Apple’s upcoming iOS 15 and macOS Monterey will preview a new feature called “Passkeys in iCloud Keychain,” an attempt to replace passwords with a more secure login process. Instead of logging into an app or website with a text string, a WWDC presentation showed how to use Face ID, Touch ID, or a security key to access it instead. The passkeys are then synced to iCloud on your Apple devices.
While passwords are currently the most popular way to secure accounts, they are plagued with numerous problems. Passwords can be phishing, forgotten, and insecure if not used correctly (think of the number of times you’ve been tempted to reuse one for multiple accounts). But Apple thinks its new Passkeys solution can solve these problems, as shown in the comparison chart below.
In a demonstration, Apple showed how the new feature could remove the need to ever create a password to log into an app or website. Instead of creating a username and password during the login process as normal, Apple authentication expert Garrett Davidson simply enters a username and has the app register its Face ID as a password. He then showed how he can use Face ID in the future to log into the app, or even log into his account via the service’s website. It also works on Macs with Touch ID.
The functionality rests on the WebAuthn standard, which Apple, Google, Microsoft and others have slowly added support for over time. Last year, Apple added support to offer passwordless logins in Safari in iOS and macOS. But the new approach goes deeper: WebAuthn integrates into an app’s sign-up process and syncs your credentials across Apple devices via iCloud.
Behind the scenes, WebAuthn uses public key cryptography to let you log in without your private data ever leaving your device. Instead, your phone or computer just sends a “signature,” which proves your identity without having to share your secret private key.
Apple admits that the feature is still in its infancy. It will be released in preview only this year and will be disabled by default in iOS 15 and macOS Monterey. Developers can enable it, but it is not intended for widespread use. There’s also the obvious limitation that the feature relies on iCloud to function, so you’re out of luck if you have to log into the same service on a Windows or Android device. Apple admits this is a problem, but suggests it is working on improving cross-platform support in the future. Apps and websites should also enable support for the new process.
But the move is another sign of the growing momentum behind password dumping. Microsoft has announced plans to make Windows 10 passwordless, and Google has been working on making it possible to sign in to its services without a password.