Why? I don’t agree really.

I don’t use it, I use keepass/strongbox. But sometimes I’m at a loss for some obscure credentials I made years and years and years ago, and there they are, still sat in iCloud Keychain.
I relied on iCloud Keychain, and have lost passwords. The worst instance was when I reset my Windows AD password, and when it sync'd to my Mac, it determined that the password I had used wasn't my current AD password, and deleted all of my credentials, which included my iCloud stored credentials. And then it sync'd those credentials when I signed back in.
 
Exactly. Like 2FA now, this may be implemented by 5-10% of the sites/apps/services you use. The rest will continue to use passwords.
But that’s ok as long as there are pushes like this to normalise secure password creation and storage. Every little helps, and at least it seems they’re making strides to work with others on something more open than the normal Apple MO of completely proprietary.
 
This WWDC 22 video’s aimed at developers but shows the process of creating a Passkey for an existing account, logging in with a Passkey on Apple devices with iCloud Keychain sync and logging into a Windows laptop with Google Chrome using the QR code method.


You can also play around with the account creation and login flow with this website: https://webauthn.io/
 
I wonder how this will work out?
Easy, you're just signing something (aka a challenge) with a private key to prove that it's you. It's really nothing more than a standard protocol, and it's even older than passwords themselves. By signing something with your private key, you're giving proof to the other party that you're who you're claiming to be without revealing your private key (aka long-ass 128/256-bit password) to them. Transferring from device -> device (iPhone -> Android phone, for example) is nothing more than transferring your private keys.
 
Passwords for websites will be required -for as long as you’re alive-.
There’s hundreds of millions of websites and most assuredly, a large percentage of them aren’t going to change their log in procedure.
Some will. A lot won’t.

Look where you are. Do you recall opinions of NFC payments before and then after Apple Pay:
  • Before: "who needs that?", "problem in search of a solution", "my plastic works everywhere", etc
  • After: "I refuse to buy anything that doesn't accept ApplePay", "Let's boycott any stores that won't take ApplePay", etc.
Now extrapolate...

You know it's coming. ;)
 
Exactly. Like 2FA now, this may be implemented by 5-10% of the sites/apps/services you use. The rest will continue to use passwords.

Two-factor is an additional step that makes logins more cumbersome, and difficult for non-tech-savvy people to understand/set up/adopt. I’ve even seen techies forgo 2FA because they found the extra step annoying. Services had little incentive to implement something the majority of users wouldn’t bother with. It was merely a stopgap transition measure while waiting for a real solution.

Passkeys, on the other hand, make logins transparent and frictionless (at least on your own devices—but the process is simple enough for the platform to hold your hand). It may take a while, but I’d be surprised if WebAuthn didn’t end up completely replacing passwords. There is real incentive for services to devote resources for implementing this.
 
How did Apple even get Windows 11 to install on this thing from 2006. 😄

 
This is one of those things that the big name companies will support, but the rest of the web will take somewhere between 10 years and ... never ... to implement.

We couldn't even get banks to implement yubikey/hardware type auth for a decade+.
 
Considering Touch ID doesn’t work for 10-15% of the American population, I guess this means Face ID has to come to the Mac and iPad.
 
Knowing about Pegasus, I don't know if I can trust Apple devices as a WebAuthn authenticator. Better off with something like a YubiKey.
 
Nothing is perfect. I'm waiting for the gotchas. The web server needs to implement WebAuthn, which is not a guarantee. Will they still support a "fallback" password feature for quite a while?
I'd expect there would be no fallback password as it completely undermines this security method. Fallback password gets phished...

Consider how Apple implemented the conversion to 2FA. No chance of resetting password with email or security questions once 2FA is in effect.

I think adoption will be faster and more widespread than some folks think. I'd expect that once the banks/credit card companies are on board they'll begin requiring that e-commerce logins be secured in this manner. That will pull a lot of other sites along.

I have to read more about this. I'm not at all sure about the "lost all electronic devices" scenario. What must you do to regain access to Keychain when you don't have access to your personal key? Currently, when you can't validate a sign-in to iCloud Keychain (can't provide the passcode for a previous device) the entire keychain has to be wiped before enabling iCloud Keychain again.
 
This is interesting, and the FIDO design is compelling. The one question I haven't heard clearly answered is 'how do you recover if you lose *all* your devices?'

Most strong authentication systems break down when they fall back to a flimsier solution.
 
You can already log in to your bank using this method; it's all standard protocols. Logging in at the moment happens with a security key like a YubiKey. This will just make your phone act as that security key (aka your phone will hold your private key).
 