Apple is working toward a future without passwords with a new iCloud Keychain "passkey" feature that was previewed at WWDC 2021.
In a WWDC developer session called "Move beyond passwords," Apple teased a new feature called "passkeys in iCloud keychain." The feature is available for testing in iOS 15 and macOS Monterey, but isn't yet ready for a full release.
Essentially, passkeys are pairs of private and public keys based on the WebAuthn standard. They work basically like a hardware security key, but are stored securely in iCloud Keychain.
This means users won't need to carry hardware keys with them — their iPhone, iPad, or Mac will contain the passkeys. More than that, passkeys will be synced across various devices, meaning they're recoverable even if a user loses all of their devices. Compared to traditional passwords, these passkeys offer a number of security benefits. They aren't guessable, they're not able to be reused across services, and they're not vulnerable to phishing or data breaches.
For users, passkeys will offer an easy and secure alternative to passwords. When implemented, all a user will need to do is authenticate with Face ID to log in. Passkeys in iCloud Keychain would be useable anywhere that supports WebAuthn. Currently, that includes browsers and apps on Apple's platforms, but full adoption of the standard is still a few years off.
As mentioned earlier, the inclusion of passkeys in iOS 15 and macOS Monterey is for developer testing only — it's not actually a feature yet. Apple says that testing the feature in existing apps and workflows is just the first step of a "multiyear effort in replacing passwords."
Although users won't be able to use passkeys immediately, Apple does have a suite of other security and privacy features in iOS 15 and macOS Monterey. That includes a new built-in authenticator for two-factor logins, a Private Relay feature that encrypts web traffic and hides a user's IP address, and a feature that will allow users to create proxy email addresses.
Apple isn't the only company looking toward a future without passwords. Google at its I/O conference in May detailed a number of new privacy and security features aimed at replacing passwords.
Follow all of WWDC 2021 with comprehensive AppleInsider coverage of the week-long event from June 7 through June 11, including details on iOS 15, iPadOS 15, watchOS 8, macOS Monterey and more.
Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get the latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.
19 Comments
It's about time but there will still be issues for installations where people aren't allowed to carry mobile devices except for approved passkeys devices. These devices usually don't do anything other than provide a PIN making them less of a security issue. That said, I no longer work in this kind of an environment so having a potentially better method of securely authenticating my account would be appreciated. Now if only more websites would include the Login using AppleID I'd think it might actually go somewhere.
...so Apple now wants to store the world's passcodes on Patriot Act governed servers...?
Biometric data, when we sleep, where we move (now even when our iOS is off), what we say, read, watch and listen to - is anything left...?
Even with (if) the best of intentions does this concentration of data (digital colonialism?) put the world at increasing dependency & risk ?
Is it an ironic evolution for the internet which I understand was originally conceived to fragment communication access for security reasons,
yet potentially now becoming a source of infinite attack vectors to concentrations of digital data 'wealth'...?
This is a fine idea but:
1. I want to transfer this data out of iCloud, which should allowed by Apple. I don’t want a lock in to their ecosystem just because I can’t access my keys outside iDevices.
2. What happens when I need to login to accounts via routers, TV’s and other appliances? OAuth delegation? Apple’s solution shouldn’t hinder me.