As long as you can remove those security keys just with an iPhone and its unlock code, I can't take them seriously.

It's like having a big heavy door for your house, but the walls are made of paper.
 
1) You don't ever type in your Passkey
2) Your private Passkey is stored on your device, not the site you're logging into
3) The website can get hacked and that never exposes your private Passkey
4) The Passkey isn't transmitted to the website when you log in
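As an added illustration (not from any poster in this thread, and not Apple's implementation), a simplified Go model of the challenge-response behind points 2 to 4: the site stores only a public key, the device signs a one-time challenge bound to the site's identifier, and the private key is never sent. The names Passkey, Site, Register, Sign and Verify and the rpID values are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Simplified model of the passkey (WebAuthn) challenge-response flow written for this thread;
// not Apple's or any vendor's code. A Passkey lives on the device: one private key bound to one site.
type Passkey struct {
	rpID string // the site this key was created for
	priv *ecdsa.PrivateKey
}
// Site is the relying party. It stores only public keys, so a breach leaks nothing usable to log in.
type Site struct {
	rpID string
	pubs map[string]*ecdsa.PublicKey // username -> registered public key
}
// Register creates a fresh key pair on the device and hands the site only the public half.
func Register(s *Site, user string) *Passkey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if s.pubs == nil {
		s.pubs = map[string]*ecdsa.PublicKey{}
	}
	s.pubs[user] = &priv.PublicKey
	return &Passkey{rpID: s.rpID, priv: priv}
}
// message binds the one-time challenge to the rpID, so a response is useless at another site or against a later challenge.
func message(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}
// Sign answers a login challenge. Only the signature leaves the device, never the key.
func (p *Passkey) Sign(challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, message(p.rpID, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}
// Verify checks a response against the public key registered for user at this site.
func (s *Site) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, message(s.rpID, challenge), sig)
}
```

A response captured in transit verifies only at the site it was made for and only for that challenge, which is why eavesdropping on it or breaching the site's stored keys gains nothing.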

So let's say my Passkey is my iPhone. What happens if I lose it or it gets stolen?
 
Passkey is 2FA as it’s something you have (the authorised device with the passkey) and something you are (Face ID or Touch ID) or something you know (device passcode).

Oh, so the website needs to support Passkeys? If they don't, we're stuck with the old login + 2FA method?
 
It should be noted that it also needs a Bluetooth connection in order to prove proximity.


Nope.


Yup.


It's more secure because each passkey can only be used to log in at one site, and since it's using asymmetric crypto, can't be eavesdropped or similar.


Sure... but most people don't bother with that, and it's also possible to slip up there.


If this is a concern for you, just use a longer device password.
Then what's the point? The whole idea is to eliminate passwords.
 
Again I repeat; it’s designed to *replace* your Apple ID password. Why is a passcode still necessary?
The Apple ID password is still there, and it's used outside of the web sign-in. Maybe it "replaces" the password in the long term, but it's not 100% there yet.

Also, passcode != password. The passcode will still exist for individual devices and will be required to use the device fully, and we don't really know if biometrics will replace passcodes. It may be a little dangerous to try to rely 100% on biometrics: companies are worrying about law enforcement (they can't make you put in a passcode but can make you biometrically authenticate) and about criminal gangs that might be able to 3D scan your face (just wear a headset that looks like the Vision Pro; with a similar camera array it can build a 3D model of your face, they just have to walk around you, then 3D print the model, then use the face model to get into your phone), so at the very least the phone can lock out biometrics if it thinks it's stolen (it knows it's somewhere it's never been). But someone can also see you put your passcode in or record it with said headset.
 
Solution to that? Require a passcode only when you manually lock the phone. You can do this by squeezing the volume-up and power buttons together.
 
Passkeys are great, but personally, I'll stay away from using Apple Passkeys due to the fact that their implementation of authentication in iOS falls back to the Passcode after 3 failed biometric attempts.

We all know that we shouldn't be using the same password for different services, but with Apple's implementation of Passkeys, if a malicious actor has your phone and your passcode, now they can authenticate into the apps/services which you have configured to use your iOS passkeys, too.
(That is in addition to what they could already do: sign you out of your other Apple devices and lock you out of your Apple ID account.)
Essentially, it's as if the Passcode is a password that you use for everything.

I'll wait until 1Password releases their version with support for Passkeys, which will probably have a more secure implementation than Apple's.
I would only use Apple passkeys if they make it possible to disable the fall back to the Passcode.
 
Why not just use a complex alphanumeric passcode? With TID and FID, it's not like you have to enter it very often (we use our AID as our device passcode; that way nobody forgets either one).
This is the best approach, for now at least.

If someone can reset your Apple ID password if they spy your PIN passcode, then make your passcode your alphanumeric Apple ID password. It's a lot harder to spy on, and if they happen to see it, then your Apple ID password would've been compromised anyway.

Ultimately, the solution could be to set up a password reset hierarchy. Your Mac at home would have the capability to reset your Apple ID and override your iPhone as long as you know one of the old passwords from say within the last 48 hours. You could set up a physical passkey as the top of the hierarchy so that if you don’t have a Mac or it was stolen/lost along with the iPhone, you’d have this USB key in the bank or a safe or someone around the house.
 
Unfortunately, on iOS the backup to Face ID for the iPhone's Keychain or Passkeys is the iPhone's passcode. So anyone who has access to your phone and knows the passcode can use the phone's passcode to log in to iCloud or Apple ID with this feature.
That’s no different than the current design if you have your Apple ID saved.
 