With Some Help, Apple Passkeys Could Finally Kill the Password


At its Worldwide Developer Conference (WWDC) this week, Apple previewed Passkey, a passwordless login scheme that could help make passwords a thing of the past. Darin Adler, VP of Internet Technologies at Apple, pitched Passkey as “more secure, easier to use, and aims to replace passwords for good.” That’s good to hear, considering how lousy passwords are, but many have tried to do away with passwords before.


Enter Apple Passkeys

Adler described Passkeys this way: “A unique digital key is created that only works for the site it was created for.” Instead of passwords, Apple users would verify their identity using biometric authentication, which is already built into most of the company’s product line with Face ID, for facial recognition, and Touch ID, for fingerprint scanning. 

In the presentation, we see someone creating a new account on a website. They enter their email address, but instead of creating a password, a window pops up asking if they want to create a Passkey. The user authenticates using biometrics—in this case, the Touch ID on their Mac—and that’s it. 


Apple says that Passkeys will work cross-platform.
(Photo: Apple)

Adler explained that Passkeys are automatically synced between a user’s Apple devices, including Apple TVs, using iCloud Keychain, and are intended to work in apps as well as on the web. Passkeys are also meant to work cross-platform. In the demonstration, a user goes to log in with their passkey and is presented with a QR code to scan. Adler said that in this scenario, the person’s iPhone would authenticate the login, presumably by scanning the QR code.

While ease of use was on display in the WWDC presentation, Adler stressed the security benefits of Passkeys. “Passkeys can’t be phished since the Passkey never leaves your devices,” he said. “Hackers can’t trick you into sharing it on a fake website. And passkeys can’t be leaked because nothing secret is kept on a web server.”


A FIDO Connection

At WWDC, Adler said that Passkeys were created in collaboration with the FIDO Alliance, the trade group that has managed the creation of standards for multi-factor authentication and passwordless login. He also highlighted Apple’s work with Google and Microsoft specifically. 



The FIDO Alliance confirmed to us that Apple’s Passkeys use the multi-device FIDO credential, a passwordless login system that we reported on in early May. In his story, PCMag reporter Michael Kan explained how the new FIDO system worked.

“The other important advantage is how no credential data is transmitted from the phone to the website during the login process. ‘Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account,’ Google said.

“In other words, the website issues a digital ‘challenge’ that your passkey can sign, which will then unlock access to the account. This approach could be more secure than some two-factor authentication systems involving one-time passcodes, which can be stolen or intercepted.”

Andrew Shikiar, Executive Director and CMO of the FIDO Alliance, gave me a little more insight into how it all works. “‘Passkeys’ primarily leverage the WebAuthn protocol within the FIDO2 standard,” he said. “Apple, Google, and Microsoft have worked within FIDO’s technical working groups alongside dozens of other companies to evolve FIDO’s standards and this implementation.”


Bigger Than Apple

Despite passwords being so bad that we have an entire product category designed to make them slightly better, momentum is only just now building to do away with passwords for good.

“Passwords are the single greatest threat to the integrity of one’s accounts and digital lives,” Shikiar told us. “By taking passwords out of the equation, consumers will be protected from phishing and other remote attacks that continue to plague today’s networked economy—and businesses will be freed from the liability of maintaining them on their servers. 

“The move to passwordless truly is a rare win/win for consumers and businesses alike.”

So far, the need for special hardware has limited the adoption of passwordless technology. Microsoft has been experimenting with passwordless login for some time now on PCs using Microsoft Hello and facial recognition or on the web using a hardware security key. By relying on phones and other devices users already own, anything that uses the multi-device FIDO credential—including Apple’s Passkeys—should be more accessible. 



Apple’s Darin Adler makes the pitch for Passkeys at WWDC.
(Photo: Apple)

While many of Apple’s most controversial decisions have been about what it leaves out (floppy drives, headphone jacks, etc.), the company has also driven adoption of new technology by integrating it into its existing products. As part of Apple’s ecosystem, Passkey is likely to see greater adoption than it would as an option offered by a third party.


Another challenge in killing the password has been getting other sites and services to adopt new, more secure login systems. Although more sites than ever support multi-factor authentication, not every site does and only a few support hardware security keys for MFA login. FIDO multi-factor and passwordless login systems do require websites to integrate FIDO technology, so it’s safe to assume the same will be true with Apple’s Passkeys.

If this were Apple on its own, I would be skeptical that it could muster the kind of pressure necessary to drive third-party support for Passkeys. However, the inclusion of Google, Microsoft, and the FIDO Alliance makes acceptance far more likely. Apple might get the credit for Passkeys on its platform, but it’s only collaboration that will kill the password.

Even with the momentum toward a passwordless future, Apple was careful to set expectations. In his WWDC segment, Adler hinted at some of the challenges still ahead: “The transition away from passwords will be a journey.” 

What’s less clear is if this journey is coming to an end, or just beginning.
