Apple and other tech giants want to get rid of passwords for online accounts and apps. Here's why that's going to be a great thing for your online account security.
At its WWDC 2022 keynote on Monday, the iPhone maker announced a new feature called passkeys. It's essentially a new type of login credential that seeks to replace passwords for signing in to accounts. It will debut in the fall in iOS 16, macOS Ventura, and Apple's other 2022 operating system updates.
While passwords may be familiar, they actually come with a number of disadvantages that passkeys could address. Here's what you should know about the feature — and how it signals a broader move toward a more secure online ecosystem.
What are passkeys?
Apple passkeys are a cryptographic sign-in credential rather than a biometric standard as such; Face ID or Touch ID only unlocks the key stored on your device. Instead of typing in a password to log into an app or online account, you'd use that passkey.
Passkeys are based on WebAuthn, the W3C Web Authentication API, a standard that uses public key cryptography for authentication: your device holds a private key, and the service stores only the matching public key. You can think of a passkey as a software version of a hardware security key.
Once you set up a passkey on an account, you'll be able to use it to log in by authenticating with either Face ID or Touch ID.
When it comes time to get into your account, the website or app sends a random challenge to your device. Your device signs that challenge with the private key once you scan your face or your fingerprint, and the service checks the signature against the public key it stored when you set up the passkey. From your side it's a one-tap login, so it combines stronger security with increased convenience.
Also, passkeys can be backed up to iCloud and synced across your iPhone, iPad, and Mac devices in an end-to-end encrypted fashion.
You'll also be able to log into your accounts on non-Apple devices by using an iPhone or iPad to scan a QR code and then authenticating with biometrics.
Although passkeys were formally announced at WWDC 2022, Apple previewed the feature at its developer conference in 2021. At the time, Apple said it would be part of a multiyear effort to replace passwords with something more secure.
Benefits of ditching passwords
Passwords are the current standard for online account login and verification. However, despite their ubiquity, passwords aren't a very good standard.
For one, users need to remember them. That leads to the common practices of choosing easily guessable passwords or reusing the same password across multiple services. Both make it easier for an attacker to break into your accounts: a guessable password falls to brute-force guessing, and a reused one leaked from one site works on every other site where it was reused.
Passwords are also exposed to attacks on the services that store them, including data breaches. A hacker could also phish you by tricking you into typing your password into a fraudulent website that looks like the real one.
On the flip side, a passkey is tied to the specific website or app it was created for, so it can't be reused across services. Since it's stored on your device, you won't need to remember a complex password, or be tempted to go with a simple and easily guessable one.
Passkeys also can't be phished or stolen in a data breach the way passwords can. The private key never leaves your device, and the service stores only the public key, which is useless to an attacker on its own. Because a passkey is bound to the site it was registered with, a look-alike phishing site can't trigger it, and a signature produced for one site won't verify at another.
A password-less future
The passkey announcement is not just a shiny new feature for Apple users. Instead, it's very much a herald of things to come. We're heading toward a password-less future — and Apple's devices will be among the first to get a taste of it.
Back in May, Apple partnered with Google and Microsoft to expand support for password-less authentication across their platforms. Normally rivals, the three companies pledged to back new standards from the FIDO Alliance on mobile, desktop, and browser over the coming year.
The move was commended by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as "the type of forward-leaning thinking that will ultimately keep the American people safer online."
Apple and Google have both been working toward a password-less future for a while. Apple started letting developers test passkeys in 2021, while Google outlined some of its password replacement mechanisms at Google I/O the same year.
That means users on Google and Microsoft platforms will also get a passkey-style way to authenticate. Apple users won't notice that directly, but more people staying safer online is good for the internet as a whole.
It's likely that Apple devices will be the first to ship FIDO-backed passkeys to consumers at scale. Google will likely follow suit, meaning the vast majority of smartphone users will have a password-less option. Over time, consumers will get familiar with a password-less system and adoption will grow.
A password-less future may not be here just yet, but it'll be here sooner than you'd think.
36 Comments
How will Passkeys intersect with current password managers like 1Password and LastPass?
The reason I’m not liking this news is because TouchID _sucks_. Passwords suck too, but at least I can use a password manager, and never worry about signing in (unless the password expires or is compromised in a leak, etc.). But biometrics are unreliable. I have to re-train my TouchID constantly—several times a week—or it forgets my fingers. I can see it degrading within hours, failing multiple attempts, and forcing me to go into Settings to tune it, tune it, tune it. Is it more secure? Maybe. But it requires so much babysitting and handholding and just _effort_ that I’d much rather be using a password any day!
I can’t be the only one for whom TouchID doesn’t work. (FaceID is fine.)
- What if I have multiple devices?
- What if I lost my device?
- Can I revoke passkeys from another device I own?
I'm all for a new standard, but in order for people to adapt to this, they need a bit more info that isn't too technical.
"A truly password-less future" is too much marketing and hyperbole, since your iCloud username and password will still be needed at the core of this technology. At best it's just significantly reducing your passwords in favor of biometrics on your Apple devices with an iCloud backend.
1) It syncs with iCloud.
2) You put that old device in lost mode, potentially erase it, and when you get a new one you sign into iCloud on it to get access to your accounts that use that Apple passkey system.
3) You probably just revoke the account (passkey) or the device, but maybe they'll let you revoke a specific account (passkey) from a specific device.