Whether it means artificial intelligence or Apple intelligence, AI is the hot news of the day. That’s why I think it’s time to talk about (sits backwards in a chair) passwords.
It may have been buried in reports from last night’s Apple event, which the invaluable Kari Paul and Nick Robins-Early covered for us from Cupertino and New York, but one of the biggest changes coming to the company’s platforms Over the next year is the creation of a new Passwords app.
The average user has probably never heard of 1Password or LastPass, and may or may not know that the iPhone can automatically create and store passwords for them. For users like this, a new Passwords app that will appear on your iPhone’s home screen this fall is expected to lead to a more secure computing future.
The straightforward version of this is that it’s a minimal change. Almost everything the new passwords app will do is already on iOS and macOS, simply buried in the settings menus. Unless you’ve actively decided to do something different, if you use either platform you should be able to go to the system settings app, scroll down to Passwords, and after authenticating with your face or fingerprint, see a nice list of all. login you have over the Internet.
Apple has not neglected service either. In the years since its release, it has turned it into a full-featured password manager: it will perform a light security audit and warn you about hacked or reused passwords; allows you to share details with family members, saving you from having to send sensitive data via email; It even allows you to import and export the database, which is still a rarity for the company.
But splitting the service into its own app is still an important act. Because the problem Apple is trying to solve has nothing to do with passwords at all, but rather identity.
Last week I sat down with Steve Won, product manager at 1Password, a password management app with a long history on Apple platforms. “The way we manage digital identity is just a disaster,” Won said. “Effectively, I have no identity: there are just random databases around the world with my information. My credit card information, my banking information, my university probably still has my information, etc.
Passwords are the oldest and most popular way to solve the identity problem on the Internet. You show who you are by sharing something only you know. But they also have big, obvious problems: Simply existing in the developed world requires creating more passwords than one can reasonably remember, which pushes people to reuse them. Password reuse means that the loss of a single password can lead to devastating subsequent attacks. Trying to memorize a unique password for each account forces passwords to be short enough to be guessed by brute force.
All of which leads, inexorably, to the creation of password managers. Despite competing directly with Apple in this space (a position no one would choose to be in), Won is optimistic. “Every time Apple and Google have made a big push into password manager, it’s been like our biggest month of progress,” he says. Billing 1Password as “the Aston Martin of password managers,” he argues that anything that makes it clear to users that they should stop memorizing or reusing passwords is a plus. “The total addressable market for a password manager should really be seven and a half billion people.”
But even a password manager can’t fix passwords. Tying increasingly valuable systems to a string of easily stolen or spoofed characters is a recipe for problems. Two-factor authentication solves some of the problems, but also introduces new ones. And that’s why the industry has started looking at what comes next: access keys.
You may remember when we talked about them two years ago. From the TechScape archives:
A slight improvement in your daily life. That’s what Apple, Google and Microsoft are offering, with a rather rare triple announcement that all three tech giants are adopting the Fido standard and ushering in a password-free future. The standard replaces usernames and passwords with ‘access keys’, login information stored directly on your device and only uploaded to the website when combined with biometric authentication such as a selfie or fingerprint.
However, since its launch in 2022, passcodes have not set the world on fire. Part of this is because they have been slow to roll out: only a handful of sites support them, with 1Password. listing 168 in your directory – but it’s also because early adopters have been burned. Australian hacker William Brown is emblematic of that reaction:
Last night around 11pm my partner went to change the lights in our living room using our house’s light control system. When you tried to log in, your account could not be accessed. Your Apple keychain had removed the passcode you were using on that site… Like ad blockers, I predict that passcodes will only be used by a small subset of the technical population, and consumers generally use them. they will reject.
The same things that make passwords insecure—the fact that they’re human-readable, that you can copy and paste them in plain text, that you can physically say them over the phone—also make them feel controllable. Passwords, on the other hand, require you to put all your trust in the system, and after the last few years, you may not have that much trust left.
However, for 1Password’s Won, change is still an opportunity. “Apple, Microsoft and Google have been very, very open to engaging in dialogue with us, because they realize that passcodes will only work if they work everywhere and consistently. They recognize that they won’t be the best at multiplatform, right? We can store access codes and use them on all surfaces. “It’s not just a security benefit, it’s also a speed benefit – passcodes allow you to skip email verification and password setup, so it’s a better user experience.”
It’s important to get it right, because “identity” is about to get a lot more confusing. Take Zoom’s CEO’s pontifications:
Zoom users in the not-too-distant future could send AI avatars to attend meetings in their absence, the company’s CEO suggested, delegating the heavy lifting of corporate life to a system trained on its own content.
In practice, such a system is very far from reality. Or, at least, if we really have AI systems that can meaningfully assist a meeting in your absence, then Zoom calls are pretty low on the list of things that would radically change.
But AI systems that can play your part well enough to fool people for a moment are very real. OpenAI’s latest speech synthesis system has not been made public because the company believes its flagship capability (convincingly imitating a voice with just 15 seconds of sample audio) is too dangerous to be widely available. But he knows he won’t be able to hold back the tide for long and is advertising what technology can do to try to promote the security objectives that it considers necessary:
• Phasing out voice-based authentication as a security measure for accessing bank accounts and other sensitive information.
• Explore policies to protect the use of individuals’ voices in AI.
• Educate the public to understand the capabilities and limitations of AI technologies, including the possibility of misleading AI content.
Like I said: Whether we’re talking about passwords, Apple intelligence, or artificial intelligence, in the end it all comes back to identity. How can I prove that I am who I say I am? How can I even prove that I am a self? Wherever we go, a 16-character password is not enough.
