iOS 18 and macOS Sequoia Let Websites and Apps Automatically Update Existing Logins to Passkeys

[MacRumors]

With the new Passwords app in iOS 18, iPadOS 18, and macOS Sequoia, there's a feature that is designed to allow websites and apps to upgrade existing accounts to passkeys automatically.

Enabled by default, the feature will speed up the adoption of passkeys, which are more secure than a traditional login and password. Passkeys log you in with Face ID or Touch ID rather than a password, and because on-device authentication is required, passkeys put a stop to online attacks like phishing. There's no password to steal or authentication code that can be intercepted.

Several popular websites and services have implemented Passkey support since Apple started using passkeys in 2022, including Twitter, Google, WhatsApp, TikTok, PayPal, Best Buy, Microsoft, PlayStation, and eBay.

Passkeys are supported in the new Passwords app that's available in iOS 18, iPadOS 18, macOS Sequoia, and Windows PCs through iCloud for Windows.


Article Link: iOS 18 and macOS Sequoia Let Websites and Apps Automatically Update Existing Logins to Passkeys

 

[LightProtector]

This is nice, but I hope it's a prompt that asks. I would really like it to not automatically do something without my consent.

I also wonder how this works? Seems like a good feature nonetheless.

 

[SpotOnT]

Not a fan of passkeys. They tie you to a specific piece of hardware…which is probably why Apple likes them so much.

I have been in numerous situations where I had to check email/airline accounts/etc from a different device.

 

[macduke]

If you are robbed and lose access to all of your Apple devices, how do you login to your insurance provider to file a claim? How do login to anything with only passkeys and no device? Genuinely curious. Can I login to iCloud and use that on a new device or from the web? I’ve been hesitant to upgrade.

 

[Tofupunch]

If you are robbed and lose access to all of your Apple devices, how do you login to your insurance provider to file a claim? How do login to anything with only passkeys and no device? Genuinely curious. Can I login to iCloud and use that on a new device or from the web? I’ve been hesitant to upgrade.

I've wondered the same thing. Granted, I haven't really researched passkeys all that much...yet.

 

[Eminemdrdre00]

If you are robbed and lose access to all of your Apple devices, how do you login to your insurance provider to file a claim? How do login to anything with only passkeys and no device? Genuinely curious. Can I login to iCloud and use that on a new device or from the web? I’ve been hesitant to upgrade.

They are sync'd with iCloud. So you can log into a new device with your Apple ID and then your passkeys will be available.

 

[diskrisk]

Not a fan of passkeys. They tie you to a specific piece of hardware…which is probably why Apple likes them so much.

They don't. Passkeys can theoretically be shared (1Password is working to allow this) and multiple passkeys can be generated attached to the same account.

 

[macduke]

They are sync'd with iCloud. So you can log into a new device with your Apple ID and then your passkeys will be available.

Question: If you login to a new Apple device after all of your devices are stolen, on what device do you receive a code to login to the new device? Seems like that could be a problem as well, and certainly someone has encountered that already. Not likely to happen, but I like to be prepared and knowledgeable for worst case scenarios.

 

[ApAx]

They are sync'd with iCloud. So you can log into a new device with your Apple ID and then your passkeys will be available.

I’m in trouble then because I rely on iCloud Keychain to sign into anything with my Apple ID

 

[jaytv111]

If you are robbed and lose access to all of your Apple devices, how do you login to your insurance provider to file a claim? How do login to anything with only passkeys and no device? Genuinely curious. Can I login to iCloud and use that on a new device or from the web? I’ve been hesitant to upgrade.

Passwords and Passkeys sync with iCloud. You can get into iCloud again. Even without any Apple devices. If you set a recovery key you would need that, if you didn’t they would let you in after a timeout period.

Question: If you login to a new Apple device after all of your devices are stolen, on what device do you receive a code to login to the new device? Seems like that could be a problem as well, and certainly someone has encountered that already. Not likely to happen, but I like to be prepared and knowledgeable for worst case scenarios.

You need a login method, and usually it would be good enough to get your SIM card transferred from your carrier to your new device. That’s how you would get login codes (Text message).

 

[DCIFRTHS]

They don't. Passkeys can theoretically be shared (1Password is working to allow this) and multiple passkeys can be generated attached to the same account.

Is this already in beta?

Edit: I see they have a beta that works through the browser. Is it available in their dedicated apps too?

 

[macduke]

Passwords and Passkeys sync with iCloud. You can get into iCloud again. Even without any Apple devices. If you set a recovery key you would need that, if you didn’t they would let you in after a timeout period.


You need a login method, and usually it would be good enough to get your SIM card transferred from your carrier to your new device. That’s how you would get login codes (Text message).

I thought the new method only uses codes sent via Apple with the map? So it still falls back to SMS? I thought that was less secure.

So where do I store my recovery key if not in a password app? Or is that the thing you store on a USB stick? I’ve been thinking about getting a bank vault lock box to store some important papers in such as our will and our car and home titles. Maybe I will make one of these USB keys after I set that up and before the Passwords app launches this autumn. I’m starting to feel like an old man with all this new technology crap I have to deal with. I guess I am quickly approaching 40, lol.

 

[Craiger]

Where is this setting?

