: Here's Where You Can Try Them Out Now With iOS 16
- Thread starter MacRumors
- Start date
- Sort by reaction score
Nice dismissal and rebuttal. Just shut down any possible chance of debate with “it’s conspiracy theory”. Works every time like a charm.
There’s nothing to debate, as it’s nonsense. It’s no different than the options to unlock your phone.
When a person has no facts, they result to criticizing the messenger. Which if fine by me because it shows exactly who they are. The relevant fact here is that neither of us know the truth, but I am willing to accept that and am still open to the possibility that I am wrong. Tin foil hat person will never admit they don't know and may be wrong.
i do not get it, a lot of websites got breached but because of hashes or encrypted form of password on the server no 128bit encryption that no one has broken yet?
Even if you have a passkey, won't that site/server have something to compare it too to make sure its correct and that can get compromised and the passkey can be regenerated or something?
I understand though for the average joe its a smoother ride instead of remembering his passwords but one issue remains and that is where is the passkey stored and how do I regenrate it if its stolen? Now I can ask for a password reset to my email (which is secure with a password) to get a new password, if I will use passkey for everything then how does that work? I can remember my password but I can't remember my passkey
On Apple devices on the same iCloud account the same passkey should be available anywhere. Across Apple accounts I assume it would either allow you to Airdrop it or do a setup as a new device (that is synced with your personal Apple account). On new devices when you try to sign in for the first time the website would ask for you to authenticate with one of your registered device first, then website will create another passkey that would be tied to the new device. Future sign-ins would no longer require the first device.
Yes. Compatible across browsers and across different OSs since Google and Microsoft both committed to adopting the standard.
I tested it out on BestBuy.com. I got the passkey setup but I had to use Safari on my iPhone to set it up, the BestBuy app said the device/OS didn't support Webauthn. I don't think Best Buy has implemented this correctly as it did not remove my password from my account. This just becomes another optional way to sign in which kind of defeats the security gains you are suppose to get by switching to webauthn. If it is not going to remove my password then what is the point?
Also, the article said on unsupported devices it would display a QR code to scan with your iPhone. This does not happen on BesBuy.com with unsupported devices. On my Windows PC in Edge, it just throws up an error saying webauthn is not supported on this browser/OS.
Just checked eBay... it behaves the same way as Best Buy, doesn't remove password, no QR code on unsupported devices.
If webauthn is suppose to be a password-less future then it needs to remove the password from you account once setup. When you setup the password-less option on Microsoft.com, it actually removes your password from your account, these 2 sites above do not.
I can't figure out how to set this up Passkey with my Microsoft account but, maybe that is because my MS account is already password-less through the MS Authenticator app.
Also, the article said on unsupported devices it would display a QR code to scan with your iPhone. This does not happen on BesBuy.com with unsupported devices. On my Windows PC in Edge, it just throws up an error saying webauthn is not supported on this browser/OS.
Just checked eBay... it behaves the same way as Best Buy, doesn't remove password, no QR code on unsupported devices.
If webauthn is suppose to be a password-less future then it needs to remove the password from you account once setup. When you setup the password-less option on Microsoft.com, it actually removes your password from your account, these 2 sites above do not.
I can't figure out how to set this up Passkey with my Microsoft account but, maybe that is because my MS account is already password-less through the MS Authenticator app.
A hash is a numeric representation of the password. It goes 1 way. If I have the hash, I can only know the password when I have the password already, and I can verify that by putting the password into the hash function and I get the same value as the stored value. However, I can’t know what the password is through the hash unless I have the password, this is why it’s very useful, because people breach databases all the time, but they only get hash values of passwords and not the passwords themselves. There’s also the addition of salting passwords that makes it so that you can’t use a “standard” password hash table to compare, you would have to rehash everything which is computationally intensive.
So this is what the state-of-the-art about password storage is today. A hash value allows you to hypothesize what a user’s password could be and then verify if it is the password or not, if the database was breached. It actually isn’t encryption, encryption is supposed to allow you to encrypt and decrypt, or go in both directions in other words, but hashing only goes in one direction.
Passwords wouldn’t have an issue if they were used correctly, using randomly generated sufficiently complex passwords, 1 per site. It basically becomes impossible to take a hash and find a randomly generated password as long as the universe of passwords is huge. But when passwords are not used correctly, like reusing passwords, using variants of passwords, short passwords, guessable passwords like your dog’s name, things like that that reduce the universe of possible passwords, what happens is that you can guess the password more easily and use computational power to just brute force a user’s account if you had the hash value to compare.
