Move over, passwords. Next-generation Passkeys are finally here to usher in a more secure, password-less future.
Passwords might have been a great way to secure accounts when they were first introduced ages ago. But it’s safe to say we are in dire need of more secure alternatives, and we have been for quite some time.
Signing in to accounts with passwords is not only a hassle; passwords are also rather vulnerable. Most of this vulnerability stems from users’ own inability to use a strong password. It’s astounding how many people still use passwords like 123456 or password. Then, there are those who reuse the same password on every site.
But even if you use the strongest password possible on every site and never repeat one, passwords aren’t completely safe. They’re still prone to phishing attacks and data leaks. But with Passkeys, the password-less future we’ve been awaiting is finally here. Apple announced passkeys at WWDC this year, and both iOS 16 and macOS Ventura support them.
What is a Passkey?
A Passkey will be a completely password-less solution that’ll use your biometrics to sign in to an account. If your device doesn’t support biometrics, you can also use your device passcode. Passkeys use powerful cryptographic techniques – the details of which you can skip in the next couple of lines if they’re too technical – to keep an account safe.
Now, for the technical part: Passkeys are based on the Web Authentication (or “WebAuthn”) standard, which uses public-key cryptography. Public-key cryptography uses two keys – a public key, which will be stored on the server and is visible to everyone, and a private key, which is a secret key that no one will know.
And since the keys won’t ever leave your device, and the private key at least is never stored on a server, passkeys are immune to both phishing attacks and data leaks.
Passkeys will be unique to the website you’re signing in to. Potentially, they’ll be even easier to use than passwords and way safer.
Apple is working with other companies like Google, Microsoft, and many others in the FIDO alliance to make sure that passkeys will be implemented in a way that’ll work across platforms.
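The key-pair sign-in described above, sketched as an added example (not code from Apple or from the WebAuthn specification). It assumes Node.js; the Authenticator class, the verifyAssertion function and the example.com / example.net hosts are illustrative names, and the real protocol’s encodings are left out.

```javascript
// Simplified model of a WebAuthn-style sign-in (added example; names are hypothetical).
// Real WebAuthn adds CBOR/COSE encodings, authenticator data and user verification.
const nodeCrypto = require("node:crypto");

// The device: one key pair per website; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // all the server ever stores
  }
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey for this site, so nothing to give away
    const clientData = JSON.stringify({ type: "webauthn.get", challenge, origin });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey) };
  }
}

// The website: checks challenge, origin and signature against the stored public key.
function verifyAssertion(publicKeyPem, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.type !== "webauthn.get" || data.origin !== expectedOrigin) return false;
  if (data.challenge !== expectedChallenge) return false; // a replayed response fails here
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

const newChallenge = () => nodeCrypto.randomBytes(32).toString("base64url");

function demo() {
  const device = new Authenticator();
  const storedKey = device.register("example.com"); // constructed sample site
  const challenge = newChallenge();
  const genuine = device.sign("https://example.com", challenge);
  const otherSite = device.sign("https://example.net", challenge); // different host
  return {
    storedKeyIsPublic: storedKey.startsWith("-----BEGIN PUBLIC KEY-----"),
    genuine: verifyAssertion(storedKey, "https://example.com", challenge, genuine),
    otherSite: verifyAssertion(storedKey, "https://example.com", challenge, otherSite),
    replayed: verifyAssertion(storedKey, "https://example.com", newChallenge(), genuine),
  };
}

console.log(demo());
```

Only the genuine sign-in verifies: a page on a different host gets no response from the device, and a response captured earlier fails against a fresh challenge.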
How Will Passkeys Work on Mac and iPhone?
You can immediately create a passkey when you try to create an account on devices running iOS 16 or macOS Ventura. All you’ll have to do is authenticate yourself using either Touch ID or Face ID. Once you complete the authentication, the operating system will create a unique pair of digital keys for the specific website.
Passkeys will work in both apps and websites in Safari on your Apple devices. And they’ll be synced across your Apple devices using the iCloud keychain. So, even if you create a passkey for an account on your iPhone, you’ll be able to seamlessly use it on your Mac, iPad, or Apple TV. Your passkeys will be stored in the iCloud keychain with end-to-end encryption, so not even Apple will know their contents.
More importantly, you’ll also be able to use Passkeys on non-Apple devices. Even when you want to log in to your account from a non-Apple device, you can use passkeys in both apps and on the web. To sign in, you’ll be able to view a QR code on your non-Apple device which you can scan from your iPhone or other Apple device. Then, as explained above, you’ll need to authenticate using Face ID or Touch ID to sign in.
But that’s the catch with Passkeys. Without your Apple device, you won’t be able to use passkeys to sign in on other devices. And the non-Apple device and the Apple device should be within physical proximity of each other since the process will be using Bluetooth. You can’t send photos of QR codes and scan them on your Apple device from far away.
If you want to sign in to your account on an iPhone or Mac that’s not yours, you can simply AirDrop your Passkeys.
To use Passkeys on your iPhone or Mac, you must also have two-factor authentication enabled for your Apple ID. If you don’t have it and you try to use Passkeys, you’ll first be prompted to enable it.
What Happens If You Lose your Device?
Since Passkeys will be synced across your Apple devices using the iCloud keychain, in the event that you lose one of your devices, you’ll still have access to your Passkeys. But what happens if you end up losing all your devices or if you only used the single Apple device you lost?
There’s no need to worry. Even if something like that happens, all your Passkeys will be recoverable. You can recover your Passkeys from iCloud keychain escrow. iCloud keychain escrow doesn’t let just anyone recover the data and has a strict process to authenticate the user. Only when these conditions are met and it’s established that you are the original user can you recover your Passkeys from escrow. This makes sure that escrow is protected against brute force attacks, even by Apple itself.
This makes Passkeys better than using external security keys since you end up losing all your credentials if you lose the external key.
Creating and Using Passkeys on iPhone and Mac
Creating and using Passkeys on your iPhone or Mac is a piece of cake. You can create them on any website or app that supports Passkeys. Since the API for Passkeys will have to be implemented by the developers, it’ll be some time before they become the norm.
But here’s how the process will go. You can create a Passkey while creating an account on any supported website or app when running iOS 16 or macOS Ventura. After you click the ‘Sign Up’ or ‘Register’ button, a prompt will appear asking you if you want to save a Passkey for the associated account. Tap ‘Continue’ to use it.
Then, authenticate using Face ID or Touch ID and the passkey will be created. It’s that simple.
When you go on to sign in to an account for which you previously saved the passkey in the iCloud keychain, a prompt will appear again asking if you want to sign in using the saved Passkey. Tap ‘Continue’ and authenticate using your biometrics.
If you can’t authenticate on the current device, you’ll be able to select that you want to sign in using another device.
Once you select that option, a QR code will appear which you can scan on the other device and then authenticate yourself.
If you don’t have biometrics on your device, you can also use your device passcode or login password to create and use Passkeys. Click ‘Continue with Password’ and authenticate by entering the device passcode or login password to create or use the Passkey.
Since Passkeys are still so new, even when they are implemented widely, there will be a learning curve. Many potential problems will also arise that’ll need to be addressed. But Passkeys will still be easier and more secure to use than passwords. No hacker can trick you into sharing your passkey through a phishing attack, nor can it be compromised in a data leak.