Apple Passkeys: Is this the end of passwords?
10 June 2022
Apple is going whole hog in the battle against passwords with the introduction of passkeys. However, in an unexpected alliance, the willingness of other companies to eradicate passwords as well may signal the end of the password … for good!
What are Apple Passkeys?
This week, during Apple’s Worldwide Developer Conference (WWDC), Apple revealed a new login scheme that seeks to replace the use of traditional passwords with a passkey. Apple describe the new scheme as a “more secure, easier to use” alternative to passwords.
Darin Adler, VP of Internet Technologies at Apple, said passkeys are: “A unique digital key that only works for the site it was created for.” Instead of using a password to log into a site, Apple users will be asked to verify their identity using biometric authentication – such as Face ID for facial recognition and Touch ID for fingerprint recognition.
During the WWDC presentation, Apple showed a user creating a new account on a website. They follow the normal first step of entering an email address, but instead of being prompted to create a new password, a window pops up asking the user if they want to create a passkey instead – using Face ID or Touch ID as mentioned above.
There are no further prompts for passwords, passphrases or 2FA (2-factor authentication) – only a passkey. This passkey works cross-platform, which means that user accounts can be synchronised across TVs, tablets, and phones due to the passkey existing on the iCloud Keychain. In this instance, if you are trying to log into an application on your tablet that you have previously verified on your biometric-locked phone, you will see a QR code pop up on your tablet instead. When you scan the QR code with your verified phone, you then validate the tablet.
Apple also confirmed that passkeys are intended to not only operate in browsers as users surf the web but also in applications sold on the app store. Apple passkeys will be available on iOS 16 and macOS Ventura by late 2022.
Passkeys vs phishing
The main benefit of passkeys highlighted at the WWDC presentation is their staunch defence against phishing. Passkeys cannot be phished digitally, as the passkey never leaves your device. They cannot be handed over to hackers running a fake website, nor can they be stolen directly from a server, because they are stored on the user’s device rather than on a traditional web server. The secret is never uploaded to a web server, which makes it far less exposed to compromise.
Passkeys are linked to the website or app they are set up for. This means that users can never be tricked into using their passkey on the wrong website.
Garrett Davidson, Apple’s Lead Engineer on the Authentication Experience Team, said: “Because it’s just a single tap to sign in, it’s simultaneously easier, faster and more secure than almost all common forms of authentication today.”
To create passkeys, Apple worked in conjunction with the FIDO Alliance. This is a trade group that has helped create the standards for not only multi-factor authentication but passwordless logins as well.
The FIDO Alliance explains the security against phishing as follows: “The other important advantage is how no credential data is transmitted from the phone to the website during the login process. Instead, your phone will store a credential called a passkey, which is used to unlock your online account.”
Technically, passkeys use the WebAuthn protocol within the FIDO2 standard to verify login attempts, which means they rely on public-key cryptography to authenticate logins. Like 2FA, this method involves pushing a notification to an authorised device to approve a login; however, these push notifications are end-to-end encrypted rather than being passcode-based text messages.
Passkeys vs SIMjacking
Passkeys would also stop SIMjacking attacks, in which hackers intercept the one-time passcodes sent to your phone via SMS. As passkeys do not use MFA/2FA passcodes at all, there are no one-time codes for nefarious individuals to intercept.
The joint battle against passwords
The most important news here, however, is that FIDO is not only working with Apple on this passwordless future … they are also working with Google and Microsoft on the same thing.
Microsoft has been experimenting with passwordless logins for a while now. Microsoft Hello and Microsoft’s facial recognition on its laptops and PCs have been presented as precursors to this new reality. Google has been trialling and rolling out similar alternatives.
The importance of this joint effort by the tech giants cannot be overstated. If Apple were waging this fight all on its own, we might have seen some pushback and a lack of adoption. However, now that Google, Microsoft, and Apple are all working with the FIDO Alliance on passkeys, a joint effort may finally see the password killed off.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), describes the collaboration between the traditional tech rivals as “the type of forward-leaning thinking that will ultimately keep the American people safer online.”
Apple, Google, and Microsoft are all looking to go live with their passkey protocols on their respective platforms within the next year.
However, one must also heed the warning Apple gave at the end of its WWDC presentation: “The transition away from passwords will be a journey.”
If you would like more information about how The Security Company can support you to minimise the password risks your organisation is facing, please contact Jenny Mandley.