Excellent point of contention. It would be great if Apple offered a separate app with features like Strongbox and or Bitwarden does (or 1Password for the MR enthusiasts).
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Aiming to Eliminate Passwords With Face ID/Touch ID Passkeys
- Thread starter MacRumors
- Start date
- Sort by reaction score
It isn't vendor lock on purpose.
"At the current time, passkeys only work with Apple devices, so Apple is talking to partners at FIDO and the World Wide Web Consortium about a wider solution that would allow users to eliminate passwords across non-Apple devices as well."
When you generate a complex password, you send it to the site each time you login. They encrypt it and compare it to an encrypted version of the password they have stored (if they are doing it right). That means the site you visit has either your actual password, or an encrypted version of it.
When that website gets hacked, the passwords (or encrypted versions) get to the bad guys, who can often decrypt the passwords, even if they are complicated, because of flaws in how the websites handle the encryption, etc.
This new system works by generating a pair of keys related by a mathematical function. The function is such that if you know one number, it’s essentially impossible to figure out the other number. Now the website you visit just has to store one of those numbers, and you have the other of those numbers. If their website is hacked, they only have a bunch of public keys which are essentially useless.
They are there to keep you safe. For example, if you are kidnapped and you are forced to look at the screen to open it. You can hold two buttons down as you take your phone out of your pocket and it will lock Facetime out and require a passkey that you type.
They you change the face associated with your iCloud account?
Personally I don’t see how this is any sort of usability win over the current system. I use FaceID and Safari logs me into the site, just like now.
It may be a security win, of course.
Seems kinda risky though, locking all your account access behind a single provider, be it Apple or anyone else. Mind you, in a sense you do that already with your email provider.
For so many years I have been baffled by public/private key encryption so thanks for that YouTube link. Even an old man with most of his brain cells retired could understand the paint analogy, and if I watch the video a few dozen more times I might even grasp the numbers.
Guys.... they want to REPLACE passwords... not manage them. And they want it open for all platforms not just Apple.
Exactly but nobody wants to actually read and research this. They would rather just complain or accuse Apple of trying to lock them in further.
I hope they add Touch ID in the Power Button to more iPads and the iPhone. I’d be glad to use Touch ID in lieu of passwords.
This is a good question, but the answer is based on legal reasons, not technological ones. Touch ID and Face ID are both stronger than (simple, 4- or 6-digit) passcodes.
The reason Apple will at times (after a restart, after pressing and holding the power and volume button, after a few failed attempts, etc) disable Touch ID or Face ID is to protect you. Legal precedent (in the US) has established that courts/police CANNOT legally require you to provide a passcode (for self-incrimination reasons, basically requiring you to testify/provide evidence against yourself) but they CAN force you to provide biometric data like a fingerprint or facial scan.
The issue isn’t that Touch ID and Face ID aren’t secure, it’s that Apple is trying to protect you from government overreach. This is very much a benefit, not a flaw.
Ummm..isn't that just a password manager, unlocked by face ID, with auto-paste/login enabled?
Be thankful that it does. I’ve spoken to more than a few people who forget their passcodes and had to erase their iPhones and start from scratch. And not all of them had backups! I love getting the regular reminder…especially at my age 😄🤣🙃
He said they might use this not that they currently do. Try being nice you might enjoy it
If Passkeys in iCloud Keychain is based on a non-proprietary implementation of public-private key cryptography, I probably would be willing to store login information in the cloud for the first time.
Why? Because if the private key never leaves the device that generated it and if only your public key is stored in the cloud, the system will be more secure than most sign-in methods currently offered.
Company-level breaches, such as what happened at Yahoo, will be more difficult to pull off. Individual level attacks, such as SIM swapping and phishing, won't work. No, it's not perfect security of course–there's no such thing–but let's face it, we gotta move away from SMS, voice calls, emails, "secret" questions+answers, and personal facts from credit reports for authentication. All of those are ridiculously insecure in an age of social media, VOIP, and automated hacking.
Why? Because if the private key never leaves the device that generated it and if only your public key is stored in the cloud, the system will be more secure than most sign-in methods currently offered.
Company-level breaches, such as what happened at Yahoo, will be more difficult to pull off. Individual level attacks, such as SIM swapping and phishing, won't work. No, it's not perfect security of course–there's no such thing–but let's face it, we gotta move away from SMS, voice calls, emails, "secret" questions+answers, and personal facts from credit reports for authentication. All of those are ridiculously insecure in an age of social media, VOIP, and automated hacking.
Last edited:
