You'd be forgiven for missing the Passkey announcement that came as part of Apple's WWDC 2022 keynote. There was a lot of information there, even for a well-versed tech journalist to follow. Among macOS Ventura's features, it might not be as flashy as the new Continuity Camera or Stage Manager, but it's arguably far more important.
Passkeys have the potential to completely change web security by eliminating the need for you (or even your password manager) to enter a password on a website. The theory is that if there's no password exchanged, there's nothing that can be compromised.
Perhaps the most important factor, though, is that Passkeys aren't a Mac-only technology. They are part of the work being done by the FIDO Alliance, which also includes Microsoft and Google, to create a passwordless internet. Apple's version, however, will be synced between your devices using the iCloud Keychain, which is also secured using end-to-end encryption.
How does Passkey work?
The process of using a Passkey won't feel that different to using Apple's Keychain or Google's Password Manager. When you sign up to a site, or update your security settings on an account, you will be given the option to use a Passkey instead of a password. Then each time you visit that site, instead of inputting a password, you will be asked to use your Touch ID or Face ID to verify – much as you can at the moment to access those stored passwords.
The difference is happening behind the scenes. With Passkeys, no password or other shared secret is actually exchanged. It's all based on the WebAuthn standard, which uses a public key, a private key and the cryptography between them. The private key never leaves your device; your device uses it to prove to the site that it holds the key, and the site checks that proof against the public key. This means it can't be phished or leaked, as it isn't stored on a web server.
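The sign-in exchange described above, sketched as an added example for Node.js; it is not code from Apple or the FIDO Alliance. It is a simplification of WebAuthn, not the full wire format, and the site names, function names and challenge values are constructed for illustration.

```javascript
// Added example: simplified WebAuthn-style sign-in with constructed data.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const newChallenge = () => randomBytes(32).toString('base64url');

// Registration: the device makes a key pair and the site stores only the public key.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, site: { publicKey } };
}

// Device side: sign the site's challenge together with the origin the browser
// is really on. Only the signature leaves the device, never the private key.
function deviceSign(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = sha256(new URL(origin).hostname); // stands in for WebAuthn's rpIdHash
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientData)]), device.privateKey);
  return { clientData, authData, signature };
}

// Site side: the challenge must be the one just issued, the origin must be the
// site's own, and the signature must verify under the stored public key.
function siteVerify(site, expected, a) {
  const { challenge, origin } = JSON.parse(a.clientData.toString());
  if (challenge !== expected.challenge) return 'stale challenge';
  if (origin !== expected.origin) return 'wrong origin';
  if (!a.authData.equals(sha256(new URL(expected.origin).hostname))) return 'wrong site id';
  const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
  return verify('sha256', signed, site.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { device, site } = register();
  const origin = 'https://shop.example'; // hypothetical site
  const c1 = newChallenge();
  const good = deviceSign(device, c1, origin);
  // A look-alike page relays the real challenge, but the browser reports its own origin.
  const phished = deviceSign(device, c1, 'https://shop-example.test');
  return {
    login: siteVerify(site, { challenge: c1, origin }, good),
    phishing: siteVerify(site, { challenge: c1, origin }, phished),
    replay: siteVerify(site, { challenge: newChallenge(), origin }, good),
    otherKey: siteVerify(register().site, { challenge: c1, origin }, good),
  };
}

console.log(demo());
```

Because the signed data includes the origin and a fresh challenge, a response captured by a look-alike page or from an earlier login is rejected by the real site, and a database breach at the site exposes only public keys.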
While Apple's Passkeys are designed to work across all Apple devices, the collaboration with the FIDO alliance means that you will be able to access websites on non-Apple devices too. In the keynote, Apple shows a QR code on a website, which can then be scanned by your iPhone to access your passkey – again, without sharing it with the website or third-party device.
The beauty of this is that it means you can still use the security on your work machine, or even a shared computer in a hotel lobby, without worrying about hackers.
While Apple admits the move to Passkeys is a journey, it's a significant one that brings genuine benefits to users. It will take time for websites to provide the facility for one, but I can't wait to ditch my password manager and use it.