This! ^^^

All, day, long... this...

I would always want my password manager to be separate from Apple
It's a product that should really be a completely standalone paid (in some way) service folks are using.
I read a story a few years ago about this journalist who got totally and irrevocably locked out of his Apple ID. If I remember correctly a hacker talked some support person into giving him access and the journalist lost all his stuff. He couldn't even use his Apple devices because they were all locked. Obviously he should have had more stuff backed up, no question, but it was still chilling to consider.

What stuck with me was just how much of our tech is absolutely out of our control. Sure, we've all got 2FA turned on and all that, but it's not hard to imagine a situation where a company (Apple, Google, whoever) locks you out of your account for some reason and you're just cut off from your entire life.

Anyway, all that is to say it would make me pretty uneasy to put all the keys for logging into every website into that same Apple ID basket. As it is now, I have a viable recovery strategy in that (admittedly not likely) event. I could get my hands on another machine, log into 1Password and get back into my bank, my cell phone provider, my non-iCloud email accounts, etc.
 
A lot of assumptions with no data backing them up. EU citizens have voted for the politicians, the parties, coalitions and heads of state supporting the gatekeeping clause used in the DMA. It has nothing to do with “open OS” or standards. It’s anti-competition law.

The EU treats companies the same. It’s almost like you seriously believe the EU never sues or drags big EU firms to court or implements the same standards for everyone.

The EU does not accept any ******** from any company. Just because you’re big doesn’t give you some new rights, only more obligations.
No assumptions, just looking at past EU behavior. Granted, some companies have warranted such regulation. Any agenda can be wrapped around "anti-competition" laws. It would be unwise not to see that. No, the EU doesn't care to listen to any other company except EU ones.
 
I dislike this, in the U.S. you can’t be compelled to give your passwords as protected by the fifth amendment. Biometrics are not protected though.

This would open the door to warrantless searches by law enforcement agencies without constitutional restrictions.

Sorry, I would like to opt out of this “future”
 
So with iCloud even more Lock-in to Apple ecosystem.

No thanks, I'll keep my password, thanks, which I know works on any platform.
Good points. Will passkeys be transferable to other platforms or will this create vendor lock in? Hopefully passkey storage is opened up to third party services like Bitwarden so there isn't vendor lock in.
 
I love this, except for big tech ignoring Steve Gibson's SQRL, which sounds superior to me. Very similar, but better in that SQRL stores nothing on the servers you're visiting. The keys are formed with the website's URL.
Yeah, this is a step in the right direction, but SQRL is definitely better. The big problem I see with Passkey is the potential for vendor lock-in if you aren't allowed to migrate your passkeys from Microsoft, Google, or Apple. I really wish SQRL would take off, but without a big tech company behind it I don't see it ever happening.

I think Steve did a good job explaining Passkeys in episodes 870 and 874 of Security Now.


More on SQRL if anyone is interested

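The per-site key derivation the two SQRL posts above describe, as an added illustration that is not code from this thread or from the SQRL project: the client derives an Ed25519 pair from a master key and the site's domain, the relying party stores only the public key, and a challenge signed for one domain does not verify at another. The master key and domain names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed demo secret; a real identity master key is random and never leaves the client.
var masterKey = []byte("constructed-demo-master-key-not-for-real-use")

// siteKeyPair derives the per-site Ed25519 pair as HMAC-SHA256(master, domain), the way SQRL
// forms site keys: one domain always yields the same pair, different domains yield unrelated ones.
func siteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // a 32-byte MAC is exactly ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

// signedMessage binds the challenge to the domain the client believes it is talking to.
func signedMessage(challenge []byte, domain string) []byte {
	return append(append([]byte{}, challenge...), domain...)
}

// site models a relying party: it stores only public keys, never a user secret.
type site struct {
	domain string
	users  map[string]ed25519.PublicKey // keyed by the raw public key bytes
}

func newSite(domain string) *site { return &site{domain: domain, users: map[string]ed25519.PublicKey{}} }
func (s *site) register(pub ed25519.PublicKey) { s.users[string(pub)] = pub }
func (s *site) challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand cannot fail on supported platforms
	return c
}

// verify accepts only a signature by a registered key over this site's own domain.
func (s *site) verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	stored, ok := s.users[string(pub)]
	return ok && ed25519.Verify(stored, signedMessage(challenge, s.domain), sig)
}

// login is the client side: derive the site key and sign the challenge for the domain it sees.
func login(master []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKeyPair(master, domain)
	return pub, ed25519.Sign(priv, signedMessage(challenge, domain))
}
```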
 
You can definitely remove them; however:
1. Why am I getting multiple entries
2. You only know they are there when you find them or run into an issue and find them
I have one problem duplicate - but I suspect the contact actually started life on a Galaxy S2 many years ago!
 
I have to read more about this. I'm not at all sure about the "lost all electronic devices" scenario. What must you do to regain access to Keychain when you don't have access to your personal key? Currently, when you can't validate a sign-in to iCloud Keychain (can't provide the passcode for a previous device) the entire keychain has to be wiped before enabling iCloud Keychain again.
They determined decades ago that losing access to all digital gadgets is a non-risk factor. So there will be no consideration of such a scenario, which is why I held off Apple 2FA for 4 years before being forced to enroll.
 
Yeah, but to be fair - who's ever heard of anyone's house burning down, or even someone being robbed of phone, tablet AND laptop at the same time? It only happens all the time...
 
But it does happen, and it’s not low chance enough to ignore, even though the fallback idea itself has its own flaws. One thing I hate is when the unfortunate happens and I lose access to my own stuff for situations beyond my control.
 
Right... I see my sarcasm wasn't quite obvious enough...
 
I dislike this, in the U.S. you can’t be compelled to give your passwords as protected by the fifth amendment. Biometrics are not protected though.

This would open the door to warrantless searches by law enforcement agencies without constitutional restrictions.

Sorry, I would like to opt out of this “future”
It should let you use a passcode for passkey. It doesn't need biometrics because in all other Apple features they never block you out from using a feature if you rely on passcodes instead of setting up biometrics.

If you do want to use biometrics, press the power key 5 times or press and hold power and volume up. The phone will lock out biometrics (and Watch unlock). Do this before any search.
 
So even if somebody loses all his Apple devices, Apple still has a copy of the passkeys on their servers? Could they in theory give those passkeys to the FBI if they are forced to by one of those "secret courts"? If they can recover those passkeys without any private key that is stored on my devices, would they technically still need the user to give his permission to do that?

Also if Apple really works with the Fido Alliance, why do you still need an iPhone to use Passkey on a Windows or Android device? Doesn't that go against the principles of the Fido alliance?
Apple isn't keeping the passkeys in the clear on their servers. It's on the device, then the device syncs with other devices you've signed in with another key (which keeps anyone from impersonating a device, etc). This is according to their support document. But they have device backups that, described below, can recover the keys but it's programmed not to allow brute force attacks, and they use an escrow process for recovery, using device passcodes to prevent anyone, even Apple, from recovering the data.

You need an iPhone because this is an Apple feature, and currently they don't say if they will be able to send keys to non-Apple devices, just that with your iPhone available you can get other devices signed in on the web. I think in the coming years they should announce a key transfer service with partners that will commit to protecting the keys as well.

Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple.

iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user's keychain is encrypted using a strong passcode, and the escrow service provides a copy of the keychain only if a strict set of conditions is met.

To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.

Optionally, a user can set up an account recovery contact to make sure that they always have access to their account, even if they forget their Apple ID password or device passcode.

By the way it's not a secret court, we actually know all about them. Look up FISA court, and national security letters on Wikipedia. Their proceedings are secret (we can't get FISA court records). But we know about it. They actually can't force Apple to change their code or practices, that isn't part of the law currently, what they can do is get Apple to surrender information they have in the clear on a user. The information being encrypted by the user means Apple doesn't have anything but cipher data to give. The whole debate about encryption is about forcing companies to not be allowed to encrypt user data away from themselves. And governments all over want to change their laws to force this.
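A small model of the escrow behaviour the support document quoted above describes, added here and not Apple's code: the escrow holder keeps only ciphertext wrapped under a passcode-derived key plus a 10-attempt budget, so the correct passcode recovers the keychain key while the tenth wrong guess destroys the record. It models only the attempt limit and destruction, not the intermediate lock and call to support, and a salted SHA-256 stands in for a real slow KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrDestroyed = errors.New("escrow record destroyed") // final state: nothing left to recover

// escrowRecord is all the escrow service holds: ciphertext and a failure budget, never the passcode.
type escrowRecord struct {
	salt, nonce, wrapped []byte
	attemptsLeft         int
}

// gcmFor derives the wrapping key from the passcode; a salted SHA-256 stands in for a real slow KDF.
func gcmFor(passcode string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(passcode), salt...))
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// escrow seals the keychain key under the passcode with AES-256-GCM and grants 10 attempts.
func escrow(keychainKey []byte, passcode string) *escrowRecord {
	r := &escrowRecord{salt: make([]byte, 16), nonce: make([]byte, 12), attemptsLeft: 10}
	rand.Read(r.salt) // crypto/rand cannot fail on supported platforms
	rand.Read(r.nonce)
	r.wrapped = gcmFor(passcode, r.salt).Seal(nil, r.nonce, keychainKey, nil)
	return r
}

// recoverKey returns the keychain key for the right passcode; a wrong one costs an attempt,
// and the tenth failure wipes the ciphertext, which is what makes guessing pointless.
func (r *escrowRecord) recoverKey(passcode string) ([]byte, error) {
	if r.wrapped == nil {
		return nil, ErrDestroyed
	}
	key, err := gcmFor(passcode, r.salt).Open(nil, r.nonce, r.wrapped, nil)
	if err == nil {
		return key, nil
	}
	if r.attemptsLeft--; r.attemptsLeft == 0 {
		r.wrapped = nil // destroyed: even the correct passcode can no longer recover it
		return nil, ErrDestroyed
	}
	return nil, errors.New("wrong passcode")
}
```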
 


You need an iPhone because this is an Apple feature, and currently they don't say if they will be able to send keys to non-Apple devices, just that with your iPhone available you can get other devices signed in on the web. I think in the coming years they should announce a key transfer service with partners that will commit to protecting the keys as well.

If true this would be a no-go for me from the start. I do not live in an Apple world. They are one of many OS’s I use daily.
If this can be made to work across OS’s .. that would be a benny.
 
I relied on iCloud keychain, and have lost passwords. The worst instance was when I reset my Windows AD password, and when it sync'd to my Mac, it determined that the password I had used wasn't my current AD password, and deleted all of my credentials, which included my iCloud stored credentials. And then sync'd those credentials when I signed back in.
I disagree!
 
How can you disagree with his personal experience as stated? You weren't there to see his problems. People have lost iCloud Keychain passwords before. He isn't the only one. Your reply makes no sense.
That has happened multiple times to me. Losing some saved passwords when cross-syncing between my Mac, iPhone and iPad, which I didn’t discover until months later when a saved website no longer existed in the keychain. Extremely frustrating, and I don’t know what’s triggering it.
 