Raise your hand if you hate entering passwords. Okay, now if you use the same password for multiple accounts or services, raise your hand. Yes, many people do this, and it is a major cause of users getting hacked.
Think about it. If someone can obtain your password for a single service, whether through a data breach, social engineering or phishing attack, your identity and personal information could be compromised. This could be anything from people spying on baby cameras to hackers stealing money from your bank account.
Yes, there are alternatives to manually entering passwords, like the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have united through the FIDO Alliance to try to replace the password for good. And Apple’s implementation is called Passkeys, coming this fall in iOS 16, macOS Ventura, and iPadOS 16.
In an exclusive Tom’s Guide interview, I had the opportunity to speak with Kurt Knight, Apple’s senior director of platform product marketing, and Darin Adler, VP of Internet technologies at Apple, about how Passkeys work and how they can make passwords a thing of the past.
What the hell are Passkeys and how do they work?
Passkeys are unique digital keys that are easy to use and more secure; they are never stored on a web server and remain on your device. The best part? Hackers cannot steal passkeys in a data breach or trick users into sharing them.
“Passwords are key to protecting everything we do online today, from everything we communicate to all of our finances,” says Knight. “But they are also one of the biggest attack vectors and security vulnerabilities facing users today.”
That’s why Apple is pushing so hard for an alternative. Passkeys use Touch ID or Face ID for biometric authentication and iCloud Keychain to sync between iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Other companies have tried to replace passwords with special hardware, such as a physical security key, but that has mainly targeted business users; it also added another layer of complexity. Passkeys have a real chance of taking off because they use a device you already have.
Passkeys are based on what is called public key cryptography. There is a private key, which is secret and stored on your device, and there is a public key, which is held on the web server. Passkeys make phishing impossible because you never present the private key; you only authenticate with your device.
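To make the split between the two keys concrete, here is a small Go model of passkey registration and sign-in. It is an added example, not Apple’s code and not part of the original article: the site name example.com, the look-alike examp1e.com and the user alice are constructed. The server stores only public keys and issues a fresh random challenge per attempt; the device signs the challenge with the private key and sends back only the signature. Tying that signature to the site identifier (rpID) is how the FIDO/WebAuthn standard that passkeys build on stops a look-alike site from using the device, and it is modelled here rather than described by the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device side of a passkey: the private key is
// generated here, never leaves this struct, and remembers which site
// (relying-party ID) it was created for.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Server models the relying party. It holds public keys only, so a breach of
// this table gives an attacker nothing to sign in with.
type Server struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey // user name -> public key
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: make(map[string]*ecdsa.PublicKey)}
}

// Register creates a fresh P-256 key pair on the device and hands the server
// only the public half.
func Register(user string, s *Server) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return &Authenticator{rpID: s.rpID, priv: priv}, nil
}

// NewChallenge returns 32 fresh random bytes for one sign-in attempt, so a
// response captured earlier cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedDigest is what gets signed and verified: a hash over the site
// identifier and the challenge, tying each signature to one site and one attempt.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the device answering a sign-in request. It refuses to sign for any
// site other than the one the passkey was registered with, and it returns a
// signature, never the private key.
func (a *Authenticator) Assert(requestedRPID string, challenge []byte) ([]byte, error) {
	if requestedRPID != a.rpID {
		return nil, fmt.Errorf("passkey bound to %q; refusing to sign for %q", a.rpID, requestedRPID)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(a.rpID, challenge))
}

// Verify checks a sign-in response against the stored public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(s.rpID, challenge), sig)
}

// Demo runs three constructed cases and reports: genuine sign-in verifies,
// a replayed signature does not, and the device refuses the look-alike site.
func Demo() (genuineOK bool, replayOK bool, phishErr error) {
	site := NewServer("example.com") // constructed relying party
	device, err := Register("alice", site)
	if err != nil {
		panic(err)
	}
	// 1. Genuine sign-in: fresh challenge, signed by the device, verified by the site.
	c1, _ := site.NewChallenge()
	sig1, err := device.Assert(site.rpID, c1)
	if err != nil {
		panic(err)
	}
	genuineOK = site.Verify("alice", c1, sig1)
	// 2. Replay: a captured signature is presented against a new challenge.
	c2, _ := site.NewChallenge()
	replayOK = site.Verify("alice", c2, sig1)
	// 3. Look-alike site: the browser reports the site actually being visited,
	//    so the device sees a different rpID and declines to sign.
	phish := NewServer("examp1e.com") // constructed look-alike
	c3, _ := phish.NewChallenge()
	_, phishErr = device.Assert(phish.rpID, c3)
	return genuineOK, replayOK, phishErr
}

func main() {
	genuine, replay, phishErr := Demo()
	fmt.Println("genuine sign-in verified:", genuine)
	fmt.Println("replayed signature accepted:", replay)
	fmt.Println("look-alike site refused:", phishErr != nil)
}
```

Run it with `go run .`; the three printed lines should read true, false, true. The point to take from the model is that nothing the server stores, and nothing that crosses the network, is enough to sign in again.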
“People almost always carry phones with them,” Adler says. “Face ID and Touch ID authentication give you the convenience and biometrics that we can achieve with an iPhone. You don’t have to buy another device, but you don’t even have to get into a new habit.”
Wait, what happens if you don’t use an Apple device?
Let’s say you sign up for a streaming service on your iPhone, but need to sign in to your Roku. What do you do if your Roku doesn’t have Touch ID or Face ID?
The other device displays a QR code that you scan with your iPhone or iPad. iOS then uses Face ID or Touch ID to confirm it’s you before approving or declining the sign-in request from the app or website on the other device.
In addition, if you need to sign in to a service on an iOS device or Mac that isn’t yours, a passkey can be shared via AirDrop.
“The cross-platform experience is super easy,” says Knight. “Suppose you’re someone who has an iPhone, but you want to log in to a Windows computer. You’ll get a QR code that you scan with your iPhone and then use Face ID or Touch ID on your phone.”
In other words, the two devices communicate with each other to verify that you are physically nearby, and then confirm the sign-in.
An unbreakable key ring
In order for Passkeys to work across multiple Apple devices, including iPhone, iPad, Mac, and Apple TV, something needs to sync the information with end-to-end encryption. And that’s where iCloud Keychain comes in.
iCloud Keychain is already used to keep your passwords and other secure information (such as credit cards) in sync across all your devices. But the arrival of Passkeys takes things to the next level.
So what happens if you can’t access your iPhone? iCloud Keychain also makes it possible to recover your passkeys via iCloud if your Apple device is lost or stolen.
That’s why it’s so important that Apple built passkeys on top of iCloud Keychain.
“iCloud Keychain made it possible, and security previously limited to those willing to carry extra hardware with them can be made available to anyone with a phone,” said Adler. “So I think those two things come together in a very special way.”
What’s next for Passkeys
Passkeys are built into iOS 16, iPadOS 16, and macOS Ventura operating systems, but Apple is also working with developers to integrate Passkey support into their apps.
Apple couldn’t share yet which Passkey-compatible apps will be available at launch, but it sounds like there’s already momentum in the background. And it’s not just about ease of use.
“These public keys have no real value. There’s nothing worth stealing,” Adler said. “So that will reduce liability for developers running services… and developers will want to take advantage of this because of the reduced accountability.”
According to Adler, developers have everything they need to implement Passkeys now, and consumers will receive support when they update their Apple devices to the newly released software this fall.
So despite all the previous hype around password killing for good, it could actually happen this time around.
“It’s not a future dream to replace passwords,” Knight said. “This is going to be a path to completely replacing passwords, and it’s starting now.”