As Apple is rolling out its iOS 16 update today, one of the key security-facing features that will be available to users is Passkey. This feature will allow users to use their Apple devices to log in to websites and services without any passwords.
What is Passkey?
Passkey is the company’s implementation of an industry standard designed to remove passwords for online authentication. Earlier this year, Apple, Google and Microsoft joined hands with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms.
Apple announced its own implementation of this standard called Passkey at its Worldwide Developer Conference (WWDC) in June. Apple said Passkeys will be supported on macOS Ventura, iOS 16 and iPadOS 16.
Passkeys can reduce the risks of account compromises because it removes passwords, which can be leaked, exposed or stolen, from the authentication flow. Plus, passkeys are not reused across sites like passwords can be, so the risk of stolen credentials affecting other accounts is less.
How will it work?
Passkey is based on WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or use a PIN to validate a login attempt. At a higher level, instead of relying on the username-password combination, passkeys use your device to prove that you are the legitimate owner of the account.
If you head to a website that has already implemented Passkey — like this demo website — you can see a new option for logging in that uses devices or using credentials stored in your iCloud Keychain. If you don’t have a pre-registered account on the site, it might ask for some basic information and save the passkey to iCloud Keychain — no password needed. Once you register an account, the iCloud-based passkey is shared across Apple devices with the same Apple ID.
All of this is based on FIDO’s proposed multi-device credentials that allow users to store authentication keys across devices enabling users to log in without requiring a password. This means it should work across platforms, but Google and Microsoft are yet to implement the technology on their platforms.
Passkeys work by generating a pair of keys — one public key and one private key stored on the device. The public key is stored in the cloud and shared between devices that have their own private keys. This also ensures that if a server is compromised, the attacker doesn’t have both keys to gain access to accounts.
Users can manage their passkeys directly from Settings > Passwords. There is no separate section for stored passkeys, but the websites that use passkeys will show up in this section. People can also easily share their account details to a friend by tapping the share button on that particular passkey’s screen and sharing it through Airdrop to a nearby contact.
So what happens next?
Currently, few websites support passkey-based authentication, but that is likely to increase over time as developers begin implementing passkeys in their services. Initially, passkeys will be supported on Macs, iPads and iPhones. If you use a Windows or Chrome-based machine or an Android phone, the site will ask you to verify yourself using a QR code that you can scan through your iPhone. If users don’t want to rely on iCloud-based backup, password managers like Dashlane have also announced support for storing passkeys.
Passkeys are still in their early days. Most popular websites still rely on the username-password combo, so a passwordless future is still a distance away.