Apple’s passkeys were announced at WWDC 2022 and will launch with the arrival of iOS 16 in the fall. These magical keys are set to change the way we log in to all of our apps and websites, but what are they, how do they work and are they really safer? Apple’s VP of Internet Technologies, Darin Adler, and Senior Director of Platform Product Marketing, Kurt Knight, sat down with me for an exclusive talk about passkey technology.
“It's hard to remember now because today, virtually everyone has a passcode on their phone, but prior to Touch ID, it was not actually the norm. Those extra digits were a huge inconvenience for people,” says Kurt Knight, Senior Director of Platform Product Marketing.
Today we use passwords almost everywhere. But the systems that increase our digital security also create barriers for us, slowing down our access, whether that’s putting in your passcode, entering a username and password, or doing a two-step authentication using your phone or a code generator.
Apple’s passkeys aim to remove those barriers by speeding up the login process while also making it more secure. They do this in two ways. The first is speed: any login using a passkey can be approved with your regular Face ID or Touch ID, or with another device you have on you, to confirm it’s really you. All you need to do is click to approve and you’re instantly logged in. No more typing in usernames or passwords.
The second part is security. While password managers and multi-factor authentication can help make things safer, they are not foolproof. Passkeys use what’s known as public key cryptography. This comprises a public key (like a username) that is shared with the website and a private key that remains on your device. Unlike with a password, your private key is never even shown to the website, let alone stored. Instead, the website sets your device a challenge that can only be solved using that private key, and uses the public key to check the answer.
“Passkeys solve the security issues with passwords today. They can't be phished, they can't be leaked, and at the same time, they're dramatically easier to use,” says Knight. “They take all the guesswork of protecting your accounts. It's one choice and it's secure.”
Password managers can still be hacked
Many of us use a form of password manager to hold our passwords. There are even password managers now built into browsers like Chrome. All you need to do to access your passwords is enter your device password or use your Touch/Face ID. But with password managers, you are still sharing your password with other devices. Data leaks or hacks of websites can expose these passwords, leaving your accounts very vulnerable. With passkeys, though, even if someone hacked your favourite website, all they would get is your public key. And without the private key on your device, it’s not enough to gain access to your account.
Touch ID (followed by Face ID) revolutionised digital security for Apple users. It made added security simpler and encouraged people to be more secure. Apple’s passkey system will take that to the next level.
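The challenge-response login described earlier and the breach scenario above, as an added example (not code from Apple, the FIDO Alliance or this article). It is a simplified model that goes slightly beyond the text by also tying the signature to the website's origin; `SITE`, `serverDb`, the function names and the example.com origins are assumptions made for illustration.

```javascript
// Added example: a simplified passkey login, not Apple's or the FIDO Alliance's code.
// Real WebAuthn signs authenticator data plus a hash of the client data; here the
// device signs a small JSON object so the flow stays visible.
const nodeCrypto = require('node:crypto');

const SITE = 'https://example.com'; // constructed origin of the real website
const serverDb = new Map();         // everything a breach of the website would expose
const pending = new Map();          // challenges issued and not yet used

// Device: create a key pair. Only the public half is ever sent to the website.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Website: registration stores the public key and nothing else.
function register(user, publicKeyPem) { serverDb.set(user, { publicKeyPem }); }

// Website: a fresh random challenge for every login attempt.
function issueChallenge(user) {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(user, challenge);
  return challenge;
}

// Device: sign the challenge together with the origin the browser is really on.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Website: accept only a valid signature over its own origin and its own unused challenge.
function verifyLogin(user, { clientData, signature }) {
  const record = serverDb.get(user);
  const expected = pending.get(user);
  pending.delete(user); // single use, so a captured response cannot be replayed
  if (!record || !expected) return false;
  if (!nodeCrypto.verify('sha256', Buffer.from(clientData), record.publicKeyPem, signature)) return false;
  const { challenge, origin } = JSON.parse(clientData);
  return challenge === expected && origin === SITE;
}

const device = createPasskey();
register('alice', device.publicKeyPem);
const login = (key, origin) => verifyLogin('alice', signAssertion(key, issueChallenge('alice'), origin));
console.log('real site:', login(device.privateKey, SITE));
console.log('lookalike origin:', login(device.privateKey, 'https://examp1e.com')); // constructed
console.log('key not registered:', login(createPasskey().privateKey, SITE));
```

The website's record for a user holds only `publicKeyPem`, which can check a signature but cannot produce one.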
“What's unique about passkeys is that combination of using the device already in your pocket with the iCloud keychain,” says Darin Adler, Apple’s VP of Internet Technologies.
Apple’s iCloud Keychain works to save passwords like a password manager, but with the iOS 16, iPadOS 16 and macOS Ventura updates, it will also be able to hold your passkeys.
Logging on using passkeys
When you go to log on to a website that uses passkeys, it will work much the same way as before. In fact, websites will be able to offer both passkey and password sign up in parallel without an issue (they don’t need to choose between the two methods). Your iCloud Keychain will offer up your public passkey when you click to sign in and all you will need to do is confirm with a Touch/Face ID, or if you’re on a Mac, by confirming on your phone.
In a video from WWDC 2022, you can see the passkeys in action. First it shows the process of adding a passkey to your account (websites are likely to offer this in your account settings). Then it shows the process of logging in with a passkey. Rather than putting in a username and password and then getting a two-factor authorisation, the user selects the username field as before. Instead of the user entering a username, the iCloud Keychain suggests using the new passkey. With one tap, it activates Face ID, approves and logs the user straight in.
“Passkeys fit in the way password autofill did, and with Touch ID and Face ID, only you make the choice of using a passkey. You don't have to teach yourself something new. That gives this powerful new level, but it's truly easy, easy to use,” says Adler.
Access everywhere, for everyone
The beauty of this passkey system is that it’s not Apple-only. It was developed in cooperation with Google and Microsoft, through the FIDO Alliance. This means you can still use your iPhone to authenticate on a PC – you’ll just be presented with a QR code to scan on your phone to start the process. Similar processes are expected for Android phone users when using a Mac.
Apple is expecting a fast implementation of the passkey system from launch. Developers gained access to passkey technology at WWDC 2022, back in June, so they have time to implement it before the iOS 16 / macOS Ventura launch. It’s even expected that website builders will offer small businesses the facility to add passkey access into their websites, with little disruption.
The end of passwords
So will passkeys completely eliminate the password? Well, for now you will still need a master password to access your iCloud Keychain, which stores your passkeys and passwords. If for some reason you need to remove access to your keychain or change your passkeys, you can do that in much the same way as you would with passwords. The difference is that even if someone has one of your devices, they would still need your password, Face ID or Touch ID to access your keychain.
The beauty of your passkeys being held by the iCloud Keychain is that they are not simply tied to a single device.
“We know people lose their phones, they upgrade to a new phone, or switch to a different phone you're kept secure,” adds Adler. “The way iCloud Keychain achieves that is that it’s end-to-end encrypted. So those are strong cryptographic keys, and they're not known to Apple. It gets the info from one of your other devices, without Apple having access to your credentials.”
Of course, if someone has access to your phone or laptop, that doesn’t mean they can access your passkeys. You still need to enter your biometrics or master password to access your Keychain. For now at least, the one master password will remain – after all, you can’t access passkeys with a passkey.
What do I need to use passkeys?
Any device running iOS 16 can support passkeys; it doesn’t even need to have Touch ID or Face ID, just a camera and Bluetooth. And thanks to the FIDO Alliance, you will be able to take your passkeys with you, even if you switch to an Android device.
“We're working with FIDO Alliance so that you'll be able to migrate your passkeys from one platform to another,” adds Knight. “And in addition to working with websites, across Apple products and across platform, we're also bringing this technology to support apps, with all of the same benefits for users and developers.”
Kurt and Darin expect that the rollout of passkeys in third-party websites and apps will be fast, partly because it can run in parallel with passwords. While this is unlikely to be the big feature people are talking about when iOS 16, iPadOS 16 and macOS Ventura launch, it is perhaps the one that will have the biggest effect on your online safety.