So how do I get into my Apple ID if all my Apple devices are lost/stolen/destroyed and/or I can’t get to them?
 
So if I'm selling my old iPhone, then buy a new one. How would I sign into my Apple ID/iCloud when setting up my new iPhone?

I know people are saying "well passwords are still supported, for now", but if that's the case, then passkeys can never really replace passwords since we'll always require them "in certain scenarios".

I guess I don't really understand the future vision of passkeys if they always require passwords as a fallback, maybe someone can explain?
 
Here's a question that is never answered anywhere:

Are Passkeys exactly like passwords in that they aren't inherently tied to a person? Because if not, get ready for a dystopian future where people can get banned and never be able to create a new account on the site they were banned from. Is it even possible to create multiple accounts on the same site using Passkeys?

Even tying it to a device or account (Apple account) would remove anonymity.
 
It shows a QR code, you scan the QR code on your phone, you get signed in.
It should be noted that it also needs a bluetooth connection, in order to prove proximity.

This is awesome, but is there a way to not have to use a passcode on iOS anymore to unlock your device?
Nope.

Is it more secure though?
Yup.

What am I missing here? Must be something important, because everyone is very excited about passcodes. Please explain how this is 'more secure'.
It's more secure because each passkey can only be used to log in at one site, and since it's using asymmetric crypto, can't be eavesdropped or similar.

In the meantime, I will continue to use separate passwords and non-email-address user names for all my apps, web sites etc.
Sure.. but most people don't bother with that, and it's also possible to slip up there.

Don't use apple keychain. Use a separate password manager - at least until Apple stops using an easily guessed PIN code to unlock the keychain.
If this is a concern for you, just use a longer device password.
 
So if I'm selling my old iPhone, then buy a new one. How would I sign into my Apple ID/iCloud when setting up my new iPhone?

I know people are saying "well passwords are still supported, for now", but if that's the case, then passkeys can never really replace passwords since we'll always require them "in certain scenarios".

I guess I don't really understand the future vision of passkeys if they always require passwords as a fallback, maybe someone can explain?
Assuming you have no other Apple devices, you sign in with your username and password, and as long as your phone service works, you can 2-factor confirm your identity over a text message from Apple.

Passkeys aren’t used for signing into Apple devices (Settings) themselves, this article says it’s on the web sign in, unless this changes and they give you the QR code option to scan, BUT there’s already a “scan a sphere to sign in” option, that does the same thing in a different way, presumably.

I don’t think anyone was saying passwords are 100% going to be replaced by passkeys. It’s just another sign in option, most websites will still have passwords even with passkeys available, and Apple specifically has other options for device sign in, trusted devices for instance, and the aforementioned ”sphere” sign in.

You always need some backup method, whether it’s a password, another device at home, USB key, etc.

Here's a question that is never answered anywhere: Are Passkeys exactly like passwords in that they aren't inherently tied to a person? Because if not, get ready for a dystopian future where people can get banned and never be able to create a new account on the site they were banned from. Is it even possible to create multiple accounts on the same site using Passkeys?
Passkeys are not inherently tied to a person. It’s a private key that resides on device, and the device authenticates the person accessing the passkey, but biometrics and passcodes can be changed, as long as there’s some authentication it works, but it’s not by itself a biometric, it just uses them if you use biometrics (you can use a passcode instead if you don’t use FaceID or TouchID).

You can create multiple accounts on the same site with a passkey. It just makes another passkey for your other account. You do have to specify which one to use when signing in.
 
Unfortunately on iOS, the backup to Face ID for the iPhone's Keychain or Passkeys is the iPhone's passcode. So anyone that has access to your phone and knows the passcode can use the phone's passcode to log in to iCloud or Apple ID with this feature.
Which should be no one…
 
People need to be taught to never use their PIN in public and if they absolutely must, then guard it like you do your bank card PIN.
If someone has my bank card PIN, and they use it, they'll probably end up in jail and whatever money they withdrew will usually be recovered. All of the places you can use the PIN are closely monitored by CCTV and the banks have well established partnerships with law enforcement.

If someone has my phone and PIN, they probably won't be caught and can do far more damage.
 
