Has anyone actually found where that screenshot is from? The new Passwords app on my iPhone doesn't seem to have any options and I can't see anything left in the Settings app. I'm guessing it's meant to be somewhere in the app, given that it's in the Passwords app settings in Sequoia. (And yes, I know it's beta...)
 
That is your view and of course you're entitled to hold it and make your own decisions. But I'm not here to discuss the merits or pitfalls of Passkeys. My only point is that in doing this, Apple will be de facto forcing Passkeys onto unsuspecting users. Many of whom will have already made their own informed choice not to use them. Apple doesn't, rather shouldn't, get to decide how I choose to handle my own web logins. It's none of their business.
Are you sure your “only point” is in fact a valid case?
My interpretation so far is that passkeys are “automatically” implemented, not automatically accepted. So if you go to a website, you may get a prompt to “upgrade” to a passkey, and if you accept, it will automatically “install” the upgrade.

Where are you seeing that this transition will happen without user input? I’ve only read the transcript, not seen the video, so maybe there is an image that implies this?
 
How do I use Passkeys on a Mac without the Apple Keyboard with Fingerprint sensor? Type in a password? I can autofill passwords with one click. How are passkeys easier to use than this? This isn’t snarky, plz explain because I don’t see the benefits.

That's me. You can put in your Admin password to use it in that case, you can also authorize through your phone or watch. No autofill available there at all. You can also use a physical key - the USB keys (some of which also have NFC that's nice for phones) you may have seen people mention such as yubikey. Even if you're using things like the strong password generators iCloud Keychain, Bitwarden, 1password, etc have, these are safer in the long run as those can still be exposed.
 
Did 1Password and the like just get Sherlocked? If iOS automatically upgrades sites to use Passkeys, will 1Password be notified? Using 1Password to sync across iOS, Apples and PCs.
Probably not. Remember Sherlocking is the idea that Apple took the features of another app and incorporated it. You could argue the Passwords app is Sherlocking 1Password and Bitwarden, but for many of us, we prefer 1P or BW.

It is an open question how (or if) this feature will work with other password managers. I am assuming that Apple will incorporate some APIs. They already allow alternate password managers to be primary for both passwords and passkeys. I can see that they will provide vendors API calls for this feature as well.

If not (or maybe even if they did), I would just turn the feature off. I want control on my security. Apple does not need to be my nanny.
 
What I want to know is who has access to my passkeys. It seems a little murky.

Also I don't use iCloud, or store anything in the cloud that I don't control the encryption keys.

It seems to me that passkeys are just a good way for the government to have access to everything. Feel free to prove me wrong.
 
They don't. Passkeys can theoretically be shared (1Password is working to allow this) and multiple passkeys can be generated attached to the same account.

Sure, but this all has to be preplanned.

Let's say I am traveling internationally, I have an unexpected layover in a country where my device does not work (or my device gets stolen, or whatever), how do I login on someone else's device?

I can’t, unless I could have seen into the future and known what hotel, computer cafe, etc I would be using.
 
This is nice, but I hope it's a prompt that asks. I would really like it to not automatically do something without my consent.

I also wonder how this works? Seems like a good feature nonetheless.
Although a prompt is certainly reasonable, you’re giving your consent if you have the automatic updates in the first place, I guess. It IS odd that it’s on by default, though, meaning you never gave original consent. I wonder if that will change. I think it should be opt-in.

Also, it seems to say that the passwords are unaffected, so does that mean you can still log into those sites/services with a password if you choose, in lieu of the passkey?

(Edited because I made it seem that the feature is opt-in, while it’s on by default)
 
I’m going to suggest you learn a bit more before making statements that read as uninformed and/or silly.

Here is but ONE solution.

If you have additional gaps in knowledge after checking out that link, I’d further suggest stating that gap in the form of a question.

Oh dear. The condescension is strong with this one. As is the lack of imagination…or maybe it is lack of lived experiences?

But if you like questions: I am traveling internationally. My phone gets stolen. I need to login to my email to get my flight information, contact my husband and tell him to lock my phone, etc.

How do I log into my email account at the hotel, local internet Cafe, etc.?

I can’t login to iCloud as that requires 2FA. I can’t login into my airlines account or email account because the passkeys are stored on my iCloud account.

