Apple’s passkeys could be better than passwords. Here’s how they’ll work.
Can a new system improve the way we sign into websites and apps?
Passwords stink as a security system. Humans are flat out terrible at creating long, unique, secure passwords. Most of us reuse the same short strings of meaningful information again and again—and even secure passwords aren’t very good. Social engineering attacks like phishing can con people into giving up even the longest of passwords, or they can be leaked if an entire unencrypted database gets hacked. This is a big problem for tech companies who are on the hook for keeping your data safe, not to mention the individuals themselves who suffer a privacy breach. So, Apple, Microsoft, Google, and the other companies in the FIDO Alliance have set out to develop a better solution called “passkeys.”
At its Worldwide Developers Conference (WWDC) this week, Apple announced its implementation of the newly agreed upon passkey standards. It will roll out with iOS 16 and macOS Ventura, so it’s the first real-world look we’ve had at the long-promised password-less future (the FIDO Alliance, which is an industry group dedicated to “solving the World’s password problem,” has been working on this for a decade).
In the WWDC keynote, Apple’s vice president of internet technologies, Darin Adler, called passkeys a “next generation credential that’s more secure, easier to use, and aims to replace passwords for good.” That’s actually a pretty good summary—and doesn’t even oversell it.
So how will they work? Passkeys are built on the WebAuthentication, or WebAuthn, standard. It uses a cryptographic principle called public-key cryptography to secure your accounts. It’s the same idea that’s used for end-to-end encryption in iMessage, Signal, and other secure communications apps. Instead of creating a password for an account, your device will create a unique pair of mathematically related keys: a public key and a private key. The public key is stored on the server (because, as the name suggests, it’s not a secret) and will allow the website or app to verify your account—as long as you have the matching private key. The trick is that because of how the math works, the private key never needs to get shared with the server. Your device can do all the authentication without ever revealing it. It’s neat tech, and it has serious security implementations.
Although passkeys might sound complicated (and the underlying cryptography is indeed complex), in practice, they will make signing up for new accounts even simpler. You will just use Touch ID or Face ID, and your iPhone, iPad, or Mac will do the rest. You don’t have to come up with a long password, add in a few $s and &s, and then try to remember it. You won’t even see your public or private keys. It’s all done in the background, which takes the squishy, unreliable human element out of things.
Also, passkeys can’t be phished. Your public key for any given site isn’t privileged information. All that matters is the private key, which never leaves your device. A fake website designed to impersonate your bank, Ebay, or some other account can’t trick you into giving it up. It can set up a login prompt, but it just won’t do anything.
Apple’s implementation of passkeys—at least in the supporting docs and WWDC talk—sounds solid. They will be synced between your devices using iCloud Keychain (which is end-to-end encrypted itself). Even Apple won’t have access to your private keys.
The system has been designed so that your logins are safe, even if your Apple ID is compromised, you lose all your devices, or a rogue Apple employee tries to hack the iCloud Keychain servers. It requires you to use two-factor authentication with your Apple ID, which makes it much harder for an attacker, even one with your iCloud password, to set things up on a new device. There’s also a system called iCloud Keychain escrow that handles restoring your passwords if you lose your devices. It’s resistant to brute force attacks even by Apple.
While we’re still waiting to see how Microsoft, Google, and the other big tech companies roll out passkeys, they have all pledged to make them interoperable across as many different devices as possible. We got a hint of that in the WWDC announcement when Adler demonstrated using an iPhone to login to a website by scanning a QR code. This would allow you to do things like check your email on a friend’s computer or print something in a hotel without a password.
In short, this looks to be as secure a system as can reasonably be designed. There are always going to be attack vectors, and dedicated hackers targeting specific individuals may find and use them, but for regular people this system should solve three of the biggest problems: weak passwords, leaked passwords, and phishing.
Watch the relevant bit of WWDC, below: