It's really about trade-offs, IMO.

With any of the "password managers", you gain the security of it becoming practical to use hard-to-guess, unique passwords for all the sites you visit. That means if (when, really!) a site has a security breach, the hacker doesn't obtain anything very useful by getting your login/password info stored there. It was just some randomized password your password manager generated for it, or at least a unique one you made up just for that one site.

The weak spot for your password security becomes the master password for the manager. The good thing about traditional PW managers (Bitwarden, LastPass, 1Password and so on) is that master password isn't stored in the cloud anyplace. It only exists on your local machine. So even if the cloud service that contains your password vault is hacked, they can't do anything with your password data. But ... if anyone gets ahold of that master password via a keylogger secretly installed on your computer or what-not? Well - it's "game over" for you!

Schemes like Apple proposes here just change things around so you can use biometric data in place of a master password you type in. Since they say they will back up your data to iCloud though? That means technically, they either have your biometric info OR some kind of equivalent password hash that it translates into, now stored in the cloud. So you'd be trusting Apple to some extent not to ever access your password vault contents. And yes, someone compromising your iCloud login would seem to be as bad as someone getting their hands on your master password to log into traditional password vaults.

You're right about the compromise but to entrust one vendor to manage access to your identity and credentials together is dangerous even if they are competent and the system is well-designed and validated.

It's roughly speaking opting your existence into a zero trust model where there is one trustee who is not you. This is fine where corporates own their data and control their employee reach but it must be considered that an individual owns their own reach. But Apple owns it here thus you are subordinate to Apple always.

This is one reason I don't use the hide my email feature as well. These are distributed tangible identities which are permanently tied to @icloud.com suffixed addresses.
 
I agree, but this is the EU. Who we all know likes to set their own standards.
Yea…
Exactly. Like 2FA now, this may be implemented by 5-10% of the sites/apps/services you use. The rest will continue to use passwords.
Until the platforms people build websites on incorporate them, then it’s basically free to implement when company X commissions someone to build their website. FIDO is a big deal, I think the adoption is going to be pretty quick all things considered (probably 3-5 years).
 
Yeah - I'm not sure where all these bad reports about 1P are coming from

The subscription discussion is what it is -- but the product itself I find to be fantastic, on all platforms
People will find anything to complain about. I actually like 1P8 and I didn’t want to like it. It’s night and day from beta to now, and I’m shocked how smooth it is.
 
Can all this security be bypassed by simply entering in the 4 digit pin code that unlocks most people's iPhones?
In my opinion, everyone that can should be using 6-digit pin codes. Even if someone had your phone, if that person were to try and go to a site or app that required Face ID or Touch ID to authenticate, they wouldn't be able to get past that wall, unless said person was an identical twin (which would raise the chances).
 
People will find anything to complain about. I actually like 1P8 and I didn’t want to like it. It’s night and day from beta to now, and I’m shocked how smooth it is.
They removed various settings for no reason. Such as the ability to have auto-fill just enter the text without loading the page. Depending on the website, auto-loading can be very obnoxious, especially with multiple accounts on the same website. People don't just complain about things arbitrarily ... and just because you don't understand the complaints, doesn't make them invalid. People have different use cases.
 
Can anyone explain how this will work if you're on a desktop (for example, signing in to your bank) and your keyboard doesn't have a fingerprint reader? Will Face ID be incorporated into the OS, or is there some clunky requirement to grab your phone and point it at some QR code? The explanation on the WWDC video whipped through this part so fast, I was totally confused.
 
Sign In with Apple was one of my long time favourite features. I couldn't wait to a) Delete all my Facebook Sign In accounts, even when it meant deleting a website account and starting anew with SIWA, and b) Not using passwords.

This takes it a big step further. I have yet to read in detail, but I'm assuming and hoping that PassKeys will have a transition for Sign In with Apple accounts?
 
Yea…

Until the platforms people build websites on incorporate them, then it’s basically free to implement when company X commissions someone to build their website. FIDO is a big deal, I think the adoption is going to be pretty quick all things considered (probably 3-5 years).

Probably not. Having spent the last decade or so managing identity providers, SAML, OpenID and all sorts of nasty hot garbage all I can tell you is the identity providers are the one group of companies you do not want managing your identity regardless of who they are or what protocol or standard they comply with.

I have yet to find one that hasn't done something which is utterly incompetent and dangerous and compromises the whole idea. Recently one of them, who I shall not name but who should more than know better, emailed a certificate private key to someone in non-password-protected plain text, revoked it, and lied to their client. Instead of telling the client they blamed the CA, to whom they subcontracted everything other than outsourced admin, after requesting that the CA add the private key to the CRL. I went a little balder that week.

I'm not even getting into the amount of SAML bypass flaws I've personally found...
 
