No parts of iOS can work only with biometrics, because what they do is wrap other key material while the device is on, subject to various purge policies (such as with too many failed attempts, in some cases). In order to work again after that, the key material (such as the device passcode) needs to be entered.
I don’t know what to say… this is exactly how I have the Bitwarden app configured today. The passwords in the Bitwarden vault can only be accessed via Face ID. When there are too many failed attempts, it prompts for the Bitwarden Master password. The iPhone passcode cannot be used to access the vault, ever. This is precisely why I have switched to storing banking and other critical passwords in Bitwarden as opposed to iCloud Keychain.
 

Doesn't seem to work for me, created the Passkey, can see it in the Google account and in the Apple Keychain but when you sign in to Google you just get the usual username/password box. On my iPad after signing in I'm asked to set up a Passkey, if I say yes it says one's already created!

Where in the Apple Keychain is it? I've created a passkey on my Mac, but when I go to Apple Passwords and search for 'passkey,' nothing is found.
 
Doesn't seem to work for me, created the Passkey, can see it in the Google account and in the Apple Keychain but when you sign in to Google you just get the usual username/password box. On my iPad after signing in I'm asked to set up a Passkey, if I say yes it says one's already created!

Have you tried enabling the setting for "Skip password when possible"? (Disclaimer: unsure if this link will take you directly to that option.)


Where in the Apple Keychain is it? I've created a passkey on my Mac, but when I go to Apple Passwords and search for 'passkey,' nothing is found.

Is it stored under the entry for Google?
 
So with Passkeys, you always need to have access to your verified phone/device to scan the QR code and log in.
What do you do when you don't have access to that device like on travel or it's broken?
 
Doesn't seem to work for me, created the Passkey, can see it in the Google account and in the Apple Keychain but when you sign in to Google you just get the usual username/password box. On my iPad after signing in I'm asked to set up a Passkey, if I say yes it says one's already created!
I had the same issue when I created the passkey on my Mac. I deleted that passkey (both in the keychain and in my google account) and started over with a passkey created on my iPhone. That new passkey works on my Mac, iPad, and iPhone.
 
What other sites support passkeys? All I find is a Dec 2022 list... probably hasn't changed much.
 
It may be more convenient, but is Face ID access really more secure than a password+2FA? It’s easy to think of scenarios that defeat fingerprint or Face ID.
Yes, they also have to take your phone. Things like SMS are vulnerable to number porting hacks, and are still vulnerable to active phishing attacks.

The big difference is that passkeys are way, way harder to phish, and if some site gets the password database dump it doesn't buy the attackers anything useful - not only can they not bridge that to try to log into other websites, it won't even let them log into the same site.
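
Added example, not part of the original post: a simplified sketch in Node.js of why a look-alike site or a dump of the site's credential database gets an attacker nothing with passkeys. It is not the real WebAuthn wire format; the function names and the `example.test` domains are made up for illustration.

```javascript
// Added illustration: a simplified WebAuthn-style flow, not the real wire format.
const crypto = require('node:crypto');

// Registration: the key pair is made on the user's device; the site keeps only the public key.
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { rpId, privateKey },      // stays on the device / synced keychain
    serverRecord: { rpId, publicKey }, // all a database dump would contain
  };
}

// Browser + authenticator: the browser supplies the origin it is really on, and the
// authenticator only offers a credential when that origin belongs to its rpId.
function signIn(device, browserOrigin, challenge) {
  const host = new URL(browserOrigin).hostname;
  if (host !== device.rpId && !host.endsWith('.' + device.rpId)) return null;
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site: accept only a fresh challenge, its own origin, and a valid signature.
function verify(serverRecord, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const cd = JSON.parse(assertion.clientData);
  if (cd.type !== 'webauthn.get' || cd.challenge !== expectedChallenge) return false;
  if (cd.origin !== expectedOrigin) return false;
  const data = Buffer.from(assertion.clientData);
  return crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature);
}

function demo() {
  const origin = 'https://accounts.example.test'; // constructed sample values
  const lookalike = 'https://accounts.example-login.test';
  const newChallenge = () => crypto.randomBytes(32).toString('hex');
  const { device, serverRecord } = register('example.test');
  const challenge = newChallenge();
  const good = signIn(device, origin, challenge);
  // Someone holding only the dumped public key has to sign with a key of their own.
  const outsider = register('example.test').device;
  return {
    legitimate: verify(serverRecord, origin, challenge, good),
    lookalikeSite: verify(serverRecord, origin, challenge, signIn(device, lookalike, challenge)),
    replayed: verify(serverRecord, origin, newChallenge(), good),
    keyFromDump: verify(serverRecord, origin, challenge, signIn(outsider, origin, challenge)),
  };
}

console.log(demo());
```

Only the first case verifies; with a password, all four would have succeeded for whoever knew the secret.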
 
Right? Why are so few websites supporting this stuff? Everyone should be all over this by now....
It's still new, and larger sites have a lot of investment in a certain way of doing things. In some cases they feel passkeys can only replace the password, not their other steps in authentication - so it isn't worth them supporting yet.
 
So will this work with something like 1Password too?
1Password has announced they plan to support this. Android has a beta system to let you enable potentially multiple systems for storing passkeys. On iOS they should feasibly be able to support it using a Web Extension until Apple hypothetically announces something.
 
That was just an example off the top of my head. But even if they get your info, passwords are still a goldmine, because a lot of people use the same password on multiple sites. So an attacker with your email and password may try it on other popular sites, and there's a high chance it'll work (for a larger percentage of audience).
You have to wonder what percentage of people use their corporate email and corporate password on LinkedIn.
 
Which specific key to buy for using passkey?
Apple platforms, Android, and Windows Hello are all usable here with their built-in support. Something like a Yubikey or other FIDO-certified security key should work as well (although not under Safari)
 
The danger of using iCloud to store your passwords and passkeys due to Apple's security design flaw they refuse to fix. Best to use a 3rd party password manager.
What security design flaw in iCloud is that?
 
I don’t know what to say… this is exactly how I have the Bitwarden app configured today. The passwords in the Bitwarden vault can only be accessed via Face ID. When there are too many failed attempts, it prompts for the Bitwarden Master password. The iPhone passcode cannot be used to access the vault, ever. This is precisely why I have switched to storing banking and other critical passwords in Bitwarden as opposed to iCloud Keychain.

The original poster is correct. Face ID will still require a passcode after 48 hours or after the iPhone restarts. The poster was not saying it would fall back to a passcode.

I think you are confusing the way biometric security works on iOS with the way Bitwarden works which is a layer on top of Apple’s biometric security.
 
The danger of using iCloud to store your passwords and passkeys due to Apple's security design flaw they refuse to fix. Best to use a 3rd party password manager.

There is no security design flaw. Third party password managers can still make sense for better cross-platform support or for enterprise/business features.

LastPass on the other hand had been hacked many times due to poor security practices within their company.
 
There is no security design flaw. Third party password managers can still make sense for better cross-platform support or for enterprise/business features.

Yes, it's a security design flaw that Apple allows Keychain access by the phone's passcode. The Keychain should be better protected. It should have the option to be protected by a user defined password or biometrics. Apple's own Notes App has better protection than the Keychain. It allows notes to be locked by a user defined password.
 
It's still new, and larger sites have a lot of investment in a certain way of doing things. In some cases they feel passkeys can only replace the password, not their other steps in authentication - so it isn't worth them supporting yet.
Yes - I accept that. But also, if that's the case, it will not necessarily be an impediment to adoption. I suppose the question I'm asking is at what level does a technical barrier become a genuine blocker, or remain just an excuse. A groundswell of support is needed on this, to make it really happen.
 