So if you were doing passwords correctly you have nothing to fear. But many people don’t and that exposes them to hacking.
Which brings us to passkeys. If a server full of passkeys was breached, it’s no longer hash values, instead it is public keys. Public keys are part of asymmetric cryptography, the public key is used to encrypt, the private key is used to decrypt. If the public key is breached, it basically doesn’t matter because it’s the private key that matters, the private key is needed to generate the responses that authenticate an account. That’s one of the advantages, while hashing is hard, it still is a possibility to get the password from the hash, most likely with known guessable passwords. On the other hand, the public key gives nothing to a hacker about what the private key is, it literally does not help. At least if you are up to date on cryptography, we have old cryptography algorithms that are insecure and broken and we can’t use them any more without harming users.
As per FIDO and Apple, passkeys are stored on device (meaning the private key is on device), technically the passkey is a pair of keys from server to phone. To regenerate a passkey if you lose your device, you need to use iCloud backups, or if you have more than one iCloud device (iPad, Mac) you can get a new phone and it will sync the other device’s passkeys to your phone. If you’re the kind of person who has one Apple device, and you specifically DON’T backup, then you’re a bad fit for passkeys.
I don’t know what happens with resetting an account that had a passkey, the same concept could apply and you could use an email to reset the account to use passwords and discard its Passkey, then login and use a password, then regenerate a passkey again, but that would be up to the site operator to enable. Again the backups would save you, but if you hate backups then you are not a great candidate for passkeys.
A lot of your questions were answered on Apple’s documentation, here: https://developer.apple.com/passkeys/
No, even if a website was hacked, getting a bunch of public keys won't help them. Let's use this very simple example. You have setup passkeys on a website (banana.com). When you go to log in to banana.com, you send your username (MacBH928) to the site. The site looks your account up and finds the PUBLIC key that has been created for you. The site then creates a challenge and encrypts the challenge. For simplistic sake, let's say banana.com encrypts a random word ("television") with your public key. Since the word is encryped wiht your Pubic key, only your Private key can decrypt it. The website sends your computer the encryped message. Your computer decrypts it to get the original word (television) and sends it back to the server. The server confrims the word received matches the word it sent and authenticates you, since only someone wiht your Private key can decrypt the message.
So, this is more secure because the security of the private information is no longer on single point of failure (the website storing password hashes.) Now, the private information is stored on millons of individual computers. Even if a hacker were to get all the public keys, there is NOTHING they can do with them. Heck, I could publish my public key for every website I visit and not be worried. It is the private key that needs to remain secure.
Needless to say, my wife and I do not share the same iCloud account. At this point, Apple doesn't allow sharing passwords nor passkeys. So unless Apple changes this, it is up to the website to provide the option to have multiple passkeys for the same account. Given how it works with passwords + 2FA Authentication Apps, I don't have high hopes of websites providing this option. At least I am not aware of any website that allows my wife and myself to both have the 2FA setup on our two different phones.
So, what I am hearing is, there is no technical reason why it can't work. But it doesn't mean that it will be possible.
A private key has to be processed by a hash algorithm on the server before being compared with the public key for authentication. It's also implemented so that you can't just do a simple comparison with the public key, otherwise it would be no different than a text password. This way even if the public key was compromised you account stays secure. Hashed values (in this case the public key) are designed to be irreversible, meaning that it would not be possible to reverse engineer a private key from the public key. On a high level OAuth 2.0 sign-ins like Sign In with Apple does something similar.
The passkey is 2 parts, the public key is stored by the website and the encrypted private key is stored on your device, so it's close to impossible for it to be stolen. PassKeys can be recovered from the iCloud Keychain Escrow (which even Apple cannot access) even if all of your devices are stolen. Each website will come with a different public/private key that is stored on your computer/phone. You have nothing to remember and nothing to reset.
Last edited:
You can already share passwords with people on other iCloud accounts, but it sounds like you want to sync passwords across accounts which isn't possible.
Since you can set up passkeys for the same website account on different platforms like Android and Windows that don't sync with each other by design, websites probably don't have a choice on having to support multiple public/private key pairs. Because of this it should also work on Apple devices on different iCloud accounts, just with an extra step for initial set up like you would on another OS.
Apple demonstrated in the developer video on Passkeys that you can send a passkey over Airdrop. So as long as you both have Apple devices you can share the passkey just fine.
