Think about it. If someone manages to obtain your password for a single service, through a data breach, social engineering, or phishing attack, your identity and personal information could be compromised. This can lead to anything from people spying on children’s cameras to hackers stealing money from your bank account.
Yes, there are alternatives to manually entering passwords, like the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have joined forces through the FIDO Alliance to try to replace the password forever. Apple’s implementation is called Passkeys, which will arrive this fall in iOS 16, macOS Ventura, and iPadOS 16.
In an exclusive interview with Tom’s Guide, I had the chance to talk to Kurt Knight, Apple’s senior director of product marketing, and Darin Adler, Apple’s VP of Internet Technologies, about how passkeys work and how they can really make passwords a thing of the past.
What the hell are passkeys and how do they work?
Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server and that remain on your device. The best part? Hackers cannot steal passkeys in the event of a data breach or trick users into sharing them.
“Passwords are critical to protecting everything we do online today, from everything we communicate to all of our finances,” said Knight. “But they are also one of the largest attack vectors and security vulnerabilities users face today.”
That’s why Apple has pushed so hard for an alternative. Passkeys use Touch ID or Face ID for biometric verification and iCloud Keychain for syncing across iPhones, iPads, Macs, and Apple TVs with end-to-end encryption.
Other companies have tried replacing passwords with dedicated hardware, such as a physical security key, but those efforts focused primarily on corporate users and added another layer of complexity. Passkeys have a real chance to take off because they take advantage of a device you already own.
Passkeys rely on what is called public key cryptography. There is a private key, which is secret and stored on your device, and there is a public key that goes to a web server. Passkeys make phishing impossible because they never present the private key; you simply authenticate using your device.
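The sign-in described above can be sketched as a challenge and a signature. This is an added example, not Apple's or the FIDO Alliance's code: it is a simplified model rather than real WebAuthn message framing, and the function names, user name and `.example` origins are assumptions made for illustration. It also shows one detail beyond the text, that the signed data carries the origin reported by the browser.

```javascript
// Added example: simplified model of a passkey sign-in (not real WebAuthn framing).
const nodeCrypto = require('crypto');

// Device side: the private key is created here and never leaves this closure.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }), // the only part sent to the server
    // The origin is filled in by the browser/OS, not by the page asking for a sign-in.
    sign(challenge, browserOrigin) {
      const clientData = Buffer.from(JSON.stringify({ challenge, origin: browserOrigin }));
      return { clientData, signature: nodeCrypto.sign('sha256', clientData, privateKey) };
    },
  };
}

// Server side: stores public keys only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(user, { clientData, signature }) {
    const pem = this.publicKeys.get(user);
    if (!pem || !nodeCrypto.verify('sha256', clientData, pem, signature)) return false;
    const { challenge, origin } = JSON.parse(clientData.toString());
    // delete() returns false for unknown or already-used challenges (replay).
    return origin === this.origin && this.pending.delete(challenge);
  }
}

function demo() {
  const rp = new RelyingParty('https://stream.example'); // constructed origin
  const passkey = createPasskey();
  rp.register('alice', passkey.publicKeyPem);
  const good = passkey.sign(rp.newChallenge(), 'https://stream.example');
  // A look-alike site relays a fresh, real challenge, but the browser reports its own origin.
  const phished = passkey.sign(rp.newChallenge(), 'https://stream-login.example');
  return {
    legit: rp.verify('alice', good),     // true
    replay: rp.verify('alice', good),    // false: challenge already consumed
    phished: rp.verify('alice', phished), // false: origin mismatch
    serverHoldsPrivateKey: [...rp.publicKeys.values()].some((v) => v.includes('PRIVATE KEY')),
  };
}
```

The server's stored data contains only public keys, so a breach of that store yields nothing that can be used to sign in.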
“People almost always have phones with them,” Adler said. “Face ID and Touch ID verification gives you the convenience and biometrics we can get with an iPhone. You don’t have to buy another device, but you don’t have to learn a new habit either.”
Wait, what if you’re not using an Apple device?
Let’s say you sign up for a streaming service on your iPhone but need to log into your Roku. What do you do when your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to confirm that you are trying to sign in before confirming or denying the request to the app or website running on the other device.
Also, if someone is trying to access a service using an iOS device or a Mac that isn’t yours, the passkeys can be shared via AirDrop.
“The cross-platform experience is super easy,” said Knight. “So say you’re someone who has an iPhone, but you want to go and log in on a Windows computer. You’ll be able to get a QR code that you can then scan with your iPhone and then be able to use Face ID or Touch ID on your phone.”
In other words, the computers will communicate with each other to make sure you are nearby for security reasons and will confirm that you are logged in.
An unbreakable keychain
For passkeys to work on multiple Apple devices, including iPhones, iPads, Macs, and Apple TVs, something is required to synchronize information with end-to-end encryption. And that’s where iCloud Keychain comes in.
iCloud Keychain is already used to keep your passwords and other secure information (like credit cards) in sync across all of your devices. But the arrival of Passkeys takes things to the next level.
So what if you don’t have access to your iPhone? iCloud Keychain also allows you to recover previous keys via iCloud if your Apple device is lost or stolen.
This is why it is so crucial that Apple created Passkeys on top of iCloud Keychain.
“The iCloud Keychain made this possible, and the security that was previously limited to people who would be willing to carry additional hardware can be made available to everyone with the phone,” Adler said. “So I think these two things come together in a very special way.”
What are the prospects for passkeys?
Passkeys will be built into operating systems for iOS 16, iPadOS 16, and macOS Ventura, but Apple is also working with developers to integrate Passkey support into their apps.
Apple has not yet been able to share which Passkey-compatible apps will be available at launch, but there seems to be momentum already in the background. And it’s not just about ease of use.
“These public keys really have no value. There is nothing worth stealing,” Adler said. “So this will reduce the liability for developers running services … and developers will want to take advantage of it because of less liability.”
According to Adler, developers have everything they need to start rolling out passkeys now, and consumers will get support when they upgrade their Apple devices to the newly released software this fall.
So despite all the previous hype about killing the password forever, this time it could really happen.
“This is not a future dream to replace passwords,” Knight said. “This is something that will be a road to completely replacing passwords and is starting now.”