I never really understood the advantages of using Passkey over a regular password.
1) You don't ever type in your Passkey
2) Your private Passkey is stored on your device, not the site you're logging into
3) The website can get hacked and that never exposes your private Passkey
4) The Passkey isn't transmitted to the website when you log in
 
You already have options for a long PIN. As usual, it is the customer/user that is the problem.
You should not be using 4-digit PINs (except for ATMs of course).
Australian ATMs already allow for up to a 12-digit PIN and I have been using one myself for about 10 years.
4-digit PINs should be the ones phasing out.
 
Pretty sure they're not getting rid of passwords.
I just hate to see people yelling “get rid of password”, “disable passcode”, so on and so forth, as if nothing else would happen in their life or something.
 
I just hate to see people yelling “get rid of password”, “disable passcode”, so on and so forth, as if nothing else would happen in their life or something.

I get the sentiment of that kind of statement, passwords have their limitations and in my fantasy I am all passkey all the time and never phished and I get the best security possible on all apps (and no more 2-factor code stuff!) It’s not gonna happen for years and years though, and many websites still have passwords they just use it alongside passkeys so you can technically still be phished. Then again even if you had only a passkey and password-deleted account you can still downgrade an account to a password and get phished if someone social-engineered the daylights out of you.
 
I get the sentiment of that kind of statement, passwords have their limitations and in my fantasy I am all passkey all the time and never phished and I get the best security possible on all apps (and no more 2-factor code stuff!) It’s not gonna happen for years and years though, and many websites still have passwords they just use it alongside passkeys so you can technically still be phished. Then again even if you had only a passkey and password-deleted account you can still downgrade an account to a password and get phished if someone social-engineered the daylights out of you.
Yeah, we are ALWAYS the weakest link. Those tech companies have tried so hard to make techs as fool proof as possible, but with consideration of the lowest denominator, you don’t have much choice. I bet most users don’t even know what passkey means, let alone going out to buy them and use them. As long as we remain the weakest link, even the fanciest security tech won’t save an account being hacked.
 
Sounds like a very good idea, but what do you do to get support on a Windows machine? We will have to see exactly how it works. I don’t fancy copying 2048 bit cryptographic keys by hand though.
Don't worry, they'd be 256 bit private keys.

The passkey stuff is just a feature-set and renewed push for Web Authentication (WebAuthn), which came out in 2019. I imagine once you are signed in on windows you can just register a _different_ machine-specific passkey.

Advantage here is that the log in/register new passkey flow is automated on Apple devices.

Google also has a similar feature, where your Android phone will automatically create a passkey once you log into your Google account at the system level.
 
Is it more secure though?
<snip>

In terms of technology, it is far more secure than passwords in a password manager. It's phishing resistant, there's no secret people may share across sites a la password reuse, and the sites never see your real 'secret', so if they get hacked, there's significantly less useful information to use to compromise other sites. The phishing resistance may mean sites decide they don't need to do SMS/email challenge codes, which saves them money and you a bit of headache.

In terms of local compromise, it is the same as any other password vault. If someone steals your device and knows the secrets to unlock the vault, they can see/use/export your credentials. If the cloud account used to sync the vault is compromised and any secondary secrets needed to unlock the vault are known, they can do all that remotely as well.

From a site perspective, it is the same browser API used for interacting with something like a Yubico Security Key. So you don't need to necessarily use Apple or Google or 1Password's syncing software implementation. Some sites may change how they treat a USB/NFC key fob though, since they will need to have a way for you to recover access to the site if you lose it.
 
Ok, passkey, nice.
Except when it is unavailable. For example, one already points out the Windows PC login issue.
Windows supports passkeys. With Chrome on Windows, you can choose to log in with your phone; it will pop up a QR code, you scan it with your Android or iPhone, and you've logged in.

You can then register an _additional_ passkey that's from the Windows machine so you can log in via Windows Hello next time you come back.

Also, things happen. What would be the backup in case passkey is lost/destroyed? Will password still be available?
If the site is set up to let you log in with a password, yes.

If the site wants you to only sign in with passkeys, you'll go through an account recovery step. This would be like the 'forgot password' link today.

The passkeys are synced on iPhone exactly the same as the passwords work today with iCloud Keychain. So you would need to lose access to your iCloud account and to all your currently logged in devices.

