Passkeys are a “new biometric sign-in standard”. Biometrics in security circles are used for things like identity cards, building access, and so on. This typically involves scans of your fingerprints, or face. Either of these may be physically used on a device or through a readable card scanned into a system.
Every so often, they’re hailed as a possible replacement to the passwords you’re likely using on websites and systems right this very second. One of their biggest benefits is that they’re totally unique to you. The downside of this is that they’re…totally unique to you. A big argument against biometrics for security purposes is that once they’re stolen, your biometrics are out there forever. You can’t exactly change them, but then not having to change them is a key selling point in the first place.
With this caveat out of the way: Passkeys aren’t about tying your biometrics to an ID card. You’re not going to do anything you aren’t already doing with biometrics via your Apple devices. If you’re already happy with using biometrics for everyday activities on your iPhone, this probably won’t be a concern.
Let’s take a look at what Apple is doing with its passkeys.
Pass the passkey
Some of Apple’s primary concerns about the kind of passwords we use currently:
- Difficult to use correctly
- Easily phished/reusable
- The trade-off between security versus convenience
Using a passkey involves signing in to a service you normally use, and then selecting the “Create passkey” option. The passkey is saved to your iCloud Keychain, and is then available to sign in on all of your devices. A few taps has given you “a unique, cryptographically strong key pair” for your account. All you need is to be running macOS Ventura and iOS 16.
It’s designed to work across as many platforms as possible. It also allows you to login on other people’s machine via your phone and a QR code. Want to share a passkey with people you trust? Airdrop can do that for you. Apple wants this working across, and with, as many of their services and features as possible.
Breaking up the password flow
Eventually, the idea is to exist as a replacement for passwords. The passkey option being added into the username field as an additional popup option seems to be the goal. No password entering, no username entering: just the passkey.
Of course, not everyone is going to be using this feature. Not all sites and services will make the leap. Traditional passwords can’t exactly just vanish any time soon, so this is realistically an addition to password flows for the time being.
How secure is the passkey?
When you sign in with a password, it is (hopefully) hashed and salted. These are encryption processes which make it more difficult for people to compromise your details should a data breach occur. The obfuscated output is sent to, and stored on, the server. When you visit the service at a later date and produce the same hashed salted value, it grants you access.
With Apple’s new creation, instead of a single typeable string the passkey is a pair of related keys generated by your devices. They’re unique for every account. One key is stored on the server and is public. The other, private key, is stored on your device and the server is never actually told what it is. From the Apple support document:
“On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.“
On top of all this, Apple IDs using iCloud Keychain require two-factor authentication. There’s also protection against rogue devices accessing a Keychain via syncing identities and their “circle of trust“.
All hail the single-tap sign in?
Anything promising to combine good security with actual convenience is always a strong sales pitch. Google and Microsoft are also eager to solve the password problem forever. Support for the FIDO standard of passwordless sign-ins is definitely the direction passwords are headed in.
What remains to be seen is the buy-in rate from sites, services, and apps. Apple spends quite a bit of time explaining to developers how easy it is to integrate passkeys into their sites. We just have to hope that, as with all the passwordless proposals, developers will listen.