Apple's PassKeys update could make traditional passwords obsolete

Sometimes it seems like passwords have been with us forever, and yet every year we’re reminded how we still don’t^[1] use them properly!

The annual publication of the “worst passwords” list^[2] shows we haven’t become much more password savvy over the decade. And while several replacements for the humble password have been proposed, none have come close to the ease of using the traditional method.

But this changes today with the introduction of Passkeys – an update in Apple’s latest iOS 16 operating system. Passkeys could be the long-awaited solution to password malpractice, and the near-constant problem of compromised credentials.

Read more: This New Year, why not resolve to ditch your dodgy old passwords?^[3]

What’s wrong with passwords?

The problem with passwords has been well documented. We choose weak ones, write them down (for others to see), share them, and re-use them on multiple websites.

The last of these is particularly problematic. Once your details are breached (and subsequently leaked), they’re vulnerable to “credential stuffing” – where cybercriminals take a set of login credentials and try them on multiple websites.

“But I use a password manager,” you might say.

Well, that’s good. The standard advice for years has been to use password managers such as 1Password or LastPass. These let you create unique passwords for each website or service you use. So even if a website is compromised, only one password is revealed.

But this approach requires the ability to synchronise across all your devices – a feature not all password managers provide.

And even with a password manager, our passwords are still stored on the remote website we’re accessing. Although most websites store passwords in a secure (hashed) format, they are still routinely compromised^[4]. It’s estimated more than two billion sets of credentials^[5] (including passwords) were leaked online^[6] in 2021.

Along come Passkeys

Apple devices using the newest operating system release (iOS 16 or MacOS Ventura) will integrate a new password mechanism called Passkeys. Unfortunately iPad users will need to wait a little longer^[7] for the feature.

It’s worth noting you won’t be forced to use Passkeys, but your Apple device will prompt you with the opportunity to do so. Also, most websites will continue to support password access for people without the latest devices.

You’ll also have the option to use Apple’s secure cloud storage, iCloud, to back up your keys and share them across your Apple devices.

How do they work?

The concept behind Passkeys is relatively simple^[8]. Every website you elect to use Passkeys on will securely generate a unique pair of secret codes (referred to as “keys”).

One of these is a public key, stored on the website you’re registered on. The other is a private key stored on your device. Both keys are related, but one can’t be used to get the other.

When you attempt to log in to the website, instead of entering a password, your device will ask you to verify your login using your device’s biometric unlocking mechanism. So you’ll either scan your face or your finger.

This deliberately limits Passkeys’ functionality to devices with biometric support (iPhones have offered Touch ID since 2013 and Face ID since 2017).

Read more: The iPhone turns 15: a look at the past (and future) of one of the 21st century's most influential devices^[9]

Once your biometrics are verified, your device will use your private key to prove your identity to the website by tackling a complex mathematical “challenge” issued by the site. At no point is your private key sent across the internet to the website.

The response from your device can only be verified by the website, using the public key generated when you registered. And nobody can pretend to be you without your private key, which is safely stored on your device.

If a website is compromised, the public key alone is useless to cybercriminals.

References

1. ^{^} still don’t (theconversation.com)
2. ^{^} list (en.wikipedia.org)
3. ^{^} This New Year, why not resolve to ditch your dodgy old passwords? (theconversation.com)
4. ^{^} routinely compromised (theconversation.com)
5. ^{^} sets of credentials (www.forgerock.com)
6. ^{^} leaked online (haveibeenpwned.com)
7. ^{^} little longer (9to5mac.com)
8. ^{^} relatively simple (support.apple.com)
9. ^{^} The iPhone turns 15: a look at the past (and future) of one of the 21st century's most influential devices (theconversation.com)
10. ^{^} relatively (www.macrumors.com)
11. ^{^} difficult (www.ccc.de)
12. ^{^} be compatible (www.fastcompanyme.com)
13. ^{^} fall short (doi.org)
14. ^{^} Four ways to make sure your passwords are safe and easy to remember (theconversation.com)