Apple ‘passkeys’ could finally kill off the password for good

Apple demonstrated “passkeys” at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good.

It’s no secret that passwords are insecure, with easily guessable credentials accounting for more than 80% of all data breaches, per Verizon’s annual data breach report. Passkeys eliminate the need for passwords entirely, according to Apple, and are much less susceptible to being stolen in the case of a data breach or phishing attempt.

Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you’re logging into will push a request to your phone for authentication.
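To make the public-key model above concrete, here is an added example (not code from Apple or from this article) of a simplified WebAuthn-style sign-in check in Node.js. The function names, the `shop.example` domains and the result strings are assumptions made for illustration, and attestation, CBOR parsing and sign-counter checks are left out.

```javascript
// Added illustration of a WebAuthn-style sign-in check; simplified, not Apple's code.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the private key stays on the device, the server stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  return { deviceKey: privateKey, serverRecord: { publicKey } };
}

// Device side: sign authenticatorData || SHA-256(clientDataJSON).
// In a real browser the origin is filled in by the browser, not by the page.
function signAssertion(deviceKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, deviceKey) };
}

// Server side: check challenge freshness, origin, RP ID hash, user verification, signature.
function verifyAssertion(serverRecord, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale-challenge';
  if (client.origin !== expected.origin) return 'wrong-origin';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'wrong-rp';
  if ((authData[32] & 0x05) !== 0x05) return 'user-not-verified';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, serverRecord.publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario using reserved example domains.
function demo() {
  const { deviceKey, serverRecord } = registerPasskey();
  const session = () => ({ challenge: randomBytes(32), origin: 'https://shop.example', rpId: 'shop.example' });
  const first = session();
  const genuine = signAssertion(deviceKey, first.challenge, first.origin, first.rpId);
  const lookalike = signAssertion(deviceKey, first.challenge, 'https://shop-example.test', 'shop-example.test');
  const stranger = registerPasskey().deviceKey; // a key the server never registered
  return {
    genuine: verifyAssertion(serverRecord, first, genuine),
    lookalikeOrigin: verifyAssertion(serverRecord, first, lookalike),
    replayed: verifyAssertion(serverRecord, session(), genuine),
    unknownKey: verifyAssertion(serverRecord, first, signAssertion(stranger, first.challenge, first.origin, first.rpId)),
  };
}
console.log(demo());
```

The server record holds nothing that can sign, so a copy of it is not a credential, and an assertion produced on another origin or for an earlier challenge is rejected before the signature is even checked.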

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate.

“Because it’s just a single tap to sign in, it’s simultaneously easier, faster and more secure than almost all common forms of authentication today,” said Garrett Davidson, an Apple engineer on the Authentication Experience team.

Apple isn’t alone in its efforts to kill off the password. Last month, Google and Microsoft joined forces with Apple to expand support for passwordless logins across mobile, desktop and browsers. This new collective commitment was commended by Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), who at the time called it “the type of forward-leaning thinking that will ultimately keep the American people safer online.”

Apple, Google and Microsoft said that they aim to support the new passwordless authentication standard — which has been established by the FIDO Alliance and the World Wide Web Consortium — on their platforms within the next year. If Apple’s WWDC demo is anything to go by, macOS Ventura, iOS 16 and iPadOS 16 will be among the first operating systems to support the new sign-in standard.

Apple quietly announced another security feature called Rapid Security Response during its WWDC keynote, which it claims makes macOS and iOS more resistant to attack by delivering security updates in the background without a reboot. “Get important security improvements to your devices even faster,” Apple said briefly on its website. “These improvements can be applied automatically between standard software updates.”