Apple puts the password on life support with passkey

The “passwordless future” is something many internet users—and a great majority of the cybersecurity industry—have hoped for. Now Apple is about to make those hopes a reality.

With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its password replacement, for iPhones, iPads, and Macs. The word “passkey” is not unique to Apple, however. Microsoft and Google are using the term, too.

Apple’s passkey works like a password in that it is used in the same sign-in fields where you would otherwise enter a password. It also acts as a digital key that users create to access their apps or websites.

A video demonstrating passkey’s use in Apple’s WWDC 2022 event shows a prompt on the user’s device before sign-in or during account creation, asking if they would like to “save a passkey” for the account in use. Once users say yes, they are prompted to authenticate the passkey creation using Face ID, Touch ID, or another method. The created passkey is stored in the user’s iCloud Keychain and synced across all Apple devices and Safari web browsers.

Whenever a passkey is created, the device’s system creates a pair of digital keys: a public key and a secret key. According to Garrett Davidson, an Apple engineer, in the demo video, these keys are created “securely and uniquely” for every account. The public key is stored on Apple’s servers, while the secret key is kept on the device.

When signing in to an account protected by a passkey, the website or app relies on the secret key kept safe on the device to prove that the user is who they claim to be. And because Apple’s passkey is based on the passwordless standards defined by the FIDO Alliance, it’s likely the passkey can be stored elsewhere, including in password managers that support passkeys, such as Dashlane.
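To make the key-pair mechanism described in the two paragraphs above concrete, here is an added Go example (not Apple’s code and not from the WWDC demo) of the registration and challenge-response sign-in that FIDO-style passkeys rely on: the site keeps only the public key, the device signs a fresh random challenge with the secret key, and the passkey refuses to sign for any site other than the one it was created for. The site names, the account name and the way the challenge is hashed together with the site identity are illustrative assumptions, not the real protocol’s encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty models the website or app (site IDs used with it are constructed samples); it stores only public keys.
type RelyingParty struct{ ID string; pubKeys map[string]*ecdsa.PublicKey }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}
// Passkey models the secret half kept on the device, scoped to the site that created it.
type Passkey struct{ rpID string; priv *ecdsa.PrivateKey }
// Register generates a fresh P-256 key pair for the account; only the public key goes to the site.
func Register(rp *RelyingParty, account string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[account] = &priv.PublicKey
	return &Passkey{rpID: rp.ID, priv: priv}, nil
}
// NewChallenge issues a fresh random nonce per sign-in, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData binds the challenge to the site identity, so a signature only counts for that site.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Sign proves possession of the secret key without revealing it; origin is the site the browser is really on, and a passkey scoped to another site refuses.
func (pk *Passkey) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != pk.rpID {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, pk.priv, signedData(pk.rpID, challenge))
}
// Verify checks the signature against the stored public key; the secret key is never sent.
func (rp *RelyingParty) Verify(account string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[account]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
```

The refusal in Sign is the software counterpart of the phishing resistance the article goes on to describe: a look-alike domain never receives a usable signature, and an old signature is useless against a fresh challenge.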

Those with devices other than Apple’s can still take advantage of passkeys. However, the process is slightly different, because passkeys won’t be stored on non-Apple devices. For example, to access a browser account on a Windows machine, the user would scan, with their iPhone, a QR code containing a URL to a single-use encryption key. Once the code is scanned, the machine and the iPhone can communicate over Bluetooth using end-to-end encryption and share information.

“That means a QR code sent in an email or generated on a fake website won’t work, because a remote attacker won’t be able to receive the Bluetooth advertisement and complete the local exchange,” Davidson said in the video.

“This has the potential to be far superior to weak passwords and chosen by people who don’t use a password manager or don’t know how to choose a password,” said Thomas Reed, Malwarebytes’ Director for Mac & Mobile. “So even if this isn’t 100% perfect, it’s still going to be better than what most people are doing today.”