Raise your hand if you hate entering passwords. Alright, now keep your hands up if you’re using the same password for multiple accounts or services. Yes, a lot of people do, and it’s one of the main reasons users get hacked.
Think about it. If someone can obtain your password for a single service, either through a data breach, social engineering, or phishing attack, your identity and personal information could be compromised. This can lead to anything from people spying on baby cams to hackers stealing money from your bank account.
Yes, there are alternatives to entering passwords manually, such as the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have banded together through the FIDO Alliance to try and replace the password for good. And Apple’s implementation is called Passkeys, which will arrive this fall in iOS 16, macOS Ventura, and iPadOS 16.
In an exclusive Tom’s Guide interview, I had the opportunity to speak with Kurt Knight, Senior Director of Platform Product Marketing at Apple, and Darin Adler, Vice President of Internet Technologies at Apple, about how passkeys work and how they could really make passwords a thing of the past.
What are Passkeys and how do they work?
Passkeys are easy-to-use, more secure, unique digital keys that are never stored on a web server and stay on your device. The best part? Hackers cannot steal passkeys during a data breach or trick users into sharing them.
“Passwords are critical to protecting everything we do online today, from everything we share to all of our finances,” Knight said. “But they are also one of the greatest attack vectors and security vulnerabilities facing users today.”
That’s why Apple pushed so hard for an alternative. Passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Other companies have tried replacing passwords with dedicated hardware, such as a physical security key, but this was primarily focused on corporate users; it also added another layer of complexity. Passkeys have a real chance of taking off because they leverage a device you already own.
Security keys are based on what is called public key cryptography. There is a private key, which is secret and stored on your device, and there is a public key which goes to a web server. Security keys make phishing impossible because you never present the private key; you simply authenticate using your device.
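The exchange described above, as an added example that is not from Apple or the original article: a simplified challenge-response model in Node.js, not the actual WebAuthn message format. The names `createAuthenticator`, `createRelyingParty`, `demo` and the `.example` origins are hypothetical.

```javascript
const crypto = require('node:crypto');

// Device side: the private key is created here and never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only thing handed to the server at registration
    // Sign the server's challenge together with the origin the browser actually sees.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Server side: stores only a public key and issues one-time random challenges.
function createRelyingParty(expectedOrigin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(32);
      pending.add(c.toString('base64url'));
      return c;
    },
    verify({ clientData, signature }) {
      const { challenge, origin } = JSON.parse(clientData);
      if (!pending.delete(challenge)) return 'rejected: unknown or replayed challenge';
      if (origin !== expectedOrigin) return 'rejected: wrong origin';
      const ok = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
      return ok ? 'accepted' : 'rejected: bad signature';
    },
  };
}

function demo() {
  // Constructed sample values: one device, one site, one look-alike origin.
  const device = createAuthenticator();
  const site = createRelyingParty('https://shop.example', device.publicKey);
  const good = device.sign(site.newChallenge(), 'https://shop.example');
  const results = { login: site.verify(good), replay: site.verify(good) };
  // A look-alike page relays a real challenge, but the signed origin is the page's own.
  const phished = device.sign(site.newChallenge(), 'https://shop-login.example');
  results.phish = site.verify(phished);
  return results;
}
console.log(demo());
```

The server never holds anything that can sign, so a copy of its database yields only public keys, and a response captured once cannot be replayed because each challenge is consumed on first use.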
“People almost always have phones with them,” Adler said. “Face ID and Touch ID verification gives you the convenience and biometrics that we can get with an iPhone. You don’t need to buy another device, but you don’t even need to learn a new habit.”
Wait, what if you’re not using an Apple device?
Say you sign up for a streaming service on your iPhone but need to log in on your Roku. What do you do when your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to confirm that it is you trying to log in before confirming or denying the request to the app or website running on the other device.
Also, if someone tries to sign in to a service using an iOS device or Mac that isn’t yours, passkeys can be shared via AirDrop.
“The cross-platform experience is super easy,” said Knight. “So let’s say you’re someone who has an iPhone, but you want to log in on a Windows machine. You will be able to access a QR code which you will then only have to scan with your iPhone and can then use Face ID or Touch ID on your phone.”
In other words, the computers will communicate with each other to ensure that you are nearby for security reasons and they will confirm that you are connected.
An unbreakable keyring
For Passkeys to work on multiple Apple devices, including iPhone, iPad, Mac, and Apple TV, something is needed to sync information with end-to-end encryption. And that’s where iCloud Keychain comes in.
iCloud Keychain is already used to sync your passwords and other secure information (like credit cards) across all your devices. But the arrival of Passkeys takes things to the next level.
So what if you don’t have access to your iPhone? iCloud Keychain also allows you to recover your old keys via iCloud if your Apple device is lost or stolen.
That’s why it’s so important that Apple created passkeys on top of iCloud Keychain.
“iCloud Keychain has made this possible, and the security that was previously limited to people who would be willing to carry extra gear can be made available to everyone with the phone,” Adler said. “So I think those two things come together in a really special way.”
What’s next for Passkeys
Passkeys will be built into operating systems for iOS 16, iPadOS 16, and macOS Ventura, but Apple is also working with developers to build passkey support into their apps.
Apple hasn’t yet been able to share which Passkey-enabled apps will be available at launch, but it looks like there’s already momentum in the background. And it’s not just about ease of use.
“These public keys don’t really have any value. There’s nothing to steal,” Adler said. “So it’s going to reduce the liability of developers running services…and developers will want to take advantage of that because of the reduced liability.”
According to Adler, developers have everything they need to start implementing passkeys now, and consumers will get support when they update their Apple devices with the newly released software this fall.
So, despite all the previous hype around permanently removing the password, this time it might be happening for real.
“It’s not a future dream to replace passwords,” Knight said. “It’s something that’s going to be a pathway to completely replacing passwords, and it’s starting now.”