Raise your hand if you hate typing passwords. Okay, now raise your hand if you use the same password across multiple accounts or services. Yes, many people do this and it is one of the top causes of users getting hacked.
Think about it. If someone can get your password for a single service, whether through a data breach, social engineering or a phishing attack, your identity and personal information could be compromised. This can lead to anything from people spying on baby cams to hackers stealing money from your bank account.
Yes, there are alternatives to manually entering passwords, such as the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have joined forces through the FIDO Alliance to try to permanently replace the password. Apple’s implementation is called Passkeys, and it’s coming this fall in iOS 16, macOS Ventura and iPadOS 16.
In an exclusive Tom’s Guide interview, I got the chance to talk to Kurt Knight, Apple’s senior director of platform product marketing, and Darin Adler, Apple’s VP of Internet Technologies, about how passkeys work and how they could really make passwords a thing of the past.
What the heck are passkeys and how do they work?
Passkeys are unique digital keys that are easy to use, more secure than passwords, never stored on a web server, and stay on your device. The best part? Hackers cannot steal passkeys in a data breach or trick users into sharing them.
“Passwords are key to protecting everything we do online today, from everything we communicate to all of our finances,” Knight said, “but they’re also one of the biggest attack vectors and security vulnerabilities that users face today.”
That’s why Apple has been pushing so hard for an alternative. Passkeys use Touch ID or Face ID for biometric verification and iCloud Keychain to sync between iPhone, iPad, Mac and Apple TV with end-to-end encryption.
Other companies have tried replacing passwords with dedicated hardware like a physical security key, but that’s mostly focused on enterprise users. It also added another layer of complexity. Passkeys stand a real chance because they use a device you already have.
Passkeys are based on what is known as public key cryptography. There is a private key, which is secret and stored on your device, and a public key, which is stored on a web server. Passkeys make phishing impossible because you never present the private key; you just authenticate yourself with your device.
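The private-key/public-key exchange described above, as an added example (not Apple's code and not the real WebAuthn message format): the server stores only a public key, and the device signs a fresh challenge together with the site origin it sees, so a signature produced on a lookalike site or replayed from an earlier sign-in is rejected. The function names, result strings and `.example` origins are assumptions made for illustration.

```javascript
// Simplified model of a passkey sign-in. Added illustration only: this is
// not the real WebAuthn message format, and all names here are hypothetical.
const nodeCrypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key leaves it.
function createPasskey(origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    device: { privateKey },                // never sent anywhere
    serverRecord: { origin, publicKey },   // all a data breach could expose
  };
}

// Server side: a fresh random challenge for every sign-in attempt.
const newChallenge = () => nodeCrypto.randomBytes(32).toString('base64url');

// Device side: sign the challenge together with the origin the browser sees.
function signAssertion(device, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check origin, challenge freshness, then the signature itself.
function verifyAssertion(record, expectedChallenge, { clientData, signature }) {
  const { challenge, origin } = JSON.parse(clientData);
  if (origin !== record.origin) return 'origin-mismatch';
  if (challenge !== expectedChallenge) return 'stale-challenge';
  const ok = nodeCrypto.verify('sha256', Buffer.from(clientData), record.publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario using reserved .example domains.
function demo() {
  const site = 'https://shop.example';
  const { device, serverRecord } = createPasskey(site);
  const [c1, c2, c3, c4] = [1, 2, 3, 4].map(newChallenge);
  const stranger = createPasskey(site).device;   // a different key pair
  return {
    genuine: verifyAssertion(serverRecord, c1, signAssertion(device, c1, site)),
    lookalike: verifyAssertion(serverRecord, c2,
      signAssertion(device, c2, 'https://shop-login.example')),
    replayed: verifyAssertion(serverRecord, c3, signAssertion(device, c1, site)),
    wrongKey: verifyAssertion(serverRecord, c4, signAssertion(stranger, c4, site)),
  };
}

console.log(demo());
```

In a real browser the passkey for one site is not even offered on a different origin; the server-side origin check modelled here is the second line of defence behind that.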
“People almost always have phones with them,” says Adler. “Face ID and Touch ID verification give you the convenience and biometrics that we can get with an iPhone. You don’t have to buy another device, but you don’t have to develop a new habit either.”
Wait, what happens when you’re not using an Apple device?
Say you sign up for a streaming service on your iPhone but need to sign in to your Roku. What do you do if your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to confirm that you’re trying to sign in before the request to the app or website running on the other device is accepted or denied.
Additionally, if someone tries to sign in to a service using an iOS device or Mac that you don’t own, passkeys can be shared via AirDrop.
“The cross-platform experience is super easy,” said Knight. “Suppose you have an iPhone but want to log in on a Windows machine. You can go to a QR code, which you can then just scan with your iPhone and then use Face ID or Touch ID on your phone.”
In other words, computers talk to each other to make sure you’re nearby for security, and they confirm you’re logged in.
An unbreakable keychain
For passkeys to work across multiple Apple devices — including the iPhone, iPad, Mac, and Apple TV — there needs to be something in place to sync the information with end-to-end encryption. And that’s where iCloud Keychain comes in.
iCloud Keychain is already used to keep your passwords and other secure information (like credit cards) in sync across your devices. But the introduction of Passkeys takes things to the next level.
So what happens when you don’t have access to your iPhone? iCloud Keychain also allows you to restore your old keys via iCloud if your Apple device is lost or stolen.
This is why it is so important that Apple built passkeys on iCloud Keychain.
“iCloud Keychain has made it possible, and security that was previously limited to people willing to carry extra hardware can be made available to anyone with the phone,” Adler said. “So I think those two things come together in a very special way.”
What’s next for Passkeys
Passkeys will be built into the iOS 16, iPadOS 16, and macOS Ventura operating systems, but Apple is also working with developers to add Passkey support to their apps.
Apple hasn’t been able to share which Passkey-compatible apps will be available at launch, but it sounds like there’s already some momentum in the background. And it’s not just about usability.
“These public keys have no real value. There’s nothing worth stealing,” Adler said. “So that will reduce liability for developers running services… and developers will want to take advantage of that because of the reduced liability.”
According to Adler, developers have everything they need to start implementing Passkeys now, and consumers will have support when they update their Apple devices to the newly released software this fall.
Despite all the previous hype about getting rid of passwords for good, it could really happen this time.
“This isn’t some future dream to replace passwords,” Knight said. “This will be a way to completely replace passwords, and it’s starting now.”