Using passkey to replace password is like replacing a lock that can only have battery replaced from inside the room and no mechanical fallback, then battery dies One way while you are out.
Not really. I _only_ know my Mac, iPhone and watch local passwords/passcodes, and my AppleID account. I do not know any other passwords. Those are all autogenerated and saved by my password manager.

I used to use the same 6 and 8 character passwords on just about every site. Now every site with a password has a unique 15+ character password. Also, I can't easily get phished because the password manager just won't prompt based on a site "looking like" the real site - it has to be on the correct domain.

Passkeys are turning that 15+ character password into a cryptographic key pair. I won't be able to hit 'reveal' and see it, but it's already meaningless encoded nonsense to my eyes anyway as a generated password today.

But yes, if I lose my phone, my watch, my laptop, and I also manage to get locked out of my Apple account, I'm in trouble.

The interesting piece will be - how do they encourage people to remember their AppleID password, if they are eliminating so many excuses to ask the user to repeat it?

To me, a strong password is still the cornerstone of a secured Apple ID, and it cannot be replaced by Face ID, Touch ID, or passkey. Even after all these years, Apple still doesn’t completely ditch passcode or password just because biometric seems powerful and amazing, which I think is not a bad thing.

Biometrics are used as a user experience shortcut for reentering a passcode/password. The data of the biometric itself is unreadable until unlocked by the passcode. People need passcodes as a fallback if e.g. a hand injury prevents TouchID from working.

That's somewhat orthogonal when you use a password manager though: the same device passcode or biometric will be used to release a password or passkey.
 
So is a "passkey" basically just a client-side certificate?
Mostly just the private key, but there is other associated information such as which site it was meant for and what user name to display in the system UI when prompted to log in.

There's certainly parallels to a certificate chain during registration, where some authenticators will release attestations about the passkey (such as the manufacturer of the USB key fob you are using).
 
So if I'm selling my old iPhone, then buy a new one. How would I sign into my Apple ID/iCloud when setting up my new iPhone?

I know people are saying "well passwords are still supported, for now", but if that's the case, then passkeys can never really replace passwords since we'll always require them "in certain scenarios".
It is a good question. It is really going to depend on Apple's policy for setting up a new device.

For migrating from an old phone in your left hand to a new phone in your right hand, there's no reason you have to use an Apple username/password. They already are doing crazy secure handshake data transfers. So you would likely need to enter your old device's passcode as part of approving the transfer of accounts and secrets.

For migrating to a new phone from a LOST phone, without any other devices, you would likely go through one of the already existing recovery mechanisms. Hit up your recovery contact, go into the Apple Store, pull the recovery key you wrote down out of the safe.

I would expect that the vault that holds passkeys will have more complicated requirements for signing in than websites. That might mean you go through a multi-factor process, a recovery process, and yeah that it might include a recovery key or password.

I guess I don't really understand the future vision of passkeys if they always require passwords as a fallback, maybe someone can explain?
The thing that holds all your _other_ credentials is going to be more complicated. Some future Macrumors won't need that sort of complexity. They'll take passkeys, and fall back to email-based recovery.
 
I bet most users don’t even know what passkey means
The goal is just to build off of the user experience and common knowledge of what passwords are and how they work, particularly in the context of the password managers that browsers/platforms have been pushing people to use for nearly a decade.

Instead of the system generating you a strong, garbage-looking password when you register, it generates a passkey. When logging in, the option to fill in my user account may have an icon next to it, but otherwise I do whatever biometric/passcode/gesture is needed to release the credentials and I've logged in.

The goal is to have a user experience that you don't even have to explain to people. It works like how your password manager already works, but is more secure.

let alone going out to buy them and use them.
Passkeys are just data, same as passwords. You could use the system vault, a third party vault like 1Password or Dashlane, or buy a hardware security key from someone like Yubico or Feitian. I don't expect consumers to go buy the hardware - I expect companies to buy them for their employees (so they can get particular guarantees against things like cloud sync to non-work devices), and suspect certain classes of users like security professionals and journalists to use them.

As long as we remain the weakest link, even the fanciest security tech won’t save an account being hacked.
My big thing is to never blame the user. Things like anti-phishing corporate training/tests drive me crazy, because we've had technical solutions to solve phishing for years. https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
 