 

[Eminemdrdre00]

I’m in trouble then because I rely on iCloud Keychain to sign into anything with my Apple ID

Yeah that's not good. Your Apple ID is the only password you need to know. The rest can be super secure and impossible to remember.

 

[Eminemdrdre00]

Question: If you login to a new Apple device after all of your devices are stolen, on what device do you receive a code to login to the new device? Seems like that could be a problem as well, and certainly someone has encountered that already. Not likely to happen, but I like to be prepared and knowledgeable for worst case scenarios.

I think they send you a text message with a code if you don't have a device.

 

[jaytv111]

I thought the new method only uses codes sent via Apple with the map? So it still falls back to SMS? I thought that was less secure.

I don’t know what you mean by map, but SMS is always the fallback if you don’t have any other Apple devices signed in. The setting is your trusted phone number(s) on your account (you can even have more numbers if you need).

If you had Apple devices it would automatically send login codes to them, but you can elect to send a code to your trusted number. It’s “secure enough”, in the sense that SMS goes to where the number is registered. But if someone can access your texts (ie they take your SIM card out and you have no SIM PIN) then they can get into your account. So just make sure you got SIM PIN and you transfer your SIM in a reasonable amount of time, or use eSIM which can’t be removed from the device.

So where do I store my recovery key if not in a password app? Or is that the thing you store on a USB stick? I’ve been thinking about getting a bank vault lock box to store some important papers in such as our will and our car and home titles. Maybe I will make one of these USB keys after I set that up and before the Passwords app launches this autumn. I’m starting to feel like an old man with all this new technology crap I have to deal with. I guess I am quickly approaching 40, lol.

Your recovery key has to be written down. They tell you to do that.

You can alternatively use USB devices, but you do need at least 2. Neat thing is they can have NFC too so you can tap it to an iPhone as well as plug in USB.

 

[ebika]

Question: If you login to a new Apple device after all of your devices are stolen, on what device do you receive a code to login to the new device? Seems like that could be a problem as well, and certainly someone has encountered that already. Not likely to happen, but I like to be prepared and knowledgeable for worst case scenarios.

I think you might be going pretty far down the edge case route, but I agree with being prepared. I use layered options, like a list of one-time recovery keys for my google accounts, a pair of physical security keys (one in the safe, one with me) for AppleID, and fallback to using password for a lot of the accounts. Filing a claim if all your devices were stolen can happen in person or over the phone too.

In general, I advocate for passkeys because passwords represent millions in ATO (account takeover) and support costs for companies, let alone the aggravation and vector for other attacks of having your account taken. I have firsthand knowledge of these millions of dollars in fraudulent transactions at my company due to people creating crappy passwords, reusing passwords involved in breaches, and phishing attacks. Passkeys are by no means perfect, but they significantly shrink the risks. While on-device passkeys seems safest, I prefer trusting some sync provider like Apple to replicate the passkeys (balancing risk of single point of failure with necessary redundancy).

 

[bevel]

This is going to be seen as forced adoption and there is going to be pushback against it

Look at all the confusion in these comments about how passkeys work. A password is easy to understand. Passkeys are the unknown. This will make them difficult to defend

I am not sure what Apple has done is the best idea here. It is at least going to polarise a bunch of people against them

 

[ebika]

This is going to be seen as forced adoption and there is going to be pushback against it

Look at all the confusion in these comments about how passkeys work. A password is easy to understand. Passkeys are the unknown. This will make them difficult to defend

I am not sure what Apple has done is the best idea here. It is at least going to polarise a bunch of people against them

I sort of understand what you mean, but the toggle for it means it's not forced, right? I think Apple can make the description under the toggle more clear that upgrading to passkey doesn't remove the ability to use password. I would hope that would allay some of the FUD scaring some folks away from the better technology.

 

[owidhh]

Look at all the confusion in these comments about how passkeys work. A password is easy to understand. Passkeys are the unknown. This will make them difficult to defend

I've seen plenty of confusion about passwords and usernames and multi-factor authentication as well. The advantage of passwords is they've been around longer and are somewhat more familiar, while passkeys are new and being shoved at people and they have no idea what's going on.

Hopefully this will all shake out and we'll end up somewhere more secure for everyone in the long run.

 

[Jim Lahey]

Enabled by default + automatic 'upgrade' = forced Passkeys for a lot of users who get caught unawares. What a nasty little company Apple has become.

 

[matsan]

Did 1Password and the like just got Sherlocked? If iOS automatically upgrades sites to use Passkeys, will 1Password be notified? Using 1Password to sync across iOS, Apples and PCs.

 

[FFabian]

How do I use Passkeys on a Mac without the Apple Keyboard with Fingerprint sensor? Type in a password? I can autofill passwords with one click. How are passkeys easier to use than this? This isn’t snarky, plz explain because I don’t see the benefits.

 

[Jim Lahey]

I assume this won't work for those who still choose not to use iCloud Keychain? Or is that going to be enforced now as well?

 

[matsan]

How do I use Passkeys on a Mac without the Apple Keyboard with Fingerprint sensor? Type in a password? I can autofill passwords with one click. How are passkeys easier to use than this? This isn’t snarky, plz explain because I don’t see the benefits.

Works pretty well for me. You can test here https://www.passkeys.io/