With Passkey in iCloud Keychain, the iPhone maker advocates passwordless authentication with Microsoft and Google.
Apple has started testing Passkey, a new authentication technology it says is as easy to use as a password but is much more secure. Part of iCloud Keychain, a trial version of the technology will come with iPhone, iPad and Mac later this year.
To set up an account on a website or app using a passkey, you first choose a username for the new account, then use FaceID or Touch ID to confirm that it’s actually you who’s using the device. You never choose a password. Your device handles the creation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.
To use the passkey for subsequent authentication, you’ll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers will need to update their login processes to support Passkey, but this is an adaptation of existing WebAuthn technology.
“Since it’s just one tap to sign in, it’s easier, faster, and more secure than almost all common forms of authentication today,” Apple authentication experience engineer Garrett Davidson said Wednesday at the company’s annual conference.
Apple’s technology is the latest example of the growing interest in passkeys. It’s designed to be more secure than the list of passwords you tape to the side of your monitor. Traditional password security suffers from shortcomings, primarily our inability to create and remember unique ones. So Apple is working with Microsoft, Google and other companies to come up with alternatives.
Moving beyond passwords is a significant effort, given how ubiquitous they are and how difficult it is for businesses and consumers to adopt the changes. However, in an age when our accounts are at risk from cyberattacks and phishing scams, this is important.
“The most common security vulnerability today is still bad passwords,” Jane Fitzpatrick, senior vice president of core systems at Google, said at the Google I/O developer conference in May. “Finally,“
Has over 200 million account holders. By comparison, the security site Have I Been Pwned has matched more than 613 million stolen passwords. The site’s operator, Troy Hunt, is an advisor to Microsoft and began linking passwords discovered by the FBI in May.
The technology behind Apple’s passkeys is built on WebAuthn technology that originated from the FIDO (Fast Identity Online) Alliance, a consortium that is overhauling authentication with hardware security keys. Apple’s approach includes a fundamental part of WebAuthn, a combination of public and private encryption keys already built deep into communications security and many other established processes.
The technology only works with Apple devices, but Apple recognizes that passkey’s success requires availability on Windows computers and Android smartphones as well. To this end, Apple is talking to industry partners in FIDO and the World Wide Web Consortium (W3C) about the technology.
Stop phishing attacks
Phishing is a problem that FIDO, WebAuthn, and Apple’s passkeys are designed to fix. The login technology is tied to a specific app or website, so it doesn’t work if someone tries to fool you into signing in on a fake.
Such an approach means that the servers that handle logon no longer need to be filled with a treasure trove of secret logon information that entices hackers. “Servers are a less valuable target because there are no authentication secrets for an attacker to steal,” Apple’s Davidson said.
Hardware security keys also block phishing, but come with a number of drawbacks, for example the need to carry them around at all times and the difficulty of recovering account logon privileges if the fob is lost.
Passkeys get around both problems, Apple says. Everyone already carries their phone, face and fingers. Accounts can be recovered through Apple’s iCloud Keychain if a user’s devices are lost, damaged or stolen. It’s not yet clear how that aspect of the passkey will work beyond Apple devices. (Apple encrypts iCloud Keychain data, and re-creating it without a device may require a previously used password.)
Apple does not view Passkey as a form of two-factor authentication, a robust login security approach that typically combines passwords with other authentication steps such as a biometric scan. But the company believes that the passkeys are strong enough to obviate the need for two-factor authentication.
Apple is making a preview version of Passkey available in future developer builds of iOS, iPadOS, and macOS. It is disabled by default while Apple and external developers test the technology.