How much time do you spend on your passwords? Do you create new ones every year and pay attention to the strength of the strings of letters and numbers you choose? Probably not: every year, security companies find hopelessly weak passwords in leaked databases. Most passwords are too simple, never changed, and could be cracked in minutes.
It is therefore commendable that Apple has announced a new authentication procedure, Passkeys, which is meant to replace passwords. Online, the new process is strongly associated with the Apple ecosystem, which is a shame: with Passkeys, Apple has only presented its own way of using the WebAuthn standard.
Why aren’t Apple Passkeys just for Apple users?
“Passkeys” are not an exclusive invention of Apple, even if it looked that way at WWDC 2022: it is the name of Apple’s implementation of a new type of login standardised by the FIDO Alliance. Apple is in fact a member of that alliance (it joined its board in 2020) and, by its own account, worked with Google, among others, to build its Passkeys on the FIDO standards. Sooner or later, almost all internet users will therefore benefit from Passkeys.
The basic idea is to stop logging in with passwords and use cryptographic keys instead. From the user’s point of view, a login is approved with biometrics: Face ID or Touch ID unlocks the private key on the device, which then answers a challenge from the server with a signature that the server checks against the matching public key. If you already use Face ID and Touch ID to unlock iCloud Keychain, the handling won’t change that much.
Even though today’s logins in iOS are about as convenient as Passkeys will eventually be, there is one major downside. Currently, all iCloud Keychain can do is copy your password into the login form, from where it is sent to the server operator. The password is a shared secret that travels to the server on every login, so the risk of it being intercepted, whether by a “man-in-the-middle” (“MITM”) attack or by other means, always exists.
Phishing, i.e. stealing passwords by staging a supposedly urgent service emergency or using other social-engineering tactics, also works against this procedure: it is very easy to copy a password out of the keychain and paste it into any form or email if you have been taken in by a scam.
Passkeys and Apple’s use of them are more secure
In a way, Passkeys even protect against the proverbial error that sits in front of the screen. They are based on a pair of keys, a public key and a private key. After setup, the public key is stored on the server, while the private key stays on the device used for login. The strength lies in the mathematics the procedure rests on: public-key cryptography.
Put simply, it is designed so that the private key never has to be transmitted to the server during a login attempt; the device only signs a fresh challenge the server sends. Thus, your Passkey remains safe even in the event of an MITM attack or a successful break-in at the company’s servers, which hold nothing but public keys. Passkeys are based on the Web Authentication (WebAuthn) standard, which has been used for some time now for passwordless login to websites.
If all this already exists, one wonders why everyone acts as if Apple had reinvented the password.
Why is everyone pretending to believe that Apple reinvented the password?
Good question! What Apple can really be commended for is being the first to ship Passkeys across all of its devices. At the same time, it offers a programming interface, an API, for its Passkeys. To enable login via Passkeys, websites and services will of course first have to put the prerequisites in place.
Since Apple releases its new operating systems, i.e. iOS 16, watchOS 9, iPadOS 16 and macOS 13, as developer betas several months before launch, availability could be ensured in many places by the time they ship. Besides, Apple already previewed its WebAuthn-based Passkeys to developers at WWDC 2021.
Passkeys are additionally linked to iCloud Keychain, so you will be able to use them from any Apple device signed in with your Apple ID. Since Apple end-to-end encrypts the keychain and says it cannot read the keys itself, this is a safe place to store Passkeys.
The system is further protected by two-factor authentication: iCloud Keychain requires it on your Apple ID, so adding a new device that can use your Passkeys has to be confirmed on an existing Apple device or by entering a six-digit code.
Apple has therefore not (re)invented passwordless login, but has simply implemented it in a smart and secure way. In addition, Apple devices are so widespread that the Cupertino company’s move will be a good incentive for services and websites to finally switch to WebAuthn.
Do Passkeys make it impossible to switch to Android and Windows?
The direction Apple is taking with its Passkeys nevertheless worried me a bit during the keynote. It gave the impression that Apple was once again going to fence off its walled garden. Doesn’t the introduction of Passkeys make it nearly impossible to use non-Apple devices?
It’s not entirely clear just how tight Apple’s Passkeys integration will be, but there are three arguments against my fears.
1: During its developer conference, Apple briefly showed how it will be possible to log in on devices from other brands. The Windows laptop’s screen displays a QR code, which you scan with your iPhone or iPad to approve the login. It will therefore also be possible to log in under Windows and Android, but you will need to have your iPhone or iPad with you.
2: It is already possible to access iCloud Keychain on Windows: install the iCloud application and a corresponding program appears on your PC. Unlocking works via Windows Hello and therefore also via biometric login. However, I doubt that this system is secure enough for Apple Passkeys, because Windows Hello also accepts a PIN which, in the worst case, consists of only four digits. (To be fair, a Windows Hello PIN is bound to that one device and, on hardware with a TPM, is rate-limited against guessing, so it is not quite the same as a four-digit password.)
3: As already mentioned, the WebAuthn standard is not unique to Apple and will certainly be usable natively with Android, Windows and other operating systems in the future. You will therefore be able to create new keys on those devices for the websites you log in to. Even though these differ from Apple’s synced keys, it makes no difference in use after setup: you log in with the fingerprint sensor or facial recognition either way.
Let’s sum up. Regardless of Apple, the WebAuthn standard delivers more secure online logins. At long last, the safety of our data no longer depends on the time and energy we spend managing passwords. In addition, the standard provides reliable protection against phishing and against server breaches, and even against the companies we log in to, since they only ever hold our public keys.
Apple takes a big step forward and is the first company to launch this on all of its devices. At the same time, it leverages the advantages of its closed ecosystem to make logging in with Passkeys secure and intuitive.
The fact that Apple makes Passkeys a major topic at its developer conference and gives the feature its own name is, furthermore, a stroke of genius. In a way, Apple is reaping the laurels that the FIDO Alliance sowed and cultivated collectively.
Because when Android or Windows soon announce support for Passkeys, the public will certainly connect it with Apple.
Touché, Apple! A hit!