I relied on iCloud Keychain, and have lost passwords. The worst instance was when I reset my Windows AD password, and when it sync'd to my Mac, it determined that the password I had used wasn't my current AD password, and deleted all of my credentials, which included my iCloud stored credentials. And then sync'd those credentials when I signed back in.

Not sure what the specific issue was for you but it's curious to me how often claims of the Mac platform's failures are coupled with connecting it to something Windows-related. Not saying anything in your case, but I have seen it a little too often not to wonder.
 
Slightly off topic, but I was really hoping we were going to see an increase in the storage in each of the tiers announced at WWDC. I'm upped to 200GB, but am pushing that nowadays. Always felt you should get a "free" 5GB for each active device you have rather than by account. So say you own two Macs, an iPhone, and two iPads. Your "free" tier should be 25GB, not 5GB.


They make more money on that free 5GB than on 25GB if you had 5 devices. They’re pushing the whole Apple ecosystem as a service. I’d bet soon enough they’ll have subscriptions for Macs and iPhones, just like you rent a car or an apartment. It’d be their biggest move and it’ll be very popular. People won’t own anything and they’ll be happy. ;)
 
I like the private/public key technology behind passkeys but I don't like Apple's implementation using iCloud. Hopefully this will be opened so that users can organize their keys without being locked into iCloud. I also would like to be able to use my password manager app to create and distribute these keys.
 
I have my doubts with this assessment. They seem to have a superior product and are hugely popular in the marketplace, and involved in these FIDO Alliance things too.

I do agree the 1P8 UI and design is great, though Bitwarden, also a member of the FIDO Alliance, offers similar security and privacy, plus they're open source and quite a well-audited piece of software. I think it's $10 per year, or you can choose to self-host it.
 
If it provides value, convenience, and security, not really sure why anyone would be upset with “lock-in”. Apple provides package solutions, that’s their thing, their ecosystem. I don’t understand why people seem surprised or upset when the components of the ecosystem are designed to work well within as opposed to outside. It’s not a matter of “fairness”, it’s a matter of “what type of arrangement do you want?” If you like fragmented, go elsewhere, that’s fine, there are great choices out there. If you want what Apple provides, go for it.
It's the "as opposed to outside" that's the issue. Why not both? Wherever possible they should be building on top of existing standards.

Wasn't that long ago you could use the messaging service of your choice in iChat, for example. Now it's evolved into Messages and we consider ourselves lucky it works with SMS. Not that Apple is the only culprit here -- every platform is closed and wants to lock you in. Net result, you get to hop between Messages, WhatsApp, Messenger... it's dumb and annoying and driven by "engagement" ($$$).
It sounds like you don’t like the solution Apple is offering. You should find one that makes you happy, there are many nice ones out there.

Do you really think it’s reasonable to tell every company they have to do everything the same way?

You are hoping for an unreasonable and uneconomical fantasy, sorry.

“I want everything I want and I want it to work always and no matter where I use it and can go to a totally different platform and there’s no inconvenience !!!”

Unreasonable expectations will lead to unhappiness.

EDIT: “I should be able to play my Xbox games on my PlayStation, this isn’t fair!!!!!!”
 
This is such a bad idea. Same as Apple sign in is a bad idea.

You should always possess and control your identity and credentials independent of any vendor or provider. Thus I will always use my domain-specific email address when registering for something. And I will always use passwords generated and stored in KeePass. Granted, I keep them in Keychain too.

This is to mitigate the risk exposure of my Apple ID being destroyed or locked intentionally or otherwise. I would instantly lose access to both my identity and all my credentials, which means more than just losing stuff I signed up for but my online banking, AWS, HMRC (tax), eBay seller account, mobile phone provider, internet provider, GitHub, credit file etc.

To put it bluntly with this dependency on passwordless in place I would be utterly and totally screwed and entirely at the mercy of one vendor.
It's really about trade-offs, IMO.

With any of the "password managers", you gain the security of it becoming practical to use hard-to-guess, unique passwords for all the sites you visit. That means if (when, really!) a site has a security breach, the hacker doesn't obtain anything very useful by getting your login/password info stored there. It was just some randomized password your password manager generated for it, or at least a unique one you made up just for that one site.

The weak spot for your password security becomes the master password for the manager. The good thing about traditional PW managers (Bitwarden, LastPass, 1Password and so on) is that master password isn't stored in the cloud anyplace. It only exists on your local machine. So even if the cloud service that contains your password vault is hacked, they can't do anything with your password data. But ... if anyone gets ahold of that master password via a keylogger secretly installed on your computer or what-not? Well - it's "game over" for you!

