In the years ahead, passwords, as we know them, will become a thing of the past. However, that change won’t happen overnight and will take a concerted effort from lots of different parties, including the major tech giants. At WWDC, Apple announced how it’s moving toward more secure and easy-to-use passwordless authentication powered by WebAuthn and Face ID/Touch ID, with the preview of passkeys in iCloud Keychain.
The preview of passkeys in iCloud Keychain comes with iOS 15 and macOS Monterey, but that doesn’t mean the feature is user-facing. The preview just opens the door for developers to start initial testing.
Like the approaches Google and Microsoft have been advocating and working on, Apple’s passkeys in iCloud Keychain is based on the WebAuthn standard, which offers passwordless, biometrics-based re-authorization and low-friction, phishing-resistant 2FA.
In its “Move beyond passwords” WWDC session, Apple’s Garrett Davidson covered how WebAuthn works based on a public and private key pair.
One of the biggest advantages of WebAuthn is it uses public/private key pairs instead of shared secrets.
If we examine how passwords work today, first you enter your password. Then, it’s usually obfuscated through something like hashing plus salting, and the resulting salted hash is sent to the server.
Now, both you and the server have a copy of the secret, even though the server’s copy is obfuscated, and you’re both equally responsible for protecting that secret.
This is what we’re getting rid of. With public/private key pairs, instead of a password, your device creates a pair of keys. One of these keys is public; just as public as your username. It can be shared with anyone and everyone, and is not a secret. The other key is private. This private key is a secret and is protected by your device. Your device never shares this key with anyone else, not even the server. When you create an account, your device generates these two associated keys. It then shares the public key with the server.
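The key-pair model described in the session excerpt above, as an added example that is not from the article or from Apple: a simplified challenge-response in Node.js in which the server only ever holds a public key. The `Device` and `Server` classes, the origins and the username are constructed for illustration, and the signed payload is not the real WebAuthn message format.

```javascript
// Added illustration: simplified challenge-response, not the WebAuthn wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
// What gets signed: the origin plus the server's one-time challenge.
const payload = (origin, challenge) => Buffer.from(JSON.stringify({ origin, challenge }));

// Device (hypothetical): private keys are created here and never returned to callers.
class Device {
  constructor() { this.privateKeys = new Map(); } // origin -> private key
  createCredential(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(origin, privateKey);
    return publicKey; // only the public half is shared
  }
  sign(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null; // no credential for this origin: nothing to give away
    return sign('sha256', payload(origin, challenge), key);
  }
}

// Server (hypothetical): stores public keys and outstanding challenges, never a secret.
class Server {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  register(username, publicKey) { this.publicKeys.set(username, publicKey); }
  issueChallenge(username) {
    const challenge = randomBytes(32).toString('base64url');
    this.pending.set(username, challenge);
    return challenge;
  }
  verifyLogin(username, signature) {
    const challenge = this.pending.get(username);
    const publicKey = this.publicKeys.get(username);
    if (!challenge || !publicKey || !signature) return false;
    this.pending.delete(username); // each challenge is single use
    return verify('sha256', payload(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const server = new Server('https://example.com'); // constructed origin
  const device = new Device();
  server.register('alice', device.createCredential(server.origin));
  const signature = device.sign(server.origin, server.issueChallenge('alice'));
  const login = server.verifyLogin('alice', signature);
  server.issueChallenge('alice');
  const replay = server.verifyLogin('alice', signature); // old signature, new challenge
  const lookalike = device.sign('https://example.net', server.issueChallenge('alice'));
  return { login, replay, lookalike };
}
```

A database leak from this server exposes only public keys, a captured signature is useless against the next challenge, and the device has nothing to offer an origin it never registered with.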
You can check out all the technical details in the full session and in the getting-started guide on how to connect a service with Apple’s passkeys. But in the big picture, imagine being able to sign in to websites and services with just a user name and a Face ID or Touch ID scan.
With the security of WebAuthn plus the end-to-end encryption of iCloud Keychain, Apple says passkeys will be more secure than “most password-plus-second-factor solutions out there today.”
In most cases, it just takes a single tap or click to sign in. And they’re stronger than most password-plus-second-factor solutions out there today, thanks to the combined security of WebAuthn and iCloud Keychain. And because it’s just a single tap to sign in, it’s simultaneously easier, faster, and more secure than almost all common forms of authentication today.
The talk highlights there’s still a good amount of work to do in the tech industry for this solution to work across all devices – not just Apple’s – but it’s exciting that developers can start the groundwork in macOS Monterey and iOS 15 with passkeys.
A transition away from passwords is going to take time, and it’s important to get the details right.
In macOS Monterey and iOS 15, passkeys in iCloud Keychain is being released as a technology preview and is off by default. On iOS, there’s a new switch in the Developer settings section of the Settings app.
Turning this on will allow you to use these synced keys in both apps and on the web.
And on macOS, the switch lives in Safari’s Develop menu. First, you’ll need to turn on the Develop menu, in Safari’s Advanced settings. You’ll find the setting for this at the bottom of the Advanced pane in Safari’s preferences. Then, you can find the option to turn on the Syncing Platform Authenticator in the Develop menu. Make sure to turn the feature on when testing.
In macOS Monterey and iOS 15, these passkeys are only meant for testing, not for production accounts.
The emphasis of this preview is the authentication technology, an iCloud Keychain-backed WebAuthn implementation. An industry-wide transition away from passwords will need thoughtful and consistently applied design patterns, which are not part of this preview.