1) My understanding is each private key can have multiple public keys? or each private key has 1 public key? Will each website create both public key (stored on their servers) and private key (stored on my computer), so each website will have 2 keys or I will have one private key to unlock all accounts?
Public Keys and Private Keys are mathematical pairs. There is a one-to-one relation. So each website will have its own private key stored on your computer and the public key stored by the website. Also, the Public Key/Private Key combo has to be generated on the computer so the Private key never leaves the computer.
2) Is the word being encrypted randomly generated each time or is it the same word always?
For the purposes of this example, it will be a different word.
3) The main issue, what happens if I lose my private key? I lose access to all my accounts? HDD failure, computer burned power supply, malware....etc etc? With a password I can log in to my email with password and request a password reset.
Assumably, each website will have a method for account recovery. That is no different than now. If you forget/lose your password, you need to recover your account.
4) My private key is only a file like everything else on a computer, how do I ensure no one gets hold of this file? Accidentally uploading it somewhere, or even an Apple employee has a copy of it they can access from my iCloud account (iCloud is not encrypted AFAIK, in fact Apple will give out all your iCloud info shall it be requested by gov. world wide)
In the case of Apple, the private key will be stored in your Keychain which is encrypted on the computer. When transmitted to iCloud it is transmitted encrypted. This is exactly how iCloud keychain works now.
 
This is another question, if the passkey is saved in my computer will all apps and browsers have access to it or just Safari? Because AFAIK keychain is only accessed by Safari and Apple apps.

Only if you allow access. When a keychain entry is created by an App, only the App is given access to read it at a later date. If another app tries to read that keychain entry, you are prompted to allow or deny access. (It is possible for the originating app to give access to other apps as well. For example, Microsoft Word grants access to its keychain entries to the other Microsoft Office apps.)

And, no, Safari and Apple Apps are not the only apps that can access keychain. EVERY app saves and reads from the keychain. But, no, they don't have the ability to randomly read keychain entries from other apps.
 
This is another question, if the passkey is saved in my computer will all apps and browsers have access to it or just Safari? Because AFAIK keychain is only accessed by Safari and Apple apps.
You can authenticate with Keychain passwords with any app that uses Apple’s Keychain service API. It doesn’t have to be made by Apple. Once passkeys are more common, more apps will implement them, I think.
 
Great Idea

Every time I turn on my iPad it reminds me of all the password issues I've got to sort out .. a nightmare

This looks like it will solve it all - excellent
 
Public Keys and Private Keys are mathematical pairs. There is a one-to-one relation. So each website will have its own private key stored on your computer and the public key stored by the website. Also, the Public Key/Private Key combo has to be generated on the computer so the Private key never leaves the computer.

For the purposes of this example, it will be a different word.

Assumably, each website will have a method for account recovery. That is no different than now. If you forget/lose your password, you need to recover your account.

In the case of Apple, the private key will be stored in your Keychain which is encrypted on the computer. When transmitted to iCloud it is transmitted encrypted. This is exactly how iCloud keychain works now.

-I thought it works like email encryption where there is just 1 public key and 1 private key to decrypt the message. It's called PGP I think.

-Any idea on how that recovery method works? like is there real example of this happening?

-So all these passkeys will eventually lead to the death of password managers? I really do get how this will make it easier for the average joe to not worry about his passwords. I wonder if it will be good enough for corporates, how would they share passkeys like they share passwords now?

My only guess is that in the future password managers will be passkey managers, and instead of storing passwords you would store a passkey and you unlock the password manager with just 1 password you need to remember. All in all I see it's pretty much similar to passwords except for 1 main advantage and that is that the password is not stored in the server. Nonetheless, I have been using the internet for decades and must say in recent years unless you are on some seriously bad service there is hardly any password stealing or leaks... I believe most of it happens via social engineering or scams (fake websites, fake email info request)

--

thanks for all the info btw!
 
Can I just implore you to read the Apple site on Passkeys I linked above? Feels like there’s a lot of things you’re misunderstanding and it would help if you understood the whole idea before coming up with these questions.

Here is the link again: https://developer.apple.com/passkeys/

The standard was created by FIDO, not Apple, and it was built to use a key pair per site, no one would use one key pair (meaning a private key and a public key) for all sites. A private key only corresponds to one public key so it’s not possible to reuse one private key with many public keys or vice-versa. This is called asymmetric cryptography.

The private key stays on device, and it gets backed up to iCloud (or potentially a local backup if you still plug it into a Mac or PC and do manual backups, I haven’t heard if they enabled that but maybe). It also syncs all your passkeys with other iCloud devices you’ve signed into (well, running iOS 16 at least since presumably passkeys won’t be supported on earlier iOS versions). And you absolutely can still use passkeys after restoring from a backup, or if you have another device it will sync back from that device, say if you lost your iPhone but your iPad or Mac is still available you can get a new iPhone and it will sync your passkeys to your new iPhone. This is all covered on the Apple site I linked.

The big problem will be if you have no backups whatsoever and you have one Apple device. You are a bad fit for Passkeys then, if you ever lose said device. But if you have 2 Apple devices they sync passkeys, or if you have 1 and you enable iCloud backups you will have no problem with losing Passkeys.

Getting a public key is meaningless, it doesn’t help a hacker whatsoever, you don’t need the public key for anything (it’s used to generate a challenge that the private key responds to and if the response is correct because the private key was used it’s authenticated) and it doesn’t reveal anything about the private key.

Apple tightly controls how passkeys (private keys) can be shared, besides iCloud syncing and backup they only share passkeys over Airdrop. They demonstrated this in a developer focused video. Otherwise you will have no option to get at the private key because it’s secured along with other system data.


Apple does not have access to your passkeys. The passkeys are indeed backed up to iCloud, however the backups are encrypted and Apple can’t access them, this is also described in the link.

Thank you very much for putting effort to share information that I hope others benefit from as well.

- As for different keys for different sites, I believe in emails PGP you only have one private key and one public key that is shared with others so I do not know why this approach is not used although I understand it's safer as if the private key went public you will lose access to all sites meanwhile with multiple keys only the account with the site with the specific key that was leaked will be compromised

- While the standard is made by FIDO my understanding is that the Apple passkey is only tied to your iCloud account, in this case how can I access my websites if I use multiple platforms like an iPhone (iCloud) and Fedora Linux? Or MacOS and Android phone?

-If the passkey is stored securely how can I move it or share it with family members as many people do share accounts like bank accounts or a family account for Netflix? What about people in the corporate world?

- Is there a way I can backup just my passkeys in a USB drive for safe keeping? What if I wanted a different app to manage my passkeys like 1Password or Bitwarden instead of Keychain? Currently I can copy paste the password or there are some export and import options.
 
- Thinking about why the keys are per domain, it’s probably because linking each key to a domain is much better for security. People can make fake versions of real sites, like banks, and just by making a fake site that looks real, if a person supplied a passkey, and it wasn’t intimately linked with the domain, then an attacker gets what they need, they just need a little relaying to translate from one endpoint to another. But, since the Apple device side is smart, and FIDO in general is smart, it will only use a passkey for one domain, making a relay attack impossible.

It’s kind of like why we don’t use one TLS certificate for all sites, it’s on a per-domain basis. Browsers throw a fit if the domain name doesn’t match what’s on the certificate supplied.

- You can have different keys for different devices/platforms. Your iOS devices with one Passkey shared over iCloud, Android with its own key, and Windows with its own key.

But will they ever sync the keys across platforms, I don’t know, that’d be nice but it’s also a security risk.

- Currently Apple announced you can share a Passkey with Airdrop (as I said earlier). And that’s about it for sharing the actual key (you can login with QR code login as well but if you ever get logged out you would have to re-login with the QR code thing again).
Apple’s variation of FIDO isn’t really built for the corporate world to be honest, although the underlying concept was kind of pioneered by smart keys which were and still are widely used in corporate settings.

- No, they do not let you get the private keys out onto a file. If they did it would open up an attack vector for phishing and online scamming and such. It’s intentionally built to keep the keys themselves safe so it’s never an option. Imagine an online scammer just has to tell you “oh I need this special code and your special code will unlock my Instagram account”.

You’ll have to rely on Apple’s backup strategy. Or just don’t use passkeys, in all likelihood the two will coexist because many people in the world won’t have supported devices. The original version of passkeys would just have you use a special USB key but by opening it up to iOS devices it will vastly increase the number of potential users.
 
Thank you very much for putting effort to share information that I hope others benefit from as well.

- As for different keys for different sites, I believe in emails PGP you only have one private key and one public key that is shared with others so I do not know why this approach is not used although I understand it's safer as if the private key went public you will lose access to all sites meanwhile with multiple keys only the account with the site with the specific key that was leaked will be compromised
In theory, you (really your computer) could give a single site, but it is much more secure to have a separate pair for each site. As you said, IF your private key was compromised, you would be giving access to all websites, versus just one.
- While the standard is made by FIDO my understanding is that the Apple passkey is only tied to your iCloud account, in this case how can I access my websites if I use multiple platforms like an iPhone (iCloud) and Fedora Linux? Or MacOS and Android phone?
Apple has already demonstrated a way to authorize yourself using your iPhone on another device. You will scan a QR code presented by the web site on your computer using your iPhone. The iPhone then authenticates you with the website and website then logs you in on your computer. Many video services on AppleTV use a similar process. You are given a code or a QR code and asked to authenticate yourself on a computer or iPhone. Once you have authenticated yourself, the app on the aTV is authenticated.
-If the passkey is stored securely how can I move it or share it with family members as many people do share accounts like bank accounts or a family account for Netflix? What about people in the corporate world?
- Is there a way I can backup just my passkeys in a USB drive for safe keeping? What if I wanted a different app to manage my passkeys like 1Password or Bitwarden instead of Keychain? Currently I can copy paste the password or there are some export and import options.
Apple has said you can share passkeys via AirDrop, so if you want to share your Netflix account with a family member, you can just AirDrop the passkey.

Also, this is NOT an Apple only system. It is an open alliance (FIDO) supported by Apple, Microsoft, and Google among others. 1Password has already said they will support storing passkeys instead of passwords in a future release. I assume other password managers will eventually do the same.

What has not been determined is if passkeys could be imported and exported between different solutions (say moving passkeys between Windows and macOS.) There certainly is a security risk allowing export of these keys. But, it would also be very user unfriendly.
 
That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android, as long as you still need an iPhone in order for your Passkey to work on a Windows device. Hacking a good password is virtually impossible. Even if you only use numbers and lowercase letters, there are 36 combinations for each letter of the password. So two more letters already makes it 1000 times more difficult to hack.

Hacks usually happen at the server level and not at the user level. When millions of passwords for Ebay or Yahoo were hacked, Passkey would not have prevented that.
I've seen some stupid takes on this site, but this one stands alone.

> Hacking a good password is virtually impossible.

I envy you, living in a reality where password databases are impossible to compromise or are ALWAYS properly stored rather than being in plaintext, and people are perfectly un-phish-able.

> When millions of passwords for Ebay or Yahoo were hacked, Passkey would not have prevented that.

Yes, actually, it would have. Because Passkey uses asymmetric cryptography. The server only has the public portion. All that portion does is establish which private key is required in order to validate the user. That private portion is never in the server's possession or control. There's nothing to compromise.

Here, same concept: This is the SSH key I use for root accounts on my AWS EC2 instances. Go nuts!

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAcbBc1mEHzGGFh1XcYVv8U912v3t5jxJRyWH0STZOg root@sekyura

It is evident that you know within epsilon of nothing at all about the topic. Maybe spend some more time reading.
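
Several posts above describe one key pair per site, a different challenge on every login, a passkey that is only offered to its own domain, and a server that holds nothing but public keys. The following Node.js code is an added example, not part of the thread and not the WebAuthn message format: it models those four points with Ed25519 keys. The domains `bank.example` and `bank-login.example`, the user `alice`, the class and function names, and exact hostname matching are assumptions made for the illustration.

```javascript
// Added illustration: a simplified passkey model, not the WebAuthn wire format.
// Domain names, the user name and all class/function names are constructed.
const nodeCrypto = require("node:crypto");
// The user's device: one Ed25519 private key per site, looked up by hostname.
class Authenticator {
  constructor() { this.keys = new Map(); }
  // The pair is generated on the device; only the public half is handed out.
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.keys.set(new URL(origin).hostname, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  // `origin` is what the browser reports for the page, not what the page claims.
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no passkey for this domain, nothing to offer
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("base64url") });
    return { clientData, signature: nodeCrypto.sign(null, Buffer.from(clientData), key) };
  }
}

// The website: stores public keys only and issues a fresh challenge per login.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is good for one attempt only
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !assertion) return false;
    let data;
    try { data = JSON.parse(assertion.clientData); } catch { return false; }
    if (data.origin !== this.origin || data.challenge !== challenge.toString("base64url")) return false;
    return nodeCrypto.verify(null, Buffer.from(assertion.clientData),
      nodeCrypto.createPublicKey(pem), assertion.signature);
  }
}

function setup() {
  const site = new RelyingParty("https://bank.example");
  const device = new Authenticator();
  site.enroll("alice", device.register(site.origin));
  return { site, device };
}
function legitimateLogin() {
  const { site, device } = setup();
  return site.verify("alice", device.sign(site.origin, site.newChallenge("alice")));
}

// A captured response is useless later: the next challenge is a new random value.
function replayedAssertion() {
  const { site, device } = setup();
  const captured = device.sign(site.origin, site.newChallenge("alice"));
  site.verify("alice", captured);
  site.newChallenge("alice");
  return site.verify("alice", captured);
}

// A look-alike site relaying the real site's challenge gets nothing usable.
function lookalikeSiteRelay() {
  const { site, device } = setup();
  const fake = "https://bank-login.example";
  const noKey = site.verify("alice", device.sign(fake, site.newChallenge("alice")));
  device.register(fake); // even a passkey made at the fake site signs the wrong origin
  const wrongOrigin = site.verify("alice", device.sign(fake, site.newChallenge("alice")));
  return noKey || wrongOrigin;
}

// A database dump holds public keys only; a signature needs the private half.
function loginFromLeakedDatabase() {
  const { site } = setup();
  const unrelatedKey = nodeCrypto.generateKeyPairSync("ed25519").privateKey;
  const challenge = site.newChallenge("alice").toString("base64url");
  const clientData = JSON.stringify({ origin: site.origin, challenge });
  const signature = nodeCrypto.sign(null, Buffer.from(clientData), unrelatedKey);
  return site.verify("alice", { clientData, signature });
}

console.log(legitimateLogin(), replayedAssertion(), lookalikeSiteRelay(), loginFromLeakedDatabase()); // true false false false
```

Real WebAuthn signs authenticator data together with a hash of the client data and lets a relying party ID cover subdomains; the model keeps only the parts the thread discusses.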
 
So, I went to bestbuy.com, created a passkey but, after I sign out and try to sign back in, nothing pops up to sign me in, I still have to give my password.
Going to "passwords", it is acknowledged that I have created a passkey and I can delete the password. If I delete the password, nothing happens. The log in screen stays there, asking for email address and password.

What gives?
 
Type your username, click “Sign in with WebAuthn”. It will use a passkey if you’ve enabled it on your account.
 
It asked me to "Insert the security key" after it asked for my email address.

Obviously, it didn't work.
 
It would say that if you had no passkey available. Maybe you’ll have to delete your old passkey and set it up again.
 
So, if I didn't click on "Use Security Key", it just took my fingerprint and it worked.
 
Sorry for the late reply and thanks for the educational information!
 
That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android, as long as you still need an iPhone in order for your Passkey to work on a Windows device. Hacking a good password is virtually impossible. Even if you only use numbers and lowercase letters, there are 36 combinations for each letter of the password. So two more letters already makes it 1000 times more difficult to hack.

Hacks usually happen at the server level and not at the user level. When millions of passwords for Ebay or Yahoo were hacked, Passkey would not have prevented that.
You really need to read up on this, maybe talk with someone who actually understands the concepts here.

1. Your “cheap trick” accusation is a bit difficult to support given that Apple, and Google, and Microsoft, and a lot of others, are adopting an open standard, making things far more portable rather than less so.

2. Hacking a good password is not virtually impossible. And your definition of “good” only appears to include alphanumeric characters, ignoring punctuation, which actually increases complexity even more. You’re about 15 years behind the curve on this. And that said, since passkeys are generally thousands of characters long as well as asymmetric with only the public key accessible, comparing security between passwords and passkeys isn’t even worth dwelling on. Security people have known this for decades — it’s just taken this long to adopt a standard that was transparent enough for the big players to feel comfortable with, and intuitive enough to be accessible to everyone.

3. Server-side hacks are only one of many, many attack vectors. And while passkeys would not have prevented someone grabbing a database of credentials, all they’d have would be a mess of very large public keys that are useless without their private keys — and you can’t simply “hack” those.
 
I did this with Best Buy. Now how do I remove my password so that option doesn't show up when I want to log in? Never mind. I figured it out. I can delete the password in Settings / Passwords
 
So, I went to bestbuy.com, created a passkey but, after I sign out and try to sign back in, nothing pops up to sign me in, I still have to give my password.
Going to "passwords", it is acknowledged that I have created a passkey and I can delete the password. If I delete the password, nothing happens. The log in screen stays there, asking for email address and password.

What gives?
Here's what I see. Sign in with WebAuthn.
 
Google’s implementation appears to be a mess. You have to download the Google app, then the Smart Login app, and then they use notifications, which is really painful. I couldn’t find my way to a passkey. I don’t know why I’m surprised.

So far, I’ve found GitHub and Login.gov work okay. Paypal: nope. LinkedIn: nope.
 
Surely that prevents people from using too simple a password, but at the same time it makes them very hard to remember. You basically have to write them down somewhere and that is dangerous.

This is what password managers are for. You don't write them down with pen and paper (or in a computer file) but enter them in an encrypted database and then only have to memorize one password (your master password). And you can also add a common prefix or suffix (or both) to your passwords on the website that you don't add in your password manager, so even if somehow your password database is hacked, the hacker still won't have your actual passwords.
 
That is just a cheap trick by Apple to make it more difficult to leave the Apple ecosystem and switch to Android, as long as you still need an iPhone in order for your Passkey to work on a Windows device. Hacking a good password is virtually impossible. Even if you only use numbers and lowercase letters, there are 36 combinations for each letter of the password. So two more letters already makes it 1000 times more difficult to hack.

Hacks usually happen at the server level and not at the user level. When millions of passwords for Ebay or Yahoo were hacked, Passkey would not have prevented that.
No, this is cross-platform FIDO credentials, a cross-platform standard supported by, among others, Apple, Google and Microsoft. You can make one identity, and use it across Windows, MacOS, iOS, and Android, in any combination. You can, for example, use an Android phone's biometrics to prove your identity to a web site you're browsing on a MacOS laptop, because it's an open standard with full interoperability. https://www.authgear.com/post/passkeys-compatibility
 
I am not upgrading to iOS 16.1.1 because I do not want to be forced to use passkeys. I am not concerned about cyber attacks. I am more concerned with thugs.
Here’s a scenario for you: Thug kidnaps me, ties me up, and uses my face to unlock my phone. Then proceeds to visit my browsing history, unlocking any website he wants using only my face.
This scenario would not be possible with good passwords that are not stored on the phone.
If you want to get more gruesome, on a fingerprint-secured device, all the thug needs is to cut off your thumb. You don’t have to be alive, the way you would if your face ID requires your eyes to focus.
 
This is long overdue. Passwords are a mess. Love being able to log into mt bank account with Face ID on the iPhone. Face ID works with CLEAR at airports to avoid security lines. Now MacBooks need to have Face ID.
MT Bank app or website is garbage no matter how you login :( I get not available every time I really need to use it.
 
Please excuse my lack of knowledge in this arena, but wouldn't this also help companies avoid the problem of people sharing log in information with friends, family, etc.?

Maybe not. Just curious.
I was thinking the same about the comment about sharing Netflix. If you try that anyhow, the goblin accountants will come kidnap your child and take them to the Labyrinth
 