Oh dear, what is a simple girl like me to do!? Please advise!
 
That is your view and of course you're entitled to hold it and make your own decisions. But I'm not here to discuss the merits or pitfalls of Passkeys. My only point is that in doing this, Apple will be de facto forcing Passkeys onto unsuspecting users. Many of whom will have already made their own informed choice not to use them. Apple doesn't, rather shouldn't, get to decide how I choose to handle my own web logins. It's none of their business.

That’s why there’s a toggle for people like you. The vast majority of people aren’t using passkeys not through some informed choice, but because they have no knowledge or understanding.
 
Not a fan of passkeys. They tie you to a specific piece of hardware…which is probably why Apple likes them so much.

I have been in numerous situations where I had to check email/airline accounts/etc from a different device.
Actually, passkeys don’t require a specific device to work. They’re designed to be super convenient, allowing you to log in to your accounts using biometrics or a PIN. It’s really about the software and operating system being up to date enough to handle them. Both iOS and Android devices can use passkeys as long as you’re running a relatively recent version of the OS.
 
Oh dear. The condescension is strong with this one. As is the lack of imagination…or maybe it is lack of lived experiences?

But if you like questions: I am traveling internationally. My phone gets stolen. I need to login to my email to get my flight information, contact my husband and tell him to lock my phone, etc.

How do I log into my email account at the hotel, local internet Cafe, etc.?

I can’t login to iCloud as that requires 2FA. I can’t login into my airlines account or email account because the passkeys are stored on my iCloud account.

Oh dear, what is a simple girl like me to do!? Please advise!

I know I know! You need to travel with a backup laptop and a backup yubikey or whatever's in fashion now.

And rent two rooms at different hotels and store your yubikey in the safe of the room you're not using!
 
Sure, but this all has to be preplanned.

Let's say I am traveling internationally, I have an unexpected layover in a country where my device does not work (or my device gets stolen, or whatever), how do I login on someone else's device?

I can’t, unless I could have seen into the future and known what hotel, computer cafe, etc I would be using.
Passkeys have backup methods; for example, Google allows you to revert to traditional login methods.
 


With the new Passwords app in iOS 18, iPadOS 18, and macOS Sequoia, there's a feature that is designed to allow websites and apps to upgrade existing accounts to passkeys automatically.


Enabled by default, the feature will speed up the adoption of passkeys, which are more secure than a traditional login and password. Passkeys log you in with Face ID or Touch ID rather than a password, and because on-device authentication is required, passkeys put a stop to online attacks like phishing. There's no password to steal or authentication code that can be intercepted.


I see a problem with this "feature". It's enabled by default according to the article, and that toggle is set to allow automatic upgrades from passwords to passkeys. It then requires FaceID or TouchID. I don't use either of these biometrics, just like a lot of other folks. I could see upgrading to iOS18 only to be forced to add a biometric, because it will do the passkey conversion during the update and only notify the user after it's complete. Imagine finishing the update and then no longer being able to skip the FaceID/TouchID step.

I distrust cloud services, so I don't use any iCloud feature in iOS and never have, except for Mail. But if I log out of my iCloud account in Settings, and then log back in, every single service will be turned on. I also have to go to my Settings periodically to make sure those unused iCloud features stay turned off, especially after iOS updates. I have no idea how much data Apple - or Apple "partners" - has gathered from me because of this.

Because of this, I ask: how can you trust that Apple will not force biometrics on the minority of customers who have so far resisted such intrusions, using the passkey feature as a cattle prod?
 
Actually, passkeys don’t require a specific device to work. They’re designed to be super convenient, allowing you to log in to your accounts using biometrics or a PIN. It’s really about the software and operating system being up to date enough to handle them. Both iOS and Android devices can use passkeys as long as you’re running a relatively recent version of the OS.
Yes, but they still cause lock-in at the moment. Let's say I allow all my accounts to be automatically converted to passkeys on the iCloud keychain.

How do I save those passkeys to a disk for backup purposes? How do I move them away from iCloud if I decide to switch to Android? How do I log into those accounts on a Windows desktop PC (without bluetooth)?

Passwords can be saved and used for all three easily.
 
Not a fan of passkeys. They tie you to a specific piece of hardware…which is probably why Apple likes them so much.

