Apple and other tech giants want to get rid of passwords for online accounts and apps. Here's why that's going to be a great thing for your online account security.
At its WWDC 2022 keynote on Monday, the iPhone maker announced a new feature called passkeys. It's essentially a new type of security that seeks to replace passwords for account login purposes. It will debut in the fall on iOS 16, macOS Ventura, and Apple's other 2022 updates.
While passwords may be familiar, they actually come with a number of disadvantages that passkeys could address. Here's what you should know about the feature — and how it signals a broader move toward a more secure online ecosystem.
What are passkeys?
Apple passkeys are essentially a type of biometric sign-in standard. Instead of typing in a password to log into an app or online account, you'd use a passkey stored on your device.
Passkeys are based on the Web Authentication API (WebAuthn), a security standard that uses public key cryptography for authentication. You can think of a passkey as a digital version of something like a hardware security key.
When it comes time to get into your account, the website or app will push a request to authenticate to your device. From there, scan your face or your thumbprint — and you're done. It's a one-tap login process, so it combines both stronger security and increased convenience.
You'll also be able to log into your accounts on non-Apple devices by using an iPhone or iPad to scan a QR code and authenticating using biometrics.
Although technically announced at WWDC 2022, Apple actually previewed the passkey feature at the developer conference in 2021. At the time, Apple said it would be part of a multiyear effort to replace passwords with something more secure.
Benefits of ditching passwords
Passwords are the current standard for online account login and verification. However, despite their ubiquity, passwords aren't a very good standard.
For one, users need to remember them. That leads to the common practices of using easily guessable credentials or reusing the same password across multiple services. Both of those make it easier for an attacker to break into your online accounts.
Passwords are also vulnerable to cyber attacks, including data breaches. A hacker could also attempt to phish you by tricking you into typing your password into a fraudulent website.
On the flip side, a passkey can't be reused across services. Since it's stored on your device, you won't need to remember a complex password — or be tempted to go with a simple and easily guessable one.
Passkeys also can't be phished or stolen in a data breach as easily as passwords can. Because they're stored on your device instead of a web server, they're much more resistant to data breaches.
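As an added illustration (not code from Apple or from the original article), the Node.js sketch below simulates the WebAuthn-style sign-in that passkeys build on: the server stores only a public key, and its checks reject an assertion made for a look-alike origin, a replayed challenge, or a different key. The relying-party ID, the origins and the simulated authenticator are assumptions made for the example.

```javascript
// Added example: simplified WebAuthn-style assertion check (not a full implementation).
const nodeCrypto = require("node:crypto");

const RP_ID = "example.com";              // assumed relying-party ID
const RP_ORIGIN = "https://example.com";  // assumed legitimate origin
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Device side (simulated): the private key never leaves the authenticator.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const sign = (challenge, origin) => {
    // The browser, not the web page, records which origin asked for the login.
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    // A real authenticator would not offer the credential to another RP ID at all;
    // this one signs anyway so the server-side checks are visible.
    const rpIdHash = sha256(new URL(origin).hostname);
    const authenticatorData = Buffer.concat([rpIdHash, Buffer.from([0x05]), Buffer.alloc(4)]);
    const signature = nodeCrypto.sign("sha256",
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  };
  return { publicKey, sign };
}

// Server side: holds only the public key, so a database leak exposes no login secret.
function verifyAssertion(storedPublicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "stale or replayed challenge";
  if (client.origin !== RP_ORIGIN) return "wrong origin";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong RP ID";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const device = makeAuthenticator();     // device.publicKey is what the server stores
  const challenge = nodeCrypto.randomBytes(32);
  const good = device.sign(challenge, RP_ORIGIN);
  const phished = device.sign(challenge, "https://examp1e-login.test"); // constructed look-alike
  const stranger = makeAuthenticator().sign(challenge, RP_ORIGIN);
  return {
    legitimate: verifyAssertion(device.publicKey, challenge, good),
    phishingSite: verifyAssertion(device.publicKey, challenge, phished),
    replay: verifyAssertion(device.publicKey, nodeCrypto.randomBytes(32), good),
    otherKey: verifyAssertion(device.publicKey, challenge, stranger),
  };
}
console.log(demo());
```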
A password-less future
The passkey announcement is not just a shiny new feature for Apple users. Instead, it's very much a herald of things to come. We're heading toward a password-less future — and Apple's devices will be among the first to get a taste of it.
Back in May, Apple partnered up with Google and Microsoft to expand support for password-less authentication systems across their various platforms. Normally rivals, the three companies pledged to back new standards from the FIDO consortium on mobile, desktop, and browser within the next year.
The move was commended by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as "the type of forward-leaning thinking that will ultimately keep the American people safer online."
Apple and Google have both been working toward a password-less future for a while. Apple started letting developers test passkeys in 2021, while Google outlined some of its password replacement mechanisms at Google I/O the same year.
That means that users on Google and Microsoft platforms will also be able to use some type of passkey-like system to authenticate. That doesn't affect Apple users, but more people staying safer online is good for the internet as a whole.
It's likely that Apple devices will be the first to actually get access to FIDO-backed WebAuthn standards. Google will likely follow suit, meaning that the vast majority of smartphone users will have a password-less option. Over time, consumers will get familiar with a password-less system and adoption will grow.
A password-less future may not be here just yet, but it'll be here sooner than you'd think.