would be nice if every website just asked your iPhone for confirmation it's you. no passwords ever again
Except the majority of phones on this planet are not iPhones. And let’s not forget that some people still like to, you know, log into websites on an actual computer.

At least the article states that apple is working to find a way to do this with all systems.
 
Potential accidental slip that the new iPhone will have both Touch ID and Face ID.

(Touch ID anywhere under the screen)
Face ID is only available on certain iPhones and the iPad Pro. The iPad, iPad Air, iPhone SE, all Mac laptops and now the M1 iMac still use Touch ID.
 
I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
Passcode is literally the door key of your device. Touch ID or Face ID is there to make your daily life easier. Are you willing to give your door key to a stranger?
 
I bet that gets complicated when signing in on a non-Apple device... I have found Sign in with Apple to be difficult enough at times.
Yeah, and a huge swath of Windows devices that don’t have at least a Touch ID thing, let alone Windows Hello. Does Linux support fingerprint sensors and facial recognition?
Password authentication will be around for eternity, in one form or another.
 
Guys.... they want to REPLACE passwords... not manage them. And they want it open for all platforms not just Apple.
Then they have to figure out a way for cheap devices to incorporate secure authentication methods. Or are they going to lock those devices out because they can’t use fingerprint sensor, Face ID or smart card? Until then, password will exist for a long time.
 
Then they have to figure out a way for cheap devices to incorporate secure authentication methods. Or are they going to lock those devices out because they can’t use fingerprint sensor, Face ID or smart card? Until then, password will exist for a long time.
They can just make it passcode enabled to do the same thing.
 
They can just make it passcode enabled to do the same thing.
Heh.
Consumer version of Windows 10 already supports passcode login but that’s just a convenient way to do daily sign-in. Password is still required. Picture password? Roughly the same deal. Unless they can figure out the proper replacement for “what you know” and implement “what you have” properly across devices of all tiers, password will not go away.
 
Heh.
Consumer version of Windows 10 already supports passcode login but that’s just a convenient way to do daily sign-in. Password is still required. Picture password? Roughly the same deal. Unless they can figure out the proper replacement for “what you know” and implement “what you have” properly across devices of all tiers, password will not go away.
A passcode for this isn’t the same thing as a password. It’s the equivalent of using a passcode on your phone instead of FaceID. The passcode isn’t credentialing you into a site, the private key is. The passcode is just authorizing the use of the private key.
 
Yeah, so where are all the disappointed people again who think this WWDC was lackluster? Please. It’s been like a week straight of some of the most substantial platform changes they’ve ever put out, especially with regard to authentication.
 
I bet that gets complicated when signing in on a non-Apple device... I have found Sign in with Apple to be difficult enough at times.

Microsoft has already implemented an option to go passwordless (for Microsoft/Outlook Accounts) via the Authenticator App. Apple could go this route and just authenticate using the biometrics of the nearest trusted iDevice a user has (same as iCloud 2FA notifications).

With MS’ implementation, 1. you request a login, 2. your phone/Apple Watch gets notified, 3. the app requests your biometrics first before giving you 3 random numbers; select the same number displayed by the website.

It's tedious at first, especially with set up and the number of things you need to physically do, but the peace of mind I have with this method makes me excited if more apps and websites follow suit.

Sign in with Apple will get easier if this option is launched + cross platform support is technically possible if you have at least one iDevice w/ biometrics.
 
The problem is those 3% of times I'm on a non-Apple device and I bet this is a pain, especially logging in with my Apple ID and the subsequent 2-factor code.
Did you read the article? It clearly stated that Apple: “At the current time, passkeys only work with Apple devices, so Apple is talking to partners at FIDO and the World Wide Web Consortium about a wider solution that would allow users to eliminate passwords across non-Apple devices as well.”
The problem is those 3% of times I'm on a non-Apple device and I bet this is a pain, especially logging in with my Apple ID and the subsequent 2-factor code.
 
Potential accidental slip that the new iPhone will have both Touch ID and Face ID.

(Touch ID anywhere under the screen)

Not necessarily a slip up or hint of anything. Apple is still selling new devices with Touch ID: the iPhone SE, iPad Air, iMac Magic Keyboard and some MacBooks.
 
I bet that gets complicated when signing in on a non-Apple device... I have found Sign in with Apple to be difficult enough at times.
The problem is those 3% of times I'm on a non-Apple device and I bet this is a pain, especially logging in with my Apple ID and the subsequent 2-factor code.
Sounds like a great idea, but what happens outside of the Apple ecosystem? For example logging into an account from an employer’s Windows machine or if (heaven forbid) a user leaves Apple’s world?
The underlying standard (Web Authentication) is well supported across all modern browsers and platforms. It is about devices which the user chooses to authenticate with, called authenticators. They have public/private cryptography underneath - they give each site a unique public key, then the authenticator locally authenticates the user (such as with FaceID on iPhone) and "proves" you are the same user to the site. Since it is a unique key pair per site, using the system does not leak that you are the 'same' person on different sites. Since it goes through the browser/platform, it becomes _very_ difficult for someone to phish you - Google reported after they deployed this technology to their employees, they completely eliminated all corporate phishing incidents.