I have been in numerous situations where I had to check email/airline accounts/etc from a different device.
Not just hardware, but platform as well. You have a lot of passkeys, have fun switching over to Android.
 
So what's the point of passkeys when they can always be overridden? Inconvenience?
Each time a passkey is used it means the password isn't used, so it reduces the times phishing might be successful, a keylogger on a public machine could work, or some bad design of a website authentication sends the password in a way that could be intercepted (rare).

Yes, but they still cause lock-in at the moment. Let's say I allow all my accounts to be automatically converted to passkeys on the iCloud keychain.

How do I save those passkeys to a disk for backup purposes? How do I move them away from iCloud if I decide to switch to Android? How do I log into those accounts on a Windows desktop PC (without bluetooth)?

Passwords can be saved and used for all three easily.
I guess it's sort of lock-in, but more that switching is just annoying. Anyone can always choose to not use passkey syncing and have the keys exist only on the devices. You can have more than one passkey per account, so you could have it on your phone and PC separately. If you choose to change sync providers (or never used syncing to begin), it would mean deleting all the old passkeys and creating new ones.
 
I'm not ready to move to passkeys just yet. I feel like it relies too heavily on a piece of hardware, making that device so critical to my digital safety and security. I guess at the end of the day 1pwd is that single fatal flaw to my digital safety and security too...
 
Wouldn’t a password and a hardware (Yubikey) be more secure?

Someone gets into your Apple ID (because it does happen) and now they have your passkeys, and access to your accounts.

But if someone gets into your Apple ID and your passwords, they would still need the hardware key.
 
Although a prompt is certainly reasonable, you’re giving your consent if you have the automatic updates in the first place, I guess. It IS odd that it’s on by default, though, meaning you never gave original consent. I wonder if that will change. I think it should be opt-in.

Also, it seems to say that the passwords are unaffected, so does that mean you can still log into those sites/services with a password if you choose, in lieu of the passkey?

(Edited because I made it seem that the feature is opt-in, while it’s on by default)
Maybe they'll ask first run post-upgrade? Same as set up Siri etc?
 
Wouldn’t a password and a hardware (Yubikey) be more secure?

Someone gets into your Apple ID (because it does happen) and now they have your passkeys, and access to your accounts.

But if someone gets into your Apple ID and your passwords, they would still need the hardware key.
I think so. I see physical security keys as really effective at the cost of maintaining access and safety of physical things (and resulting loss of convenience). I see passkeys as a bit more convenient with almost the same amount of secure, and more attack-resistant than passwords.

A lesson that I keep with me is an incident I had at work last year. Someone built a visually-identical web application to our authentication page for our internal systems at work. They also created one of those almost-identical URLs for it (things like swapping out the l for a 1 or something). They then emailed a phishing email to most of our org with a template that looked like our official change-password reminder. They even set up SMS messages to try to capture the MFA code to go with it. Clearly done by someone with inside knowledge.

Scarily enough, they did this the day before a major holiday when people's minds weren't fully in the game. Several highly trained staff fell for it, much to the horror of myself and our CTO. These folks rotate strong passwords, go through annual data security/OWASP training, have mandatory MFA, and our sec team regularly sends out phishing attempts to keep attention up. This wasn't a hypothetical attack, and it wasn't basic. Passkeys would be effective against this. Passwords are vulnerable (well people using the passwords are vulnerable).

Do I think passwords are always bad? Not at all, they can be managed responsibly. I also recognize that sometimes tech approaches like passkeys can handle some of the burden of constant vigilance, even if it becomes a bit more complicated. Balancing things to work most of the time while minimizing inconvenience is really tricky. So many attempts have been made, and personally I find passkeys to strike an "ok" balance. I guess time will tell.
 
Thanks for the info. Though my question is pertaining to those, like myself, who choose not to use iCloud Keychain. Passkeys currently require iCloud Keychain in order to setup and function, so I'm wondering if Cook & Co are planning on somehow ramming that 'upgrade' down my throat 'by default' as well.
You can use any password authentication app and iPhone will give you a choice of where to save a password/passkey. E.g., if your employer has a rule you have to use MS authenticator and you have some passwords in keychain, they can exist simultaneously.
 