web