
macrumors bot
Original poster
Apr 12, 2001
65,217
33,488


Apple in iOS 16, iPadOS 16, tvOS 16, and macOS Ventura is introducing a new "Passkeys" feature that replaces traditional passwords when signing into a website or an app. Passkeys are more secure than passwords, and protect users from phishing, malware, and other attacks aimed at gaining account access.


According to Apple, Passkeys are next-generation credentials that are safer and easier to use than standard passwords. As Apple explains in a support document on the feature, Passkeys are built on the WebAuthn standard and use a unique cryptographic key pair for each website or account.

One key is public and stored on the website server, while the second key is private and kept on-device. On the iPhone and other devices with biometric authentication, Face ID or Touch ID is used to authorize the passkey to authenticate the user to the website. The keys must match to allow for a login, and because the second key is private and available only to the user, it cannot be stolen, leaked, or phished.

Passkeys rely on iCloud Keychain, which in turn requires two-factor authentication for further protection. Passkeys sync across all of a user's devices through iCloud Keychain, which is end-to-end encrypted with its own cryptographic keys.

Passkey synchronization across accounts provides redundancy in case an Apple device is lost, but should all of a person's Apple devices become lost and the passkeys along with them, Apple has implemented an iCloud Keychain escrow function to recover passkey information. There is a multi-step authentication process to go through to recover an iCloud Keychain with passkeys, or users can set up an account recovery contact.

Though Passkeys sound complicated on paper, in practice, it will be as simple as using Touch ID or Face ID to create a passkey to go along with a login.

Apple has been working with members of the FIDO Alliance, including Google and Microsoft, to ensure that passkeys can also be used with non-Apple devices and across platforms. On non-Apple devices, Passkeys will work through QR codes that will authenticate using the iPhone, but it will require support from other companies, so it's a standard that needs to be adopted across the tech world.


There are unknowns about what happens to passkeys when transitioning away from Apple to another platform like Android, as Apple has not detailed what would happen in this situation.

Apple says that transitioning away from passwords is going to take some time, but it will be working with developers to create a passwordless future.

Article Link: Apple Aiming to Replace Passwords With New Passkey Feature
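
The sign-in flow the article describes (public key on the server, private key on the device), shown as an added example that is not part of the original post or Apple's code. It is a simplified Node.js model of a WebAuthn assertion; `createPasskey`, `verifyAssertion` and the `example.com` / `examp1e.com` origins are constructed for illustration.

```javascript
// Simplified model of a passkey (WebAuthn) sign-in; real WebAuthn adds flags,
// a signature counter and CBOR/COSE encoding. All names here are illustrative.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device side: one key pair per site; the private key stays inside this closure.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return {
    publicKey, // the only part that is registered with the website
    // The browser, not the page, supplies the origin it is actually connected to.
    sign(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
      const authData = sha256(rpId); // stands in for authenticatorData (rpIdHash only)
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Server side: holds only the public key and the challenge it just issued.
function verifyAssertion(server, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== server.challenge.toString("base64url")) return "bad-challenge";
  if (client.origin !== server.origin) return "bad-origin";
  if (!assertion.authData.equals(sha256(server.rpId))) return "bad-rp-id";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, server.publicKey, assertion.signature)
    ? "ok" : "bad-signature";
}

// Constructed scenario: example.com is the real site, examp1e.com a look-alike.
function demo() {
  const passkey = createPasskey("example.com");
  const server = { rpId: "example.com", origin: "https://example.com",
                   publicKey: passkey.publicKey, challenge: crypto.randomBytes(32) };
  const genuine = passkey.sign(server.challenge, "https://example.com");
  // Signed while the user is on the look-alike page: the origin is part of the signed data.
  const lookalike = passkey.sign(server.challenge, "https://examp1e.com");
  // The same assertion presented again after the server has issued a new challenge.
  const later = { ...server, challenge: crypto.randomBytes(32) };
  // Client data swapped after signing: the signature no longer covers it.
  const swapped = { ...lookalike, clientDataJSON: genuine.clientDataJSON };
  return { genuine: verifyAssertion(server, genuine), phished: verifyAssertion(server, lookalike),
           replayed: verifyAssertion(later, genuine), forged: verifyAssertion(server, swapped) };
}

console.log(demo());
```

The server never stores anything secret: a leak of its database exposes public keys only, and each rejected case fails on a value the signature covers.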
 

NT1440

macrumors Pentium
May 18, 2008
15,078
22,121
> They will if some EU company objects.

This is all done under the FIDO alliance using their standards. There’s no way for that to happen as it’s an industry standard now. Microsoft, Google, and others are all in that alliance.

 

Shirasaki

macrumors P6
May 16, 2015
16,199
11,667
Nothing is perfect. I’m waiting for the gotchas. Web server needs to implement WebAuthn which is not a guarantee. Will they still support “fallback” password feature for quite a while?
 

jav6454

macrumors Core
Nov 14, 2007
22,303
6,262
1 Geostationary Tower Plaza
> This is all done under the FIDO alliance using their standards. There’s no way for that to happen as it’s an industry standard now. Microsoft, Google, and others are all in that alliance.

I agree, but this is the EU. Who we all know likes to set their own standards.
 

munpip214

macrumors 6502a
Feb 21, 2011
892
2,524
> I don't have to worry about my mom being Phished ever again

Unfortunately there are other ways to phish people without getting their passwords and they keep getting more sophisticated. If you haven’t watched Scammer Payback you should check it out.
 

Shin-Ra

macrumors regular
Jan 3, 2008
147
199
You’ll notice already in iOS 15, if you tap and hold the laptop image with an onscreen QR code or scan it with the camera app, limited Passkey functionality’s already available.



That specific QR code and FIDO link’s probably a deactivated sample. With a real sample, the web browser and your (Apple) device communicate over a secure Bluetooth connection to share the Passkey login.
 

BradWI

Suspended
Aug 29, 2011
262
2,109
> Passwords for websites will be required -for as long as you’re alive-.
> There’s hundreds of millions of websites and most assuredly, a large percentage of them aren’t going to change their log in procedure.
> Some will. A lot won’t.

Exactly. Like 2FA now, this may be implemented by 5-10% of the sites/apps/services you use. The rest will continue to use passwords.
 