Apple 'passkeys' support in macOS Ventura and iOS 16 promises a passwordless future

Cal Jeffrey

In context: Apple highlighted many new features coming to the next major iteration of macOS — Ventura — and iOS 16 at WWDC 2022. One of the more intriguing ones is Passkeys, which look to replace passwords for any websites and apps requiring authentication.

Just about anyone will tell you that creating and maintaining safe, hard-to-break passwords is a pain in the backside. Password managers are helpful for remembering and automatically entering credentials, but even they are not 100-percent foolproof. Even the most secure passwords are worthless if leaked in a data breach, especially if the password to your password manager leaks!

Apple thinks it has a way to authenticate users securely without the need to remember complicated passwords and worry about changing them frequently. Passkeys rely on biometrics to sign Safari users into websites without the possibility of having their credentials stolen.

"Passkeys are unique digital keys that stay on-device and are never stored on a web server, so hackers can't leak them or trick users into sharing them," Apple said. "Passkeys make it simple to sign in securely, using Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across Mac, iPhone, iPad, and Apple TV with end-to-end encryption."

However, Apple says that the technology is not limited to just Safari users. It works in apps and on non-Apple devices--that is, as long as you have an iPhone with Touch ID or Face ID. In other words, you could sign in to your bank's website from your PC running Chrome by scanning a QR code with your iPhone.

The feature essentially turns your device into a physical authentication key. Although passkeys sync across all of a user's Apple devices via iCloud Keychain, they remain on-device when logging into a website or app and are never stored in a database to be leaked or breached.

There are some limitations to the feature, however. Mainly, it is only compatible with Macs built later than 2017 or 2018 running Ventura, and iPhone 8 and iPhone SE second generation or later with iOS 16 installed.

Passkeys are part of an initiative started by Apple, Google, and Microsoft last month to switch to passwordless authentication methods developed by the FIDO Alliance, which is part of the reason it works across different platforms. Google and Microsoft should be close to revealing their versions of the technology since all three companies promised implementation before year's end.

Passkey availability began on Monday with the macOS Ventura beta release to those in the Apple Developer Program. A public beta begins next month, with the final stable release of Ventura following this fall.
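
What "never stored on a web server" means in protocol terms, as an added example that is not from the article or from Apple: a simplified model of a FIDO-style challenge-response login, in which the site keeps only a public key and the device signs a one-time challenge tied to the site's origin. The class names, the `origin|challenge` message layout and the `.example` origins are assumptions made for illustration; real WebAuthn messages are structured differently.

```javascript
// Added example: simplified FIDO-style passkey login; names and origins are constructed.
const crypto = require('node:crypto');
// Device side: one key pair per site. Private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this goes to the site
  }
  // `origin` is the page the browser is actually on, not what the page claims.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey is scoped to this origin
    return crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), key);
  }
}

// Server side: stores public keys only and issues single-use challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.db = new Map(); this.pending = new Set(); }
  enroll(user, publicKeyPem) { this.db.set(user, publicKeyPem); }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(user, challenge, signature) {
    const fresh = this.pending.delete(challenge); // consumed even when the check fails
    const pem = this.db.get(user);
    if (!fresh || !pem || !signature) return false;
    return crypto.verify('sha256', Buffer.from(`${this.origin}|${challenge}`), pem, signature);
  }
}

function demo() {
  const site = new RelyingParty('https://bank.example');
  const phone = new Authenticator();
  site.enroll('alice', phone.register(site.origin));
  const c1 = site.newChallenge();
  const sig = phone.sign(site.origin, c1);
  const login = site.verify('alice', c1, sig);
  const replay = site.verify('alice', c1, sig); // challenge already used
  const c2 = site.newChallenge();
  const phished = site.verify('alice', c2, phone.sign('https://bank-login.example', c2));
  const stale = site.verify('alice', site.newChallenge(), sig); // old signature, new challenge
  const leak = [...site.db.values()].some((pem) => pem.includes('PRIVATE KEY'));
  return { login, replay, phished, stale, leak };
}
```

Only `login` comes back true: the replayed assertion, the look-alike origin and the reused signature are all rejected, and a dump of the site's database contains no private key.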


 
...And then what happens when someone hacks Apple themselves? Or forget hacking, what happens when government agencies force Apple to give out passwords? And Apple saying they'll fight them in court to not do so is all well and good if we even get to know about it. Remember that we could have secret proceedings they're not allowed to disclose at all, so you wouldn't know.
 
I understand your cynicism, being a cynic myself who believes the internet ruins everything. However, I'm not entirely sure you read the article because your assumptions don't match up with the reported facts.

"...And then what happens when someone hacks Apple themselves?"
Nothing because the passkeys are stored on-device, not on Apple servers or any third-party server.

"...what happens when government agencies force Apple to give out passwords?"
Again, nothing. There are no passwords to give out. Authentication occurs through an authentication token store on the device. Not only is there no password, there is no way for Apple to retrieve the passkey.

The rest is just speculative and conspiratorial. I agree with you on secret proceedings and so forth. We've seen it happen. We've seen the FISC and FISA abused just recently. However, what-iffing the situation is counterproductive. What should Apple do? How is storing regular passwords on, say, a password manager any more secure than not having passwords to phish, crack, or leak at all? What if the government compels 1Password to hand over all its passwords? We could argue that all day. It's a strawman proposal.
 
How is storing regular passwords on, say, a password manager any more secure than not having passwords to phish, crack, or leak at all? What if the government compels 1Password to hand over all its passwords?
I'll answer in two parts, but I'll address this bit first: Password managers, while not a great idea, have the benefit of being numerous services, often none of them being a really big target. Apple, however, sells billions of devices, so that fact alone, no matter how much they try to secure things, makes them a more desirable target.

As to some of your other rhetorical questions:

What should Apple do?

Why is that your question? Why does Apple need to do anything at all regarding becoming a password manager almost by default? What's wrong with other people running password manager services? With trusting other companies or other entities with as much or as little biometric information as possible, why does it have to be Apple, and your questions suggest that they have to do this?

See, the answer has nothing to do with security and everything to do with Apple wanting to force as many people as possible into their ecosystem. They just want to make sure they sell you Apple products and only Apple products, in perpetuity, to as many people as possible beyond what's practical, desirable and beyond the point in which it would stifle tech progress overall because they'll be the only ones in control of everything: all of your passwords, all of your apps, all of your websites, even your banking and paying options, your financing and even a credit card. No car could be anything but Apple, and soon enough, if they had their way, you wouldn't even be able to start your car without an Apple product as the key because hey, it's convenient and just trust us, right?
 
Other companies do that too. Google is just as much about forcing you into its own ecosystem. Apple is more aggressive about it, I agree. But take the Epic Games suit as an example. It's not all about Apple. Epic is suing Google too.

Additionally (and again), this is not a password manager. It's an authentication tool like any other. No different than a USB fob, actually. And it's a tech that is also being developed by Google and Microsoft. So Apple is not a lone outlier on this. It's just the first to get it out so far.

As far as why should any of them, including Apple, do this--because why not? Quite frankly, whether I own an iPhone or an Android; whether I use Chrome, Safari, or Edge; I would rather use my phone as an authentication device than a separate USB fob.

Ecosystems suck no matter whose court you are in, but unless you are using a 1990s flip phone, you might as well have the same functionality on whatever device you have--which is coming this year if all goes as planned. Using FIDO's protocol means it doesn't matter what device you own, passkeys will work.
 
Not sure there's much to discuss; we seem to mostly agree except for a few details:

1) I personally think it is always important to think about customer entrapment, which is what I would really call the 'ecosystems' of these companies.

2) Google no doubt would try to do this as well with a Chrome password manager. Even smaller players like Firefox do it too so they can easily expand into competing services using the same or alternate protocols and such. In the case of Google, I wouldn't actually argue in their favor and would be just as critical if it was Google in the news article.

I also appreciate your closing remarks about ecosystems because yes, they can be convenient (to the point that it is always near the top of the design goals list), and that's why most people willingly and even enthusiastically opt into them, and I don't blame any one individual person for making that choice. I just think it is possible to also have a conversation about this extreme convergence of control some companies like Apple or Google (or Facebook or Amazon, etc.) are able to achieve, as to me we're basically there in terms of a digital dystopia.
 
Agreed. In a perfect world, I suppose that there would be no corporate ecosystems, but that is also not realistic. Apple has one. Google has one. Sony and Xbox. Hell, you could even argue that Microsoft had a forced ecosystem with Windows coming pre-installed for decades with no other options. But the fact is if they all cooperated and opened their systems up they would not be as good because they'd be competing against themselves.

Regardless of how "locked-in" you might feel as a consumer, you are still the consumer and have ultimate control of your wallet. People switch from Apple to Android--probably daily. Yeah. You have to say buh-bye to all those apps you bought, but if Company B is offering something that is better enough to make you want to switch, it has done its job.

Plus, there is nothing stopping Company A from winning its customers back with something even better. The good news is that when those customers go back they still have all their purchases available. So without proprietorship, we wouldn't have nice things, just a bunch of mediocre, half-assed garbage--and there is already enough of that even with corporate ecosystems.

Good discussion btw. Enjoying it. :)
 