One of the exciting outcomes at this year’s Worldwide Developers Conference was the introduction of passkeys, a unique feature coming to Apple devices that let creators present a passwordless sign-in experience to users. This also means the first step towards the death of traditional passwords.
There’s no doubt that we’ve come a long way over the past few years regarding digital security. We’ve bid farewell to obvious passwords like ‘pa$$w0rd123’ and hello to more secure options like touch ID and two-factor authentication. However, the fact is that logging into and handling our online accounts is still complex and cumbersome.
With the upcoming iOS 16 and macOS Ventura, Apple desires to change that and used its Worldwide Developers Conference keynote speech to notify passkeys, scheduled to substitute conventional passwords and begin a new age of user authentication. A new report has uncovered that cybercrime will cost the world $10.5 trillion annually by 2025, and the recent COVID-1 9 pandemic only supplemented the threat. A study from Deloitte found that nearly half of people have fallen for phishing hoaxes while working at home, with hackers becoming increasingly clever in getting users to hand over their particulars. Last year, 24 billion passwords circulated onto the dark web in one of the biggest cyberattacks in history. With consumers devouring more time and performing more personal activities online than ever before, from telemedicine to banking and online dating, the stakes are high.
We’ve heard of alternatives to passwords for several years. Though we’ve seen features like SMS two-factor authentication and features such as Sign In with Google and Sign in with Apple, logging into your accounts is always tedious and time-consuming. Apple seems to have cracked the code with its latest tech, proposing passwordless entry to your accounts across iPhones, Macs, iPads, and Apple TVs later this year. Instead of using a password, you’ll be able to log into online accounts using ‘passkeys.’ Instead of memorizing passwords for dozens of accounts or employing a password managing tool like LastPass, passkeys replace passwords using Face ID and Touch ID. When you attempt to log back into that website or app, Passkeys will help you establish your identity using biometric information rather than having to type in a password.
In addition, these passkeys will sync across all of your devices using the iCloud keychain. Because keys are stored on your device rather than on Apple’s servers with end-to-end encryption, the possibility of them entering into the wrong hands is much lower. Moreover, Apple utilizes Web Authentication API (WebAuthn) for additional security and peace of mind – with many under-the-hood benefits.
If passkeys are widely adopted, they could mark a profound step ahead for online security and lessen the prospects of phishing invasions. After all, passwords cannot be embezzled if they don’t exist in the first place. Because every account will have a distinct passkey, you also don’t have to stress about someone discovering your ‘master password’ and suddenly holding access to all of your accounts. A study conducted by Google with Harris Poll discovered that 13 percent of users reuse the same password across all accounts, and a further 52 percent use the exact one for multiple accounts. Only 35 percent use a unique password for every account.
The fact is that Apple’s vision for a passwordless future isn’t exactly fresh: techniques like this have been attempted in the past. But what is new is that the world’s biggest technology enterprise is adopting the concept, which could make a real difference. Apple first teased passkeys at last year’s WWDC conference, and The FIDO Alliance has also been working on the prototypes that are required to substitute passwords for many years. Passkeys are Apple’s execution of these standards, which could help other tech giants like Google pursue the suit.
Indeed, earlier in the year, Apple, Microsoft, and Google all proposed their consent for the new FIDO standards, which will unify any possible future implementations and ensure that customers are safeguarded. Microsoft has already adopted them by letting users replace their passwords with one-time login codes and links. Google, too, has experimented with passwordless technology, setting out its own journey earlier this year. Provided all of these corporations execute the same idea, it should be feasible to use your iPhone to log into Windows PCs and vice versa. FIDO’s norms mean that tech companies must function collaboratively; passkeys could be a universal tech soon.
THE APPLE INFLUENCE
One of the most exciting things about passkeys is that they are devised by Apple, implying that the implementation on iOS apps and websites is likely across-the-board. We have already seen this in the case of ‘Sign In With Apple.’ Apple launched Sign In With Apple just a few years ago, and the button can now be seen on millions of websites and apps worldwide, allowing consumers to log in to services and apps using their iPhone or Apple Watch. In addition, apple states that passkeys were “designed to be convenient and accessible from all devices used on a regular basis” and adds that they are rate-limited to help control brute-force attacks, even from a privileged position on the cloud backend. What’s even good to mention is that they are recoverable even if the user loses all their devices through the iCloud keychain.
Further protecting users’ data is the fact that any Apple ID using an iCloud keychain mandates two-factor authentication. This not only offers users peace of mind that their passkeys can’t enter into bad hands easily, but it also shields developers and companies from the possibilities of cybersecurity breaches on their end. This is the primary basis the passkey technology will be favored once implemented.
Although some features are yet to be uncovered, Apple has already shared a few details on how passkeys would function if a user lost their iPhone or Mac. Apple says passkeys can be retrieved through iCloud keychain escrow, which is also shielded against brute-force attacks. iCloud Keychain escrows a user’s keychain data with Apple without permitting Apple to read the passwords and other data it holds. The user’s keychain is encrypted using a robust passcode, and the escrow service only delivers a copy of the keychain if a strict set of requirements is fulfilled. Users must first authenticate with their iCloud account, answer an SMS, and then enter a device passcode. After several failed tries, users must call Apple Support for additional access attempts, and eventually, if more failed attempts are made, the data will be deleted. It is also possible to make someone an account retrieval contact.
