Passkey follows the FIDO standard and is meant to replace passwords. For users, logging in should become easier and more secure starting in autumn.
With the introduction of iOS 16, iPadOS 16 and macOS Ventura, users will have to enter passwords less and less in the future. Thanks to a new feature called "Passkey", logging into websites and apps should be faster and more secure at the same time, Apple promised in the keynote at the WWDC developer conference. One of the sessions for developers made clear what exactly this will look like.
Passkey is based on the extended FIDO standard, which Apple has joined together with Google and Microsoft. When the user creates an account, a cryptographic key pair is created in the operating system. These keys are generated individually by each device and for each account. One key, the public key, is stored on the service provider's server. The second key, the private one, remains on the device and is never disclosed to the server.
This is what the login will look like in the future
Login is similar to unlocking the Apple device: the user identifies themselves with Face ID, Touch ID or a passcode. In the background, the server sends the device a so-called challenge. If the biometric confirmation is successful, the device uses the private key to generate a digital signature, which is transmitted to the server. Once the server has checked the signature, the user is logged in. This can be seen in the video of the WWDC session.
According to Apple, passwordless login ensures that phishing attacks – i.e. the capture of passwords by manipulated or fake websites – are no longer possible. In addition, users tend to reuse passwords or choose simple ones. Data theft from servers is also not critical with Passkey, since the public keys cannot be used to break into accounts.
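The challenge-response login described above, and why a look-alike site or a copied server database gains nothing, as an added example (not Apple's code and not the WebAuthn wire format). It assumes Node.js with its built-in crypto module; the Server class, the function names, the user name and the origins are constructed for illustration, and signing the site's origin together with the challenge is a simplification of how FIDO/WebAuthn ties a signature to the site.

```javascript
// Simplified model of a passkey login (illustration only, not the WebAuthn wire format).
const nodeCrypto = require('crypto');

// Device: one key pair per account; the private key never leaves the device.
const createPasskey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Bytes that get signed: the server's challenge plus the origin the device actually sees.
const signedData = (challenge, origin) => Buffer.from(`${challenge.toString('hex')}|${origin}`);

// Device: signs only after Face ID / Touch ID / passcode succeeded (modelled as a flag).
function deviceSign(privateKey, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  return nodeCrypto.sign('sha256', signedData(challenge, origin), privateKey);
}

// Server: stores public keys only and hands out single-use random challenges.
class Server {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.keys.get(user);
    this.pending.delete(user); // each challenge is good for one attempt
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify('sha256', signedData(challenge, this.origin), publicKey, signature);
  }
}

function demo() {
  const origin = 'https://shop.example'; // constructed sample values
  const server = new Server(origin);
  const device = createPasskey();
  server.register('alice', device.publicKey);
  const sig = deviceSign(device.privateKey, server.newChallenge('alice'), origin, true);
  const genuine = server.verifyLogin('alice', sig);
  const replayed = server.verifyLogin('alice', sig); // challenge already consumed
  // A look-alike site can relay a fresh challenge, but the device signs the origin it sees.
  const fakeSig = deviceSign(device.privateKey, server.newChallenge('alice'), 'https://shop.example.invalid', true);
  const lookalike = server.verifyLogin('alice', fakeSig);
  // The server's copy of the public key verifies signatures; it cannot create one.
  const otherKey = createPasskey().privateKey;
  const wrongKey = server.verifyLogin('alice', deviceSign(otherKey, server.newChallenge('alice'), origin, true));
  return { genuine, replayed, lookalike, wrongKey };
}
console.log(demo());
```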
Automatically on all devices
The passkeys are synchronized across all of the user's Apple devices via the iCloud keychain. It is also possible to use devices from other manufacturers. In this case, a Windows or Android device displays a QR code, which is scanned with the iPhone or iPad. Once Face ID or Touch ID has confirmed the user, the iPhone confirms to the server that the login request is legitimate.
Well secured according to Apple
Apple emphasizes that the iCloud keychain is end-to-end encrypted and uses strong cryptographic keys unknown to Apple. There is also a limit on the number of login attempts to prevent brute-force attacks.
If a user ever loses all of their Apple devices, there is a way to recover the passkeys. To do this, the user must log in with their iCloud user name and password and respond to an SMS. The device passcode must also be entered. There are only 10 attempts for this. Additionally, there is the option to set an emergency contact so that access can also be restored if the user forgets their Apple ID password and device passcode.
iOS 16, iPadOS 16 and macOS Ventura were presented at the WWDC developer conference and are currently in the beta phase. According to Apple, the final versions should appear in the fall.