Schemes like Apple proposes here just change things around so you can use biometric data in place of a master password you type in. Since they say they will back up your data to iCloud though? That means technically, they either have your biometric info OR some kind of equivalent password hash that it translates into, now stored in the cloud. So you'd be trusting Apple to some extent not to ever access your password vault contents. And yes, someone compromising your iCloud login would seem to be as bad as someone getting their hands on your master password to log into traditional password vaults.
 
If Apple forces this on us I will switch to a PC.

I don't think Apple will force it but governments could, since some of them are members of the FIDO Alliance. Kinda Big Tech is opening the door for more of this stuff. With this kind of technology an abusive husband for example could access everything, bank, social media etc just by holding his wife’s phone to her face for authentication, hence the importance of a manual master password in combination with passkey.
 
Considering Touch ID doesn’t work for 10-15% of the American population, I guess this means Face ID has to come to the Mac and iPad.
Doesn't it? Why not?
What about Europeans? What about Aussies? What about Africans? (etc etc) Does it not work for 10-15% of those as well? Why not?
 
1Password will be forgotten soon. Not because of this FIDO stuff but because they chose to build an average app that has a lot of issues, from reading their Reddit support page. Plus they went subscription only and lost many loyal customers in the process.
I just unsubscribed to 1Password earlier this morning. They lost me when I could no longer store my password database on iCloud with version 8. Good riddance to them. Strongbox is better anyway.
 
Wow. Some people are just in love with their accounts being insecure. Windows is your best path for that anyway. 😂

sssh don't tell him but... Windows is going to have this too. 😂😂

With this kind of technology an abusive husband for example could access everything, bank, social media etc just by holding his wife’s phone to her face for authentication hence the importance of a manual master password in combination with passkey.

NOT IF THEY USE iOS 16 thankfully.

 
It's really about trade-offs, IMO.

With any of the "password managers", you gain the security of it becoming practical to use hard-to-guess, unique passwords for all the sites you visit. That means if (when, really!) a site has a security breach, the hacker doesn't obtain anything very useful by getting your login/password info stored there. It was just some randomized password your password manager generated for it, or at least a unique one you made up just for that one site.

The weak spot for your password security becomes the master password for the manager. The good thing about traditional PW managers (Bitwarden, LastPass, 1Password and so on) is that master password isn't stored in the cloud anyplace. It only exists on your local machine. So even if the cloud service that contains your password vault is hacked, they can't do anything with your password data. But ... if anyone gets ahold of that master password via a keylogger secretly installed on your computer or what-not? Well - it's "game over" for you!

Schemes like Apple proposes here just change things around so you can use biometric data in place of a master password you type in. Since they say they will back up your data to iCloud though? That means technically, they either have your biometric info OR some kind of equivalent password hash that it translates into, now stored in the cloud. So you'd be trusting Apple to some extent not to ever access your password vault contents. And yes, someone compromising your iCloud login would seem to be as bad as someone getting their hands on your master password to log into traditional password vaults.
If people want to be safe with Apple access, don't do iCloud backups. That way Apple won't have any key to open up items in your Cloud.

I bet most people don't realize that when they do a backup, that backup is creating a backdoor key for Apple, which Apple makes known, although a lot of people probably don't bother reading the security fine print from Apple.
 
At birth, inject babies with a lifetime coded RFID chip. (Apple circa 2084)
 
Can all this security be bypassed by simply entering in the 4 digit pin code that unlocks most people's iPhones?
 
They do have a lot of issues. The app itself has been in beta for a year or more now. It went from a native Mac app with 1P7 to an Electron app where you have to log in to every single 1P8 instance; before that you used to type your master password once, and the Mac app is unlocked as well as the 1P browser extensions. Now that's no longer possible. Correct me if I'm wrong.
I have 1Password 8 and I type my master password once and that’s it, just like 7. Both the desktop app and extension unlock at the same time. It’s also not in beta for macOS.

1P8 was released in beta in July of 2021 and it’s been out of beta for at least a month, maybe longer.
 
I have 1Password 8 and I type my master password once and that’s it, just like 7. Both the desktop app and extension unlock at the same time. It’s also not in beta for macOS.

Yeah - I'm not sure where all these bad reports about 1P are coming from

The subscription discussion is what it is -- but the product itself I find to be fantastic, on all platforms
 
No more 1Password for me if this looks to be secure.
I'm already migrating all my passwords back to Apple. 1Password has become a dumpster fire with every new update. The day they stopped making the app native to macOS was the day I started to move away. macOS is also on the back burner now and not a priority. Windows has had version 8 of 1Password for a very long time now. They don't care about the Mac, so I don't care to continue my business with them.
 