Because you want to keep that private key private (it is literally the key to the kingdom), nearly all implementations have authenticators (like USB key fobs, or built-in platform support like the currently shipping Safari support) keep that key private and non-exportable.

So typically the idea would be that you have multiple keys registered (one for my android phone, one for my windows laptop, one for my iPad) the same way you might tell a site that password, Sign in with Apple, and Google Authentication are all ways you are willing to sign in. A site would likely also need a recovery mechanism if none of those work.

This announcement isn't that apple is supporting these standards, but that they are going to expand this concept (which has already been shipping since iOS 13) so that the private keys aren't necessarily for a single hardware device - but synchronized between all your devices. That makes it a lot easier, since you don't need to add each device to each website in order to use this simple, strong authentication system.

The standards also allow for a phone to work as an authenticator for another device by acting like a key fob (so via USB, Bluetooth, or NFC). So far, neither Google nor Apple have deployed these - too many computers do not have NFC, not enough people carry a set of appropriate USB cables around with them, and BLE has a nasty trade-off with battery drain vs user experience.

This would be soooo good. eBay might be using this feature; you can sign in with Touch ID rather than a password on their home website.
eBay is already using the underlying standard, so whether they support this really comes down to if (or more likely, when) they can create a good enough user experience.

Siri can already detect who is speaking, so why not throw in this as a third authentication possibility?

Especially as Siri is now moving 'on device' to the Secure Enclave...
You could! But such a system is "lighter" on authentication strength (even compared to things like PIN code), so they would also need to have an ability for sites/apps to opt out of that and mandate a "stronger" authentication form.

You typically see home "voice" authentication on the automation devices, because then it is somewhat multi-factor (you have to physically be in the home first, then do the voice-based biometric). There's also a difference in UX - an iPhone doesn't need voice authentication because they expect you are looking into the screen, and the abyss^HHHH camera is looking back.

Also, the underlying standard being leveraged pushes hard for user consent for authentication - you would likely want something where all you had to do is speak your request, without first prefixing that with saying "my voice is my password" or other consent phrase.

I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
Because you actually aren't authenticating into your device with TouchID/FaceID - you are authenticating with the password/pin! The device then caches that in the secure enclave, and uses biometrics to decide when to 'unlock' the device.

The process of turning a passcode into cryptographic keys to unlock your device is long-proven technology, while trying to get a consistent key out of a biometric scan (where the fingerprint/facial read is always slightly different) is a topic of ongoing research.

There are benefits to them not authenticating you with just TouchID/FaceID, such as the ability to put a phone in emergency mode until the PIN is entered. This keeps you from being forced to give a glance/fingerprint to unlock your phone while under duress, and changes the legal stance of forcing release of information in some jurisdictions.

Is this any different from a user just setting a longer, more complicated password when making their account? When I'm making an account for a new site, I can have iCloud Keychain generate a complicated password and store it. This sounds like the same thing, but with a "WebAuthn credential" instead of a complicated password.

If it's different, can someone explain how?
Sure, this is using a system called public/private cryptography, where instead of a single user-chosen secret you have a pair of computer-generated values. I can give out the public value to everyone as part of my identity, but I never give out the private value.

With passwords, I always have to share my secure secret password with the other site, which means they could potentially lose it. Also, most users are unfortunately not using super secret secure passwords, but using their dog's name and anniversary year on everything from recipe sites to their bank - so in the case of a data breach, their email address and that password gets tried against every other site.

With public/private key pairs, a site can ask me to prove I hold the corresponding private key to the public key I shared with them. This means that nobody can imitate me unless I decide to give out my private key - even if the site gets hacked and my public key gets stolen. For Apple's system, they would need to get a device on my iCloud account.

Since this isn't a password however, it won't leave the phone. So sites need some way to add other methods of authentication (such as the WebAuthn support built into Android and Windows), and/or to recover access if you completely lose access to your Apple devices.

Finally, most sites want multiple factors - holding an iPhone or key fob might count as one (physical), but they still want another (knowledge or biometric). You see sites that ask for a username and password and then use a yubikey as a second factor, as well as sites that will let you just log in with your phone and faceID.

For keys like Yubikeys, I might do a PIN entry to the computer to unlock the device - other than the operating system or browser seeing my PIN locally, that's still not a secret shared with the remote server. My key shares that I did additional 'user verification' with the site, which will use that potentially to decide to let me in without any other challenges. Having that PIN not be shared and having it only be usable if someone steals my physical key fob (plus the fob will factory wipe itself given enough bad guesses) means I can use much simpler passwords.
 
