Apple in iOS 16, iPadOS 16, tvOS 16, and macOS Ventura is introducing a new “Passkeys” feature that replaces traditional passwords when signing into a website or an app. Passkeys are more secure than passwords, and protect users from phishing, malware, and other attacks aimed at gaining account access.
According to Apple, Passkeys are next-generation credentials that are safer and easier to use than standard passwords. As Apple explains in a support document on the feature, Passkeys are built on the WebAuthn standard and use a unique cryptographic key pair for each website or account.
One key is public and stored on the website server, while the second key is private and kept on-device. On the iPhone and other devices with biometric authentication, Face ID or Touch ID is used to authorize the passkey to authenticate the user to the website. The keys must match to allow for a login, and because the second key is private and available only to the user, it cannot be stolen, leaked, or phished.
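The key-pair sign-in described above, as an added example that is not from Apple or the original article: a simplified challenge-response in Node.js rather than the full WebAuthn message format. The function names, the example.com and examp1e.com hosts, and the exact-hostname match are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Registration: the device makes a key pair for one site; only the public key leaves it.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Server: a fresh random challenge per sign-in attempt, so old responses cannot be reused.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: runs after Face ID / Touch ID approval (not modelled). The origin comes from
// the browser, not the page. Simplification: hostname must equal rpId exactly.
function signAssertion(device, challenge, origin) {
  if (new URL(origin).hostname !== device.rpId) return null; // no passkey for this site
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check the signature with the stored public key, then the challenge and origin.
function verifyAssertion(serverRecord, challenge, origin, assertion) {
  if (!assertion) return false;
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature)) return false;
  const signed = JSON.parse(assertion.clientData);
  return signed.challenge === challenge && signed.origin === origin;
}

// Constructed scenario: example.com is the real site, examp1e.com a lookalike.
function demo() {
  const site = 'https://example.com';
  const { device, serverRecord } = createPasskey('example.com');
  const first = newChallenge();
  const assertion = signAssertion(device, first, site);
  const edited = { ...assertion, clientData: assertion.clientData.replace(first, newChallenge()) };
  return {
    legitimate: verifyAssertion(serverRecord, first, site, assertion),        // true
    replayed: verifyAssertion(serverRecord, newChallenge(), site, assertion), // false
    tampered: verifyAssertion(serverRecord, first, site, edited),             // false
    lookalike: signAssertion(device, first, 'https://examp1e.com'),           // null
  };
}

console.log(demo());
```

The server record holds only the public key, so a copy of it lets nobody sign in, and the lookalike host never receives a signature at all.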
Passkeys rely on iCloud Keychain, which in turn requires two-factor authentication for further protection. Passkeys sync across all of a user’s devices through iCloud Keychain, which is end-to-end encrypted with its own cryptographic keys.
Passkey synchronization across accounts provides redundancy in case an Apple device is lost, but should all of a person’s Apple devices become lost and the passkeys along with them, Apple has implemented an iCloud keychain escrow function to recover passkey information. There is a multi-step authentication process to go through to recover an iCloud Keychain with passkeys, or users can set up an account recovery contact.
Though Passkeys sound complicated on paper, in practice using one will be as simple as using Touch ID or Face ID to create a passkey to go along with a login.
Apple has been working with members of the FIDO Alliance, including Google and Microsoft, to ensure that passkeys can also be used with non-Apple devices and across platforms. On non-Apple devices, Passkeys will work through QR codes that will authenticate using the iPhone, but it will require support from other companies, so it’s a standard that needs to be adopted across the tech world.
There are unknowns about what happens to passkeys when transitioning away from Apple to another platform like Android, as Apple has not detailed what would happen in this situation.
Apple says that transitioning away from passwords is going to take some time, but it will be working with developers to create a passwordless future.