That has happened multiple times to me. Losing some saved passwords when cross syncing between my Mac, iPhone and iPad, that I didn’t discover until months later that a website saved no longer exists in the keychain. Extremely frustrating and I don’t know what’s triggering it.

Ran into that this morning with Pinterest. Went to my Android to get it.
Also crazy is when you find numerous duplicates in keychain up to and including your Apple id / iCloud login.
 
I love this, except for big tech ignoring Steve Gibson's SQRL which sounds superior to me. Very similar, but better in that SQRL stores nothing on the servers you're visiting. The keys are formed with the website's URL.
Not sure if you listened to this week's Security Now podcast but Steve indicated that it might actually be possible to adapt SQRL to work with passkeys in the future.


So I suspect that the biggest effect of Apple’s, Google’s and Microsoft’s support may be to induce websites to bring up their own support for WebAuthn.
...
Let’s talk a bit about WebAuthn. The heavy lift that FIDO will face and the SQRL would have faced, was the need for backend web server support.
...
The adoption of WebAuthn, which was approved and formalized by the W3C consortium three years ago, back in 2019, represents a massive and long needed update to username and password authentication. As I mentioned last week, FIDO and SQRL work essentially the same: They both give a web server a public key. The web server generates a random nonce which it sends to the browser. The browser, holding the matching private key, signs and returns that nonce to the web server, and the web server uses the public key it has on file to verify the returned signature. What WebAuthn is and does is provide all of the mechanics, definitions, protocols, specifications and implementations of that new form of interchange between a web server and a web client.
...
But WebAuthn is the key. It provides a complete replacement for the insecure mess of usernames and passwords. And, interestingly, WebAuthn optionally supports SQRL’s chosen 25519 elliptic curve, with its special properties that allow for non-random deterministic private key synthesis. So it might be possible, someday in the future, to transparently run a modified SQRL solution to use SQRL-style deterministic passkeys on the server infrastructure that FIDO built.
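The exchange described in the transcript above (server holds a public key, sends a random nonce, client signs it, server verifies), as an added example that is not part of the thread or of any project's code. It is a simplified model in Node.js, not the WebAuthn wire format; the HMAC-of-domain key derivation is an assumed stand-in for SQRL-style deterministic keys, and `Server`, `siteKeyPair`, `signChallenge` and the sample names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// DER header that wraps a raw 32-byte Ed25519 seed as PKCS#8 (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Assumption (simplified SQRL-style idea): per-site key = HMAC(master secret, domain).
function siteKeyPair(masterSecret, domain) {
  const seed = nodeCrypto.createHmac('sha256', masterSecret).update(domain).digest();
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Hypothetical server: stores only public keys plus the nonce it last issued.
class Server {
  constructor() { this.users = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.users.set(user, publicKey); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const publicKey = this.users.get(user);
    this.pending.delete(user); // single use: a replayed signature finds no nonce
    if (!nonce || !publicKey) return false;
    return nodeCrypto.verify(null, nonce, publicKey, signature);
  }
}

// Client: sign the server's nonce with the private key.
function signChallenge(privateKey, nonce) {
  return nodeCrypto.sign(null, nonce, privateKey);
}

function demo() {
  const master = Buffer.alloc(32, 7); // constructed sample secret
  const server = new Server();
  const key = siteKeyPair(master, 'example.com');
  server.register('alice', key.publicKey);
  const sig = signChallenge(key.privateKey, server.challenge('alice'));
  const first = server.verify('alice', sig);  // valid login
  const replay = server.verify('alice', sig); // same signature again, nonce consumed
  server.challenge('alice');
  const stale = server.verify('alice', sig);  // old signature against a fresh nonce
  const other = siteKeyPair(master, 'example.org');
  const wrongSite = server.verify('alice', signChallenge(other.privateKey, server.challenge('alice')));
  return { first, replay, stale, wrongSite };
}
```

Only the first verification succeeds: a captured signature is useless once its nonce is consumed, and a key derived for a different domain does not verify against the registered public key.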
 
Maybe I will look at this from Apple in a year or so.
I don’t have enough faith in Apple’s ability to execute this out of the gate without a major oops or two.

Then again, not sure about Google either.
 
Looks like Sign In With Apple was the precursor for Passkeys. From the way it's engineered, I believe that all Sign In With Apple supported sites and apps will also work with Passkeys from the get go. Others that didn't give in to Sign In With Apple will likely join since Passkeys is endorsed by Google and Microsoft via the FIDO Alliance.

I've created a new wiki thread for Passkeys supported sites and apps. If you've found apps and sites that support Passkeys, please edit the Wiki.
 
I have a Mac Mini. I’ve read you either need a device with Touch ID or a camera. So how does this really work or what do I need hardware wise?
 
Good question! Probably using a webcam on your display
I have a similar problem: can't update to Ventura. How is it going to work on my old Mac? Passkey only on iPad and iPhone, SQRL on Mac? SQRL = SecureQR Login
 
All iCloud devices you sign in get synced Passkeys. Any Mac or PC just displays a QR code if you don’t have your Passkey on device, you scan the QR code on your phone, they communicate and the browser gets signed in.
 
Does anyone know whether the current password feature will remain available? Wouldn’t Passkey - by using TouchID - allow a malicious person to force a log-in by placing a sleeping or unconscious person’s finger on the screen, for example? Or a mugger physically forcing a victim's hand onto the screen? Current law typically prevents someone from divulging a password without a court-order. Not so with physically forcing someone to touch a screen. Unless password use is still allowed, this seems like a major step towards increased insecurity.
 
Yes, passwords are still available and will remain available, and you can always choose to use passwords and not use Passkeys, it's up to you.

Many people use password autofill on their devices. So whether it's password via autofill, or passkey, it's still the same idea, you get it when you have access to the device.

If you just remember your passwords, chances are your password security is actually pretty bad. You should read up on how to make sure your passwords are strong, but generally if you: reuse passwords, use a low-complexity password, use a variation of an old password, etc, all that and more are bad for security.

However, a Passkey can't be any better or worse than any other Passkey. So there are never weak Passkeys like there are passwords, they are always strong.

That's the essential difference for security, you no longer have people using "password1234" as their password, which is abysmal for security.

As for the court orders, remember that your online accounts are still subpoena-able by court order as well. If you use major services: email, social media, etc, they will have your data in clear text and a court can subpoena the provider and get everything regardless of what you do. So stop freaking out about passwords vs Passkey because that doesn't matter when they just go to the online providers of the world and get your data straight from them.

And for things on your phone, simple little trick for you: press the power button 5 times and it locks out biometrics. You can't be compelled to enter your device passcode. So that's all you need to do, power button 5 times, do it in your pocket.
 