Excellent point of contention. It would be great if Apple offered a separate app with features like Strongbox and/or Bitwarden do (or 1Password for the MR enthusiasts).
Yes, but I think Apple has decided they want to get users away from needing to manage or think about authentication at all. In macOS 12 I've heard (but not yet tested) that they moved it out of Safari into the System Preferences app.

Similarly, I've heard there have been several attempts to kill "Keychain Access" over the years, but too many additional use cases sprung up from having user access and too many corner cases with keys being shared between apps.

And what if I have an MVA, need face surgery, and Face ID doesn't recognize me? Not a joke, happened to a friend.
The authentication into your phone and with this system will still work with your underlying passcode. You can also use that passcode to set up Face ID, but it may not work well depending on where you are with your face surgery (wrappings, scar tissue/swelling).

I'd love someone to call AppleCare when they have this problem and publicly share their experience honestly - I know that once you escalate enough they have _crazy_ tools to diagnose and help with FaceID issues.

Personally I don’t see how this is any sort of usability win over the current system. I use FaceID and Safari logs me into the site, just like now.

It may be a security win, of course.

Seems kinda risky though, locking all your account access behind a single provider, be it Apple or anyone else. Mind you, in a sense you do that already with your email provider.
It is definitely a security win and a privacy win. It is basically phishing proof (technically called phishing resistant, but that is because they take into account state actor attacks - like DNS attacks in concert with getting a CA to issue false TLS certificates).

The API they are using in Safari is a web standard supported by all browsers. However, it is for sites to be able to talk to "authenticators" like your iPhone - lose access to that, you can't prove who you are. But to deescalate that a bit, it is no different than if you completely forget a password.

The expectation is that sites will have some other way to log in, that they will support registering multiple authenticators so that you can use various different options (including similar support built into Android and Windows today), and that the site will have some plan for recovery if someone gets completely locked out.

The challenge is if the recovery is as hokey as most sites are today (e.g. I'll send you an email with a password) then you aren't seeing all the security wins from this that you could.

This is a good question, but the answer is based on legal reasons, not technological ones. Touch ID and Face ID are both stronger than (simple, 4- or 6-digit) passcodes.
Close - but what they do is use your passcode as a 'master secret'. Once you restart your device (or go into SOS mode) it purges all of the keys from memory, and only has encrypted versions of them stored in flash. It takes your passcode and operates on it in order to generate the key that every other key is encrypted with.

This is also the approach just about every password manager takes - changing your 'master password' means they write a new vault with the protected master key or keys. Otherwise, they would have to completely rewrite your vault when you changed your password.

Trying to generate a key with something "soft" like biometric data has been in research for decades. We might see something like this in the future - but as you point out, there are currently legal distinctions in some places between being forced to release a password and being forced to use a biometric.

If Passkeys in iCloud Keychain is based on a non-proprietary implementation of public-private key cryptography, I probably would be willing to store login information in the cloud for the first time.

Why? Because if the private key never leaves the device that generated it and if only your public key is stored in the cloud, the system will be more secure than most sign-in methods currently offered.

Company-level breaches, such as what happened at Yahoo, will be more difficult to pull off. Individual level attacks, such as SIM swapping and phishing, won't work. No, it's not perfect security of course–there's no such thing–but let's face it, we gotta move away from SMS, voice calls, emails, "secret" questions+answers, and personal facts from credit reports for authentication. All of those are ridiculously insecure in an age of social media, VOIP, and automated hacking.
Exactly, and it is indeed leveraging standards (from the javascript API to the message exchanges and use of standardized elliptic curves).

The big difference is that other implementations have considered the private keys completely private and bound to a single piece of hardware, while Apple has the ability to synchronize between hardware via iCloud. So while the Android implementation of this Web Authentication standard only turns your phone into an authenticator, this will synchronize the ability to log in locally across all of your devices just like a password manager.
 
might become tight for 1password
The reality is that 1P has been adding more features for IT/enterprise needs for a while, while living off that recurring individual/family subscription revenue. So I suspect they will double-down on business needs if consumer revenue starts to dwindle.

The problem with 1P and other password managers here is that while Apple is willing to add support for their password vaults to have the same integration options as Apple's built-in vault, these modern passwordless schemes are an entirely separate animal. Passwords are user managed and thus sites have to work around user error (like using the same password everywhere) by having password heuristics, requesting additional factors, risk monitoring systems, breach lists, etc.

These systems are being sold as a way to simplify and strengthen authentication and eliminate the need for all that extra infrastructure. In addition to public/private key cryptography, there are attestations that carry information about the implementation. Apple's implementation will be integrated into the secure enclave of a battle-hardened device. 1Password's implementation fundamentally would not have the same security guarantees because it is ultimately a pure software implementation using cloud synchronized vaults.

So while many sites would not care about the limitations of 1P, the sites which most need security (employers, banks, government, etc.) would reject the use of 1P's implementation. After all - your iPhone, Mac, Windows desktop, Android, etc. all have hardware-based implementations already integrated, and those _did_ pass the security review.
 