Raise your hand if you hate entering passwords. Now raise your hand if you use the same password for multiple accounts or services. Yes, many people do, and this is the main reason why users get hacked.
Think about it. If someone can get your password for a service, whether through a data breach, social engineering or a phishing attack, your identity and personal information may be intercepted. That can lead to anything from people spying on baby cams to hackers stealing money from your bank account.
Yes, there are alternatives to entering passwords manually, such as the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have come together in the FIDO Alliance to try to replace the password for good. Apple’s version is called Passkeys, coming this fall in iOS 16, macOS Ventura and iPadOS 16.
In an exclusive Tom’s Guide interview, I had the chance to speak with Kurt Knight, Apple’s senior director of platform product marketing, and Darin Adler, Apple’s vice president of Internet technologies, about how Passkeys work and how they can turn passwords into a thing of the past.
What are Passkeys and how do they work?
Passkeys are easy-to-use, more secure, unique digital keys that are never stored on a web server and remain on your device. The best part? Hackers cannot steal passkeys in a data breach or trick users into sharing them.
“Face ID and Touch ID authentication give you the convenience and biometrics we can get with an iPhone. You don’t need to buy another device, and you don’t even need to learn a new habit.”
– Darin Adler, Apple
“Passwords are key to protecting everything we do online today, from everything we communicate to all our finances,” Knight said. “But they’re also one of the biggest attack vectors and security vulnerabilities facing users today.”
That’s why Apple is pushing hard for an alternative. Passkeys use Touch ID or Face ID for biometric authentication and iCloud Keychain to sync with end-to-end encryption on iPhone, iPad, Mac, and Apple TV.
Other companies have tried to replace passwords with special hardware such as a physical security key, but this has mostly been aimed at enterprise users and added another layer of complexity. Passkeys have real punch because they use the device you already have.
Passkeys are based on public key cryptography. There is a private key, which is secret and stored on your device, and a public key, which is stored on the web server. Because you never provide the private key, passkeys make phishing impossible; you just authenticate using your device.
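The private-key and public-key exchange described above, as an added sketch in JavaScript (Node.js) that is not Apple's or the FIDO Alliance's code. It is a simplified challenge-response rather than the real WebAuthn message format, and the function names and the example origins are assumptions made for illustration.

```javascript
// Added illustration: simplified passkey-style sign-in, not the real WebAuthn format.
const crypto = require('node:crypto');

// Fixed-length binding of the site identity into the signed data.
const originHash = (origin) => crypto.createHash('sha256').update(origin).digest();

// Registration: the device creates a key pair for one site (hypothetical helper).
function registerPasskey(origin) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { origin, privateKey },      // never leaves the device
    serverRecord: { origin, publicKey }, // all the web server stores
  };
}

// Server: a fresh random challenge for every sign-in attempt.
const newChallenge = () => crypto.randomBytes(32);

// Device: sign only for the site the key was created for.
function deviceSign(device, challenge, visitedOrigin) {
  if (visitedOrigin !== device.origin) return null; // no key for this site
  const data = Buffer.concat([originHash(visitedOrigin), challenge]);
  return crypto.sign('sha256', data, device.privateKey);
}

// Server: check the signature against its own origin and its own challenge.
function serverVerify(serverRecord, challenge, signature) {
  if (!signature) return false;
  const data = Buffer.concat([originHash(serverRecord.origin), challenge]);
  return crypto.verify('sha256', data, serverRecord.publicKey, signature);
}

function demo() {
  const site = 'https://stream.example';            // constructed origins
  const lookalike = 'https://stream-login.example';
  const { device, serverRecord } = registerPasskey(site);
  const first = newChallenge();
  const signature = deviceSign(device, first, site);
  const second = newChallenge();
  return {
    genuineSignIn: serverVerify(serverRecord, first, signature),      // true
    replayedSignature: serverVerify(serverRecord, second, signature), // false
    lookalikeGotSignature: deviceSign(device, second, lookalike) !== null, // false
  };
}
console.log(demo());
```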
“People almost always have their phones,” Adler said. “Face ID and Touch ID authentication give you the convenience and biometrics we can get with iPhone. No need to buy another device, and no need to learn a new habit.”
Wait, what if you’re not using an Apple device?
Let’s say you signed up for a streaming service on your iPhone, but you need to sign in on Roku. What do you do if your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to verify that you’re the one trying to access an app or website running on another device before approving or denying the request.
Additionally, if someone tries to access the service using an iOS device or Mac that isn’t yours, the passkeys can be shared via AirDrop.
“The cross-platform experience is very easy,” said Knight. “Say you’re someone with an iPhone, but you want to go and log into a Windows machine. You’ll be able to get a QR code, and then you’ll just scan it with your iPhone, and then you’ll be able to use Face ID or Touch ID on your phone.”
In other words, the computers will communicate with each other to make sure you are nearby and confirm your login for security purposes.
Unbreakable Keychain
In order for passkeys to work across multiple Apple devices, including iPhones, iPads, Macs, and Apple TVs, something is needed to synchronize data with end-to-end encryption. And that’s where iCloud Keychain comes in.
“This is not a future dream to replace passwords. This will be the way to completely replace passwords, and it’s starting now.”
– Kurt Knight, Apple
iCloud Keychain is already used to sync your passwords and other secure information (like credit cards) across your devices. But the arrival of Passkeys takes things to the next level.
But what if you don’t have access to your iPhone? iCloud Keychain also allows you to recover your passkeys through iCloud if your Apple device is lost or stolen.
That’s why it’s so important that Apple is building passkeys on top of iCloud Keychain.
“iCloud Keychain has made this possible, and security that was previously limited to people willing to carry additional hardware can be made available to anyone with a phone,” Adler said. “So I think those two things come together in a really special way.”
What’s next for Passkeys?
Passkeys will be built into the operating systems for iOS 16, iPadOS 16, and macOS Ventura, but Apple is also working with developers to integrate Passkey support into their apps.
Apple hasn’t yet shared which Passkey-compatible apps will be available at launch, but there’s already momentum in the background. And it’s not just about ease of use.
“These public keys don’t really have any value. There is nothing worth stealing,” Adler said. “So it will reduce the liability of the developers running the services … and the developers will want to benefit because of the reduced liability.”
According to Adler, developers now have everything they need to start implementing Passkeys, and consumers will receive support when they update their Apple devices to the newly released software this fall.
So despite all the previous hype about killing the password forever, it might be real this time.
“It’s not a future dream to replace passwords,” Knight said. “It’s going to be a way to completely replace passwords, and it’s starting now.”