“more secure alternative to passwords” that is… a pretty loaded claim

useful, necessary, probably the future: sure. more dummy-proof, quite likely. more secure… hmmmmmmm… wellllll…
 
Ok, passkey, nice.
Except when it is unavailable. For example, one already points out Windows PC login issue.
Also, things happen. What would be the backup in case passkey is lost/destroyed? Will password still be available?
Using passkey to replace password is like replacing a lock that can only have battery replaced from inside the room and no mechanical fallback, then battery dies One way while you are out.
To me, a strong password is still the cornerstone of a secured Apple ID, and it cannot be replaced by Face ID, Touch ID, or passkey. Even after all these years, Apple still doesn’t completely ditch passcode or password just because biometric seems powerful and amazing, which I think is not a bad thing.
 
Sounds like a very good idea, but what do you do to get support on a Windows machine? We will have to see exactly how it works. I don’t fancy copying 2048 bit cryptographic keys by hand though.
iCloud password sync app should sort you out there
 
Do pass keys help solve the issue of your passcode being the key to your wallet/keychain? I’m fine with Touch ID and FaceID security but once someone lifts your passcode it’s game over.

I just want a guest PIN so people can get into my phone without access to the sensitive areas of the phone.
 
I don't get passcode, passphrases or any of this security stuff. It strikes me that having a single password for a device which allows access to all my apps, web sites, etc actually lowers security. If someone gets my device password and can log into my device, they then have access to everything.

What am I missing here? Must be something important, because everyone is very excited about passcodes. Please explain how this is 'more secure'.

In the meantime, I will continue to use separate passwords and non email address user names, for all my apps, web sites etc.
 
I hope that you can't use the iPhone PIN code to activate the passcode. Otherwise the shoulder surfing issue just got worse.
 
Do pass keys help solve the issue of your passcode being the key to your wallet/keychain? I’m fine with Touch ID and FaceID security but once someone lifts your passcode it’s game over.

I just want a guest PIN so people can get into my phone without access to the sensitive areas of the phone.
Don't use apple keychain. Use a separate password manager - at least until Apple stops using an easily guessed PIN code to unlock the keychain.
 
Ok, passkey, nice.
Except when it is unavailable. For example, one already points out Windows PC login issue.
Also, things happen. What would be the backup in case passkey is lost/destroyed? Will password still be available?
Using passkey to replace password is like replacing a lock that can only have battery replaced from inside the room and no mechanical fallback, then battery dies One way while you are out.
To me, a strong password is still the cornerstone of a secured Apple ID, and it cannot be replaced by Face ID, Touch ID, or passkey. Even after all these years, Apple still doesn’t completely ditch passcode or password just because biometric seems powerful and amazing, which I think is not a bad thing.
Pretty sure they're not getting rid of passwords.

Do pass keys help solve the issue of your passcode being the key to your wallet/keychain? I’m fine with Touch ID and FaceID security but once someone lifts your passcode it’s game over.

I just want a guest PIN so people can get into my phone without access to the sensitive areas of the phone.
Doesn't do anything to passcodes, meaning someone sees your passcode and steals your device it's the same problem as before.

We don't know how to really solve this issue without creating other issues, simply put. Like if you can't take your phone off your account without a USB security on your account, what happens if you move across the country and forgot your key for some reason, or lost it on the way? You have your devices but you can't do anything with your account now. Some people can live with this limitation, and some people can't, so it's hard to decide which way to go, and if we let people have the option then people might not understand the limitations of the system they went with.

Of course something should be done about the issue, just saying it's more complicated than just "Apple should do this once and for all!"

What am I missing here? Must be something important, because everyone is very excited about passcodes. Please explain how this is 'more secure'.
The way it's more secure is it's impossible to get phished, the tech simply doesn't allow it. A site could fake out Apple's site and your device will not allow any information to get into the fake site that could be used to log in to your account.

And that's passkeys, not passcodes, by the way. Passcodes are the PIN you enter to get into Apple devices. It doesn't affect passcodes to support passkeys, the issue is still there that people could "shoulder surf" and get into your device if they clearly see your passcode. Passcode security will take some careful consideration to fix, as I say above it's complicated, someone can still be negatively affected no matter what you do.

Passkeys are for online security, and not device security. They are basically equivalent to 2-factor in terms of security level, but only need to be supplied once.
 
Pretty sure they're not getting rid of passwords.


Doesn't do anything to passcodes, meaning someone sees your passcode and steals your device it's the same problem as before.

We don't know how to really solve this issue without creating other issues, simply put. Like if you can't take your phone off your account without a USB security on your account, what happens if you move across the country and forgot your key for some reason, or lost it on the way? You have your devices but you can't do anything with your account now. Some people can live with this limitation, and some people can't, so it's hard to decide which way to go, and if we let people have the option then people might not understand the limitations of the system they went with.

Of course something should be done about the issue, just saying it's more complicated than just "Apple should do this once and for all!"


The way it's more secure is it's impossible to get phished, the tech simply doesn't allow it. A site could fake out Apple's site and your device will not allow any information to get into the fake site that could be used to log in to your account.

And that's passkeys, not passcodes, by the way. Passcodes are the PIN you enter to get into Apple devices. It doesn't affect passcodes to support passkeys, the issue is still there that people could "shoulder surf" and get into your device if they clearly see your passcode. Passcode security will take some careful consideration to fix, as I say above it's complicated, someone can still be negatively affected no matter what you do.

Passkeys are for online security, and not device security. They are basically equivalent to 2-factor in terms of security level, but only need to be supplied once.
Good explanation. To (somewhat) solve the passcode thief issue, what if Apple provided people a toggle option to not let FaceID fallback to passcode? We can enable it if we want higher device security.
 
Good explanation. To (somewhat) solve the passcode thief issue, what if Apple provided people a toggle option to not let FaceID fallback to passcode? We can enable it if we want higher device security.
People turn off FaceID (using the passcode). If they made it use both it could cause problems, like maybe something about your face changed (I know it sounds stupid but if you shave or something or grow a mole it could screw up FaceID, and you should get that mole checked out, lol).
 
I don’t trust it, nothing apple ever does with passwords works as advertised. I have a lock with HomeKey, I tried to get into my house the other day. I have “express mode” turned on.
What is the “express mode” setting?
“Express Keys work automatically without requiring Face ID or your passcode and may be available when your iPhone needs to be charged.”

So I get to the door, wave my iPhone near the lock… what happens? Starts asking me for my full device password while I’m stuck standing there and holding everything unable to get into my house or even reasonably type on my phone.


Nice one Apple!
Buy a better lock? 😉
 
So what do you do if you decide to go away from iOS and need to log in to a site that was set up with a passkey while you were using your iPhone?
 
People turn off FaceID (using the passcode). If they made it use both it could cause problems, like maybe something about your face changed (I know it sounds stupid but if you shave or something or grow a mole it could screw up FaceID, and you should get that mole checked out, lol).
Hmm if in the rare case that FaceID fails, it could ask for the full AppleID password instead?
 
Good explanation. To (somewhat) solve the passcode thief issue, what if Apple provided people a toggle option to not let FaceID fallback to passcode? We can enable it if we want higher device security.

Why not just use a complex alphanumeric passcode? With TID and FID it’s not like you have to enter it very often (we use our AID as our device passcode, that way nobody forgets either one.)
 
Why not just use a complex alphanumeric passcode? With TID and FID it’s not like you have to enter it very often (we use our AID as our device passcode, that way nobody forgets either one.)
Agreed. I heard that at one point in the early days, Apple used to do it that way, but people complained because FaceID would fail and it would irritate people. But now FaceID has improved quite a bit and failure is rare.
 
What needs to be done is the Passkey and Keychain backup to Face-ID needs to be something else besides the phone's passcode, such as maybe the Apple ID password. But of course Apple also needs to stop allowing the Apple ID password being changed by the phone's passcode.
That doesn’t make any sense. Face ID and Touch ID are by definition ways to authenticate access to the device, and on that basis are analogous to the device passcode. That is why the fallback option for biometrics is the device passcode. At no point do you ever unlock your device with your Apple ID password (and if your Apple ID password were the fallback for Face ID or Touch ID, that’d be what the shoulder surfer would know and could therefore unlock the device).

What you need to do is prevent anyone from knowing what your device passcode is.
 
“more secure alternative to passwords” that is… a pretty loaded claim

useful, necessary, probably the future: sure. more dummy-proof, quite likely. more secure… hmmmmmmm… wellllll…
Passkeys are absolutely more secure than passwords. They are phishing proof, aren’t transmitted online and therefore can’t be hacked, and are an automatic form of 2FA as passkeys are something you have (the trusted device) and something you are or know (Face ID, Touch ID, passcode).
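
An added example, not part of any post in this thread: a simplified model of the WebAuthn sign-in check behind the "impossible to get phished" and "aren't transmitted online" points made above. The domains are constructed, the function names are hypothetical, and the credential scoping rule is reduced to a suffix match.

```javascript
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Registration: the device makes a key pair scoped to one relying-party ID.
// Only the public key is ever sent to the site.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Browser + authenticator side. The origin comes from the page the browser
// actually loaded, not from the page's script or from the user.
function getAssertion(passkey, browserOrigin, challenge) {
  const host = new URL(browserOrigin).hostname;
  // Simplified scoping (assumption): host must equal the RP ID or be a subdomain.
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  // rpIdHash (32 bytes) + flags (user present, user verified) + 4-byte counter
  const authenticatorData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05, 0, 0, 0, 0])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', signed, passkey.privateKey) };
}

// Relying-party side: every field is checked before the signature is trusted.
function verifyAssertion(a, publicKey, expected) {
  const cd = JSON.parse(a.clientDataJSON.toString());
  if (cd.type !== 'webauthn.get') return 'bad type';
  if (cd.challenge !== expected.challenge.toString('base64url')) return 'bad challenge';
  if (cd.origin !== expected.origin) return 'bad origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad rpIdHash';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: one real site, one lookalike, one sibling subdomain.
function demo() {
  const expected = { rpId: 'example.com', origin: 'https://login.example.com',
                     challenge: crypto.randomBytes(32) };
  const pk = createPasskey(expected.rpId);
  const good = getAssertion(pk, expected.origin, expected.challenge);
  const other = getAssertion(pk, 'https://shop.example.com', expected.challenge);
  const rewritten = { ...other, clientDataJSON: Buffer.from(
    other.clientDataJSON.toString().replace('shop.', 'login.')) };
  return {
    legit: verifyAssertion(good, pk.publicKey, expected),
    lookalike: getAssertion(pk, 'https://login.examp1e.com', expected.challenge),
    otherOrigin: verifyAssertion(other, pk.publicKey, expected),
    rewritten: verifyAssertion(rewritten, pk.publicKey, expected),
    replay: verifyAssertion(good, pk.publicKey, { ...expected, challenge: crypto.randomBytes(32) }),
  };
}
```

The lookalike domain never receives an assertion at all, and an assertion whose origin is edited after signing fails the signature check because the signature covers the hash of `clientDataJSON`.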
 