Apple’s Worldwide Developers Conference back in June showcased new software and technologies to be incorporated into the Apple ecosystem. A few months have gone by and with the launch of iOS 16 and soon to be launched Mac OS Ventura, we now see some of these new innovations in action.
One technology that caught our attention was Passkeys. Passkeys have been designed to be the replacement for using passwords. Is this the solution to lead us to a future without passwords?
What are passkeys?
Passkeys are the result of a commitment made by Apple, Google and Microsoft to develop an alternative to using passwords, created by FIDO Alliance and the World Wide Web Consortium.
Essentially, passkeys are described as an account sign-in method that does not require entering a password. This method is “easier to use than passwords and far more secure”. No longer will we need to remember a password, forget a password, have passwords hacked, and so on. In this article, we will be looking at passkeys in the context of Apple’s ecosystem.
So how much of this is true? Is this all it seems to be?
How do passkeys differ from passwords?
Passkeys work by signing in using biometric verification, such as fingerprint scanning or face recognition, or a PIN. Some accounts still require you to enter your email before signing in with a passkey. Most simply allow you to sign in using just the passkey, as the email is stored within your iCloud Keychain.
This is different to what we are familiar with when it comes to passwords. Normally we are required to physically enter the password, meaning there is something for us to remember.
A password manager can automatically fill in your username and password, after which you perform a second verification step (if enabled), usually a 6-digit code sent to your phone.
Passkeys make this process shorter: you input your email/username (or it is auto-filled if already saved) and then sign in with the passkey using biometrics (fingerprint, face recognition, etc.) or a PIN. This makes the process more streamlined and quicker for you.
How secure are Passkeys?
In a word: Very
In Apple's case, Passkeys are created and stored within the iCloud Keychain. This will be familiar to those who already store and create unique passwords within the iCloud Keychain.
Your passkey stays locked to the device and cannot be viewed by you or by Apple's servers, making it harder for an attacker to compromise.
If you need to login to an account on a different device, such as a family member’s phone, the passkey system can present a QR code to scan.
Furthermore, this QR system is used for cross-platform integration. Say you were using an iPhone but needed to sign into an account on a Windows PC, you would simply type your username and then scan the QR code that shows up on the PC with your iPhone to sign in.
What issues do they solve?
This solution solves a plethora of problems associated with passwords. Firstly, it will help prevent traditional social engineering attacks, such as phishing, as you don’t know the passkey and so cannot be tricked into giving it away. The system knows which account/website your passkey is linked to, eliminating spoof websites aiming to “phish” your passkey.
Even attacks like shoulder surfing (someone looking over your shoulder and learning your details) are prevented: no one can see what you are typing, because there is nothing to type, so there is nothing to be stolen. Having nothing to be stolen also addresses a big issue with leaked passwords ending up in data breaches.
Stealing a passkey looks to be a near impossible feat, even for the most capable of attackers.
Each passkey is unique to a single account, which stops the same credential being reused across different accounts. This eliminates the issue of an attacker gaining access to multiple accounts through one password.
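To make the two points above concrete, here is an added example (not Apple's or the FIDO Alliance's code) that models the passkey ceremony in simplified form: the device holds one private key per site and account, the site stores only the public key, and a login response is a signature over the site's identifier plus a fresh challenge. The site names, user handle and the "examp1e.com" look-alike origin are constructed for illustration, and the real WebAuthn data structures are reduced to the fields that matter for origin binding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the device keychain: one key pair per site and account,
// keyed "site/user". Private keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// RelyingParty models a website's server, which stores only public keys.
type RelyingParty struct {
	ID   string // the site's domain, e.g. "example.com" (constructed)
	pubs map[string]ed25519.PublicKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, pubs: map[string]ed25519.PublicKey{}} }

// Register creates a fresh key pair bound to this site and account.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a.keys[rp.ID+"/"+user] = priv
	rp.pubs[user] = pub
}

// signedData binds the response to the site that issued the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs a login challenge only for the origin the browser reports. A
// look-alike domain has no matching key, so the ceremony stops with ok false
// before any secret is used: nothing is typed, so nothing can be phished.
func (a *Authenticator) Assert(origin, user string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin+"/"+user]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}

// Verify checks the response against the stored public key and this site's ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}
```

Because the signed data includes the site identifier, a response captured for one site does not verify at another, and a spoof site that relays the genuine challenge still gets no signature because the device has no key for its origin.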
Are there any drawbacks?
As this solution is at the testing/early adoption stage, we can assume there will be drawbacks whilst passkeys are refined. One example is losing the device that the passkey is attached to. How can you recover your passkey onto another device if this were to happen, given there would be no QR code for you to scan from your device?
Apple did introduce “recovery contact” in iOS 15 so that you can gain access to your Apple ID in the event of a lockout through a trusted, pre-established recovery contact. This will allow the trusted person to provide you with a recovery code to be passed back to you to gain access to your Apple ID. We can assume that more practical solutions for recovery will be revealed in the future as passkeys become more widely adopted and refined.
We cannot rule out the drawbacks associated with biometric authentication. Although rare, false acceptance rates are something to consider with biometrics. Apple claims that the likelihood of an unauthorised person gaining access to your device using Face ID is less than 1 in 1,000,000.
Furthermore, FIDO has a strong membership base, but there may be some issues with passkey adoption across all platforms at this current time. As the environment begins to gain traction, we can expect more vendors and platforms incorporating this standard within their systems.
Do we still need Two-Factor Authentication (2FA)?
So from what we know, passkeys do not make use of 2FA during the sign-in process. In a world where 2FA is strongly emphasised for password protection, can we really make do without using it on our accounts?
Well, the argument could be made that as nothing can be obtained, there is nothing for attackers to steal. So, as there is nothing to bypass, does a second layer of defence now become obsolete?
Apple answered this question by stating that any Apple ID account using iCloud Keychain requires 2FA to be enabled in order for a user to register a new passkey. If this is not enabled, you will be prompted to set up 2FA. So although the individual passkeys themselves have no 2FA, the environment they live within (your Apple ID account) does. This may certainly be a way to ensure we still use a second layer of defence, but only where it is applicable.
To summarise, passkeys look to be the solution we've been waiting for, as we've long known passwords were never made to scale. As it is still in that initial adoption stage, we can expect a lot more development over time to iron out any issues regarding adoption on a large scale.
Overall, we believe this solution has great promise in developing a password-less future. It certainly is great to see the juggernauts within this space join forces to tackle a security issue that has been prominent for way too long. Maybe the days of phishing and account lockouts are truly becoming numbered? Let’s wait and see.