Schemes like Apple proposes here just change things around so you can use biometric data in place of a master password you type in. Since they say they will back up your data to iCloud though? That means technically, they either have your biometric info OR some kind of equivalent password hash that it translates into, now stored in the cloud. So you'd be trusting Apple to some extent not to ever access your password vault contents. And yes, someone compromising your iCloud login would seem to be as bad as someone getting their hands on your master password to log into traditional password vaults.
No, Apple doesn’t store your biometrics, all biometrics are handled on-device. If you read how this works, it uses a device with the Secure Enclave to store the private keys (Secure Enclave is used for authenticating biometrics or passcode). Then, when you sign into another device with the same iCloud, they exchange another key on top of it, creating a chain that keeps the private keys private. It’s not going to move the keys to iCloud, it will keep keys on device, or use encrypted backups. And Apple’s document says that Apple employees won’t be able to access your keys. They will be encrypted away from Apple, your device still handles that layer. But if you need to recover your keys, you will supply your device passcode, your username and iCloud password, short of that you won’t be able to access on-device keys. Or you have a recovery key, which is highly recommended. A recovery key stored in a secure location means you can always get your iCloud account back.
 
People will find anything to complain about. I actually like 1P8 and I didn’t want to like it. It’s night and day from beta to now, and I’m shocked how smooth it is.

As if you're not complaining about people complaining. The irony. That aside, I am happy for you that you're satisfied with 1P8 and it's out of beta at last! I still dislike it.
 
If a website or app has been hacked or has a problem with its cert, will the passkey process recognize a problem and stop the process?
It can already figure out with TLS that a site is not what it says it is. If TLS gets broken it’ll probably not bother with the pass key for a site. This is elementary TLS security, and Safari will already warn you about broken TLS (Or with an app it would freeze up or crash or whatever).

If theoretically TLS is there let’s say, and the public key record isn’t there, then it can’t establish a trusted chain with the site. This can happen, like if their DB doesn’t have real backups. But then I guess your account is gone. Chances are they also lost other user data anyway. I don’t think the iPhone has its requisite public key stored so it can’t supply the key back to the server. But similarly, if they also lost the password hash table on the site, they would also have no ability to confirm who you are, the password hash is used for passwords like the public key is used for passkey.
 
It can already figure out with TLS that a site is not what it says it is. If TLS gets broken it’ll probably not bother with the pass key for a site. This is elementary TLS security, and Safari will already warn you about broken TLS (Or with an app it would freeze up or crash or whatever).

If theoretically TLS is there let’s say, and the public key record isn’t there, then it can’t establish a trusted chain with the site. This can happen, like if their DB doesn’t have real backups. But then I guess your account is gone. Chances are they also lost other user data anyway. I don’t think the iPhone has its requisite public key stored so it can’t supply the key back to the server. But similarly, if they also lost the password hash table on the site, they would also have no ability to confirm who you are, the password hash is used for passwords like the public key is used for passkey.
Thank you for taking the time to respond.
 
No more 1Password for me if this looks to be secure.

Sorta... from what I gather websites have to enable this functionality so until it becomes near universal there will always be a need for a central hub of passwords. I was hoping Apple would do something more with regular passwords this year and create a dedicated app that makes working with iCloud passwords easier but it seems they want to skip right to the future, as they often do. That likely means we have to deal with the inconveniences of keychain or keep using LastPass, 1Password etc. until 5+ years down the line where some future of the internet has decided what they want to use to replace passwords and designed nearly everything to support it...
 
Doesn't it? Why not?
What about Europeans? What about Aussies? What about Africans? (etc etc) Does it not work for 10-15% of those as well? Why not?

Some people - because of genetics, profession, age, etc - have very low fingerprint ridges. Personally, whenever I wash my hands/shower/do the dishes/go to bed for the night etc. Touch ID no longer works for me and I have to reset the stored fingerprint. I have tried every finger, on various iPhones/iPads over the years and, nope, it just doesn’t work for my body.

This is something that surely impacts the global population, but all the studies I came across were done in the USA. So I have no idea if say 90% or 1% of people in Asia, Africa, Australia etc. are similarly impacted and I don’t want to give out false numbers.

Currently it is easy to bypass Touch ID with a passcode (or Face ID). But it sounds like Passkey requires biometric input, which could pose a significant problem to many people if the only input on a Mac is Touch ID.
 
Currently it is easy to bypass Touch ID with a passcode (or Face ID). But it sounds like Passkey required biometric input, which could pose a significant problem to a significant number of people if the only input on a Mac is Touch ID.
I don’t think they’ll require biometrics, they’re just saying people will (often) use biometrics to authenticate on-device. If you use passcode only you’re not supposed to have a degraded experience. Like my iPad Pro’s FaceID actually broke and it’s entirely disabled, but I get all the same capabilities using the device passcode.

Certainly the secure enclave is not supposed to discriminate against people not using biometrics.
 