Thank you for sharing this! I missed this unfortunately. Thank you for enlightening me
.No problem. The video is like 30 minutes and it’s developer focused.Thank you for sharing this! I missed this unfortunately. Thank you for enlightening me
So each user will have a permenant public AND private key , his private key stored on his device and the public key is shared with all websites (or does each website has a different public key?)
ok, what happens if I lose my private key? how do I back it up? What about my iCloud account? It stores the backup of my private key but since I do not have the private key it won't be able to unlock with passkey.
What happens if someone gets a hold of my private and public key?
Also, since this is all done by Apple and stored on apple iCloud, isn't it possible that Apple has access to both keys of every Apple Passkey user?
Can I just implore you to read the Apple site on Passkeys I linked above? Feels like there’s a lot of things you’re misunderstanding and it would help if you understood the whole idea before coming up with these questions.
Here is the link again: https://developer.apple.com/passkeys/
The standard was created by FIDO, not Apple, and it was built to use a key pair per site, no one would use one key pair (meaning a private key and a public key) for all sites. A private key only corresponds to one public key so it’s not possible to reuse one private key with many public keys or vice-versa. This is called asymmetric cryptography.
The private key stays on device, and it gets backed up to iCloud (or potentially a local backup if you still plug it into a Mac or PC and do manual backups, I haven’t heard if they enabled that but maybe). It also syncs all your passkeys with other iCloud devices you’ve signed into (well, running iOS 16 at least since presumably passkeys won’t be supported on earlier iOS versions). And you absolutely can still use passkeys after restoring from a backup, or if you have another device it will sync back from that device, say if you lost your iPhone but your iPad or Mac is still available you can get a new iPhone and it will sync your passkeys to your new iPhone. This is all covered on the Apple site I linked.
The big problem will be if you have no backups whatsoever and you have one Apple device. You are a bad fit for Passkeys then, if you ever lose said device. But if you have 2 Apple devices they sync passkeys, or if you have 1 and you enable iCloud backups you will have no problem with losing Passkeys.
Getting a public key is meaningless, it doesn’t help a hacker whatsoever, you don’t need the public key for anything (it’s used to generate a challenge that the private key responds to and if the response is correct because the private key was used it‘s authenticated) and it doesn’t reveal anything about the private key.
Apple tightly controls how passkeys (private keys) can be shared, besides iCloud syncing and backup they only share passkeys over Airdrop. They demonstrated this in a developer focused video. Otherwise you will have no option to get at the private key because it’s secured along with other system data.
Apple does not have access to your passkeys. The passkeys are indeed backed up to iCloud, however the backups are encrypted and Apple can’t access them, this is also described in the link.
No, there will be different public and private keys for EACH website. Even if a website was hacked, the public keys would not help with any other websites. (And don't forget the public key alone is useless.)
What happens if you forget your password now on a website? Oh yea, there is almost always a recovery method. Websites are going to have a recovery method.
First, the public and private keys are kept completely separate so obtaining both of them (and tying them together) is extremely unlikely. As a comparison, it is more likely that a hacker obtains your password in a breach AND happens to find your phone (to use as a 2FA) on the street.
Apple NEVER will have the public key. It is not store with private key. The public key is store on the originating website.
Excellent technology. The added benefits to security far outweigh the slight inconvenience of needing to have a device present with the private key. It's not that unlike a security token in this way.
Nope. You should read up on the standard. In a nutshell, this is a new cross-platform authentication solution that will be able to replace the current password/2FA combo. It will be similarly convenient on Windows and Android since Google and MS are both also committed to supporting this.
Passkey brings back the ease of password-only logins but retains the security of 2FA. In the near future I think it will become a choice of either doing a password + 2FA combo or passkey, with the former eventually being phased out.
1) My understanding is each private key can have multiple public keys? or each private key has 1 public key? Will each website create both public key (stored on their servers) and private key (stored on my computer), so each website will have 2 keys or I will have one private key to unlock all accounts?
2) Is the word being encrypted randomly generated each time or is it the same word always?
3) The main issue, what happens if I lose my private key? I lose access to all my accounts? HDD failure, computer burned power supply, malware....etc etc? With a password I can log in to my email with password and request a password reset.
4) My private key is only a file like everything else on a computer, how I ensure no one gets hold of this file? accidentally uploading it somehwere, or even apple employee has a copy of it they can access from my icloud account (icloud is not encrypted AFAIK, in fact Apple will give out all your icloud info shall it be requested by gov. world wide)
This is another question, if the passkey is saved in my computer will all apps and browsers have access to it or just Safari? Because AFAIK keychain is only accessed by Safari and Apple apps.