Apple's passkeys could be better than passwords. Here's how they'll work. – Popular Science

Passwords stink as a security system. Humans are flat-out terrible at creating long, unique, secure passwords. Most of us reuse the same short strings of meaningful information again and again, and even a strong password is only as safe as every place it is typed or stored. Social engineering attacks like phishing can con people into handing over even the longest of passwords, and passwords can be leaked wholesale when a service's account database is breached (especially if it stored them unhashed). This is a big problem for tech companies, who are on the hook for keeping your data safe, not to mention the individuals who suffer the resulting privacy breach. So Apple, Microsoft, Google, and the other companies in the FIDO Alliance have set out to develop a better solution called passkeys.

At its Worldwide Developers Conference (WWDC) this week, Apple announced its implementation of the newly agreed-upon passkey standard. It will roll out with iOS 16 and macOS Ventura, so it's the first real-world look we've had at the long-promised password-less future (the FIDO Alliance, an industry group dedicated to solving the world's password problem, has been working on this for a decade).

In the WWDC keynote, Apple's vice president of internet technologies, Darin Adler, called passkeys a "next generation credential that's more secure, easier to use, and aims to replace passwords for good." That's actually a pretty good summary, and it doesn't even oversell it.

So how will they work? Passkeys are built on the Web Authentication (WebAuthn) standard, which uses public-key cryptography to secure your accounts. It's the same idea that underlies end-to-end encryption in iMessage, Signal, and other secure messaging apps. Instead of creating a password for an account, your device generates a unique pair of mathematically related keys: a public key and a private key. The public key is stored on the server (because, as the name suggests, it's not a secret) and lets the website or app verify that whoever is logging in holds the matching private key: at login the server sends a fresh random challenge, your device signs it with the private key, and the server checks that signature against the stored public key. The trick is that, because of how the math works, the private key never has to be sent to the server. Your device can prove it has the key without ever revealing it. It's neat tech, and it has serious security implications.

Although passkeys might sound complicated (and the underlying cryptography is indeed complex), in practice they will make signing up for new accounts even simpler. You will just use Touch ID or Face ID, and your iPhone, iPad, or Mac will do the rest. You don't have to come up with a long password, add in a few $s and &s, and then try to remember it. You won't even see your public or private keys. It's all done in the background, which takes the squishy, unreliable human element out of things.

Also, passkeys can't be phished the way passwords can. Your public key for any given site isn't privileged information. All that matters is the private key, which never leaves your device. On top of that, a passkey is tied to the website it was created for, so a fake website designed to impersonate your bank, eBay, or some other account can't trick you into giving it up: your device has no passkey for the impostor's address, and the signature it produces for a real login includes the site's origin, so it can't be relayed to the genuine site either. The fake can put up a login prompt, but it just won't get anything it can use.

Apple's implementation of passkeys, at least as described in the supporting docs and the WWDC talk, sounds solid. Passkeys will be synced between your devices using iCloud Keychain (which is itself end-to-end encrypted). Even Apple won't have access to your private keys.

The system has been designed so that your logins stay safe even if your Apple ID is compromised, you lose all your devices, or a rogue Apple employee tries to hack the iCloud Keychain servers. It requires two-factor authentication on your Apple ID, which makes it much harder for an attacker, even one who knows your iCloud password, to set up your passkeys on a new device. There's also a system called iCloud Keychain escrow that handles restoring your keychain if you lose all your devices; it is designed to resist brute-force attacks, even ones mounted by Apple.

While we're still waiting to see how Microsoft, Google, and the other big tech companies roll out passkeys, they have all pledged to make them interoperable across as many different devices as possible. We got a hint of that in the WWDC announcement when Adler demonstrated using an iPhone to log in to a website on another machine by scanning a QR code. That would let you do things like check your email on a friend's computer or print something in a hotel without typing a password.

In short, this looks to be as secure a system as can reasonably be designed. There are always going to be attack vectors, and dedicated hackers targeting specific individuals may find and use them, but for regular people this system should solve three of the biggest problems: weak passwords, leaked passwords, and phishing.
