Towards A Passwordless Web With Apple Passkeys

Apple is about to release a next-generation authentication technology called Passkeys. According to Apple, this solution will not only improve the user experience but also rule out several security risks, such as credential leaks and phishing.

The problems with passwords

Passwords have been the standard authentication mechanism for decades. From login pages to lock screens, they have been used everywhere.

There is a problem with passwords though. You must remember them.

According to a study commissioned by NordPass, the average person has to remember around 100 passwords. Oh, and I almost forgot that passwords must be strong and unique. They must be at least 15 characters, with numbers and all sorts of weird characters.

The solution to this problem came with password managers. They remember all the passwords for you.

But wait, is there a better solution that tackles this problem? According to Apple, this solution is called passkeys.

Introduction to passkeys

Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.

This is one of the first sentences I have read about passkeys on Apple’s official website. It seems awesome.

Let’s break down this sentence.

  • Passkeys replace passwords. They rely on biometric authentication, like Touch ID or Face ID. Your Apple device is called the authenticator. For each account, the authenticator generates a public-private key pair, and it shares the public key with the service.

  • Passkeys are faster to sign in with. Instead of filling in two fields, whether automatically or manually, and then waiting for the one-time code, with passkeys you just have to click on the form and log in.

  • Easier to use. Passkeys are automatically generated by your device. They are automatically synced using iCloud Keychain. You have to do nothing. Just tap and sign in.

  • More secure. Passkeys rely on multiple layers of security. First, they are based on asymmetric (public-key) cryptography. Second, they are synchronized using iCloud Keychain, which is end-to-end encrypted with strong cryptographic keys not known even to Apple. Plus, access to iCloud Keychain is rate-limited to prevent brute-force attacks, even from within the cloud infrastructure. Third, any Apple ID using iCloud Keychain requires two-factor authentication.

It’s important to emphasize that you don’t share any password with the services you sign in to. You share a public key, and it’s not that valuable without the private key, which is end-to-end encrypted on your device.
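The model described above, as an added sketch in Node.js (not Apple's code and not the WebAuthn wire format): the device keeps one private key per site, the service stores only the public key, and sign-in is a signature over a fresh challenge. The class names, the `shop.example` origin and the user `alice` are constructed, and the challenge and origin checks go slightly beyond what the text spells out.

```javascript
// Added example: simplified passkey model. Names and origins are constructed.
const crypto = require("node:crypto");

class Authenticator { // the user's device
  constructor() { this.keys = new Map(); } // site hostname -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(new URL(origin).hostname, privateKey); // stays on the device
    return publicKey; // the only thing the service receives
  }
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no passkey exists for this site
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("hex") });
    return { clientData, signature: crypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

class Service { // the website being signed in to
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge.toString("hex"));
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    const publicKey = this.users.get(user);
    if (!assertion || !expected || !publicKey) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Service("https://shop.example");
  site.enroll("alice", device.register(site.origin));
  const good = device.sign(site.origin, site.newChallenge("alice"));
  const login = site.verify("alice", good);
  // Look-alike page: the device has no key for that hostname, so nothing is signed.
  const phished = site.verify("alice", device.sign("https://shop-example.test", site.newChallenge("alice")));
  site.newChallenge("alice");
  const replayed = site.verify("alice", good); // old assertion, new challenge
  return { login, phished, replayed, stored: site.users.get("alice").type };
}
console.log(demo());
```

The `stored` field shows what a leak of the service's database would expose: a public key, which cannot produce a valid signature.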

Launch date

Passkeys have been available since iOS 15 and macOS Monterey, but only in a developer preview. With macOS Ventura and iOS 16, Passkeys will be available to everyone.

iOS 16 will be released Monday, September 12. Then, both iPadOS 16 and macOS Ventura will roll out during October.