Think about it. If someone managed to get hold of your password for a single service, whether through a data breach, social engineering, or a phishing attack, your identity and personal information could be compromised. This can lead to anything from people spying on kids’ cameras to hackers stealing money from your bank account.
Yes, there are alternatives to entering passwords manually, such as the best password managers, but they can still leave users vulnerable. Now, Apple, Google, Microsoft and others have come together via the FIDO Alliance to try to replace the password forever. Apple’s app is called Passkeys, which will be released this fall in iOS 16, macOS Ventura, and iPadOS 16.
In an exclusive interview with Tom’s Guide, I had the opportunity to speak with Kurt Knight, Apple’s Senior Director of Platform Product Marketing, and Darin Adler, VP of Internet Technologies at Apple, about how Passkeys work and how they can really make passwords a thing of the past.
What are passkeys and how do they work?
Passkeys are unique numeric keys that are easier to use and more secure; they are never stored on a web server and remain on your device. The best part? Hackers cannot steal passkeys in a data breach or trick users into sharing them.
“Passwords are central to protecting everything we do online today, from everything we transmit to all of our finances, but they are also one of the biggest attack vectors and vulnerabilities that users face today,” Knight said.
This is why Apple is pushing so hard for a replacement. Passkeys use Touch ID or Face ID to verify biometrics, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Other companies have attempted to replace passwords with dedicated hardware, such as a physical security key, but that has mostly been focused on enterprise users; it also added another layer of complexity. Passkeys have a real chance to take off because they take advantage of a device you already have.
Passkeys are based on what is called public key cryptography. There is a private key, which is secret and stored on your device, and there is a public key that is placed on the web server. Passkeys make phishing impossible because you never provide the private key; you are just authenticating using your device.
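The sign-in described above, as an added example in Go (not code from the original article or from Apple): the server keeps only a public key, the device signs a fresh challenge together with the site address it actually sees, and a signature produced for a look-alike address fails verification. The message layout, the use of Ed25519, the `shop.example` addresses and all function names are assumptions made for illustration; real passkeys use the WebAuthn message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is the website: per account it stores only a public key.
type Server struct {
	Origin    string
	PublicKey ed25519.PublicKey
	pending   []byte // outstanding single-use challenge
}

// Register models sign-up: the device keeps priv, the server gets pub.
func Register(origin string) (ed25519.PrivateKey, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, &Server{Origin: origin, PublicKey: pub}
}

// NewChallenge issues fresh random bytes for one sign-in attempt.
func (s *Server) NewChallenge() []byte {
	s.pending = make([]byte, 32)
	rand.Read(s.pending)
	return s.pending
}

// message binds a challenge to an origin (simplified, not the WebAuthn format).
func message(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// DeviceSign runs on the phone and signs for the origin it actually sees.
func DeviceSign(priv ed25519.PrivateKey, seenOrigin string, challenge []byte) []byte {
	return ed25519.Sign(priv, message(seenOrigin, challenge))
}

// Verify checks against the server's own origin and consumes the challenge.
func (s *Server) Verify(sig []byte) bool {
	c := s.pending
	s.pending = nil
	return c != nil && ed25519.Verify(s.PublicKey, message(s.Origin, c), sig)
}

func main() {
	priv, srv := Register("https://shop.example")
	fmt.Println("genuine:", srv.Verify(DeviceSign(priv, srv.Origin, srv.NewChallenge())))
	fmt.Println("look-alike:", srv.Verify(DeviceSign(priv, "https://shop-login.example", srv.NewChallenge())))
}
```

A copy of the server's database yields only `PublicKey` values, which cannot produce a valid signature, and because each challenge is consumed on first use a captured signature cannot be replayed.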
“People often have phones with them,” Adler said. “Face ID and Touch ID verification give you the convenience and biometrics we can achieve with an iPhone. You don’t have to buy another device, but you don’t even have to learn a new habit.”
Wait, what happens if you’re not using an Apple device?
Let’s say you signed up for a streaming service on your iPhone but need to sign in on your Roku. What do you do when your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to make sure it’s you trying to sign in before you confirm or decline a request to an app or website running on the other device.
Additionally, if someone is trying to sign into a service using an iOS device or Mac that isn’t yours, passkeys can be shared via AirDrop.
Knight said that using passkeys across platforms is very easy. “Let’s say you are someone with an iPhone, but you want to go and sign in on a Windows device. You will be able to get a QR code that you can scan with your iPhone and then you can use Face ID or Touch ID on your phone.”
In other words, the computers will communicate with each other to ensure that you are in close proximity for security and they will confirm that you are logged in.
Unbreakable key chain
For passkeys to work across many Apple devices — including the iPhone, iPad, Mac, and Apple TV — you need something to sync information with end-to-end encryption. This is where iCloud Keychain comes in.
iCloud Keychain is already used to keep your passwords and other secure information (such as credit cards) in sync across your devices. But passkeys take things to the next level.
So what happens if you don’t have access to your iPhone? iCloud Keychain also allows you to restore your previous keys through iCloud if your Apple device is lost or stolen.
This is why it is so important for Apple to build passkeys on top of iCloud Keychain.
“iCloud Keychain makes this possible, and can provide security that was previously limited to people who want to carry additional devices to everyone who has the phone,” Adler said. “So I think those two things come together in a really special way.”
What’s next for passkeys
Passkeys will be included in the operating systems of iOS 16, iPadOS 16, and macOS Ventura, but Apple is also working with developers to integrate Passkey support into their apps.
Apple has not yet been able to share the Passkey-compatible apps that will be available at launch, but it appears that there is already momentum in the background. And it’s not just about ease of use.
“These public keys don’t really have any value. There is nothing worth stealing,” Adler said. “So that will reduce liability for developers running the services…and developers will want to take advantage of that because of the reduced liability.”
According to Adler, developers have everything they need to get started with Passkeys now and consumers will get support when they update their Apple devices to the newly released software this fall.
So despite all the previous hype about killing the password for good, this time it might just happen for real.
“This is not a futuristic dream of replacing passwords,” Knight said. “This is something that would be a pathway to completely replace passwords, and it has now begun.”