Along with 2FA, this is great stuff.

However, I wish Apple would make an app for managing passwords, credit cards, and passkeys. Burying them in the Settings app (or Safari Passwords Preferences or awful Keychain Access utility in macOS) is just not scalable.
Excellent point of contention. It would be great if Apple offered a separate app with features like those Strongbox and/or Bitwarden offer (or 1Password for the MR enthusiasts).
 
So... if you create an account for something on an Apple device you will be unable to use it on something non-Apple?

Vendor lock-in, anyone?
It isn't vendor lock-in on purpose.

"At the current time, passkeys only work with Apple devices, so Apple is talking to partners at FIDO and the World Wide Web Consortium about a wider solution that would allow users to eliminate passwords across non-Apple devices as well."
 
Is this any different from a user just setting a longer, more complicated password when making their account? When I'm making an account for a new site, I can have iCloud Keychain generate a complicated password and store it. This sounds like the same thing, but with a "WebAuthn credential" instead of a complicated password.

If it's different, can someone explain how?

When you generate a complex password, you send it to the site each time you login. They encrypt it and compare it to an encrypted version of the password they have stored (if they are doing it right). That means the site you visit has either your actual password, or an encrypted version of it.

When that website gets hacked, the passwords (or encrypted versions) get to the bad guys, who can often decrypt the passwords, even if they are complicated, because of flaws in how the websites handle the encryption, etc.

This new system works by generating a pair of keys related by a mathematical function. The function is such that if you know one number, it’s essentially impossible to figure out the other number. Now the website you visit just has to store one of those numbers, and you have the other of those numbers. If their website is hacked, they only have a bunch of public keys which are essentially useless.
 
And what if I have an MVA and need face surgery, and Face ID doesn't recognize me? Not a joke, happened to a friend.
 
I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
They are there to keep you safe. For example, if you are kidnapped and you are forced to look at the screen to open it. You can hold two buttons down as you take your phone out of your pocket and it will lock Facetime out and require a passkey that you type.
 
And what if I have an MVA and need face surgery, and Face ID doesn't recognize me? Not a joke, happened to a friend.
Then you change the face associated with your iCloud account?

Personally I don’t see how this is any sort of usability win over the current system. I use FaceID and Safari logs me into the site, just like now.

It may be a security win, of course.

Seems kinda risky though, locking all your account access behind a single provider, be it Apple or anyone else. Mind you, in a sense you do that already with your email provider.
 
Yes, it's different. It's like how SSH keys are handled. Your actual key is never sent to the remote site, so even if that site is somehow compromised, they won't get your key.

The "paint" analogy is my favorite:

For so many years I have been baffled by public/private key encryption so thanks for that YouTube link. Even an old man with most of his brain cells retired could understand the paint analogy, and if I watch the video a few dozen more times I might even grasp the numbers.
 
Siri can already detect who is speaking, so why not throw in this as a third authentication possibility?

Especially as Siri is now moving 'on device' to the Secure Enclave...
Too easy to fake, just play back a recording.
 
I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
This is a good question, but the answer is based on legal reasons, not technological ones. Touch ID and Face ID are both stronger than (simple, 4- or 6-digit) passcodes.

The reason Apple will at times (after a restart, after pressing and holding the power and volume button, after a few failed attempts, etc) disable Touch ID or Face ID is to protect you. Legal precedent (in the US) has established that courts/police CANNOT legally require you to provide a passcode (for self-incrimination reasons, basically requiring you to testify/provide evidence against yourself) but they CAN force you to provide biometric data like a fingerprint or facial scan.

The issue isn’t that Touch ID and Face ID aren’t secure, it’s that Apple is trying to protect you from government overreach. This is very much a benefit, not a flaw.
 
Only if I didn't have to enter my iCloud password all the time to re-enable Face ID.
 
They are there to keep you safe. For example, if you are kidnapped and you are forced to look at the screen to open it. You can hold two buttons down as you take your phone out of your pocket and it will lock Facetime out and require a passkey that you type.
It is to protect you, but not from kidnappers 😂
 
I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
Be thankful that it does. I’ve spoken to more than a few people who forget their passcodes and had to erase their iPhones and start from scratch. And not all of them had backups! I love getting the regular reminder…especially at my age 😄🤣🙃
 
If Passkeys in iCloud Keychain is based on a non-proprietary implementation of public-private key cryptography, I probably would be willing to store login information in the cloud for the first time.

Why? Because if the private key never leaves the device that generated it and if only your public key is stored in the cloud, the system will be more secure than most sign-in methods currently offered.

Company-level breaches, such as what happened at Yahoo, will be more difficult to pull off. Individual level attacks, such as SIM swapping and phishing, won't work. No, it's not perfect security of course–there's no such thing–but let's face it, we gotta move away from SMS, voice calls, emails, "secret" questions+answers, and personal facts from credit reports for authentication. All of those are ridiculously insecure in an age of social media, VOIP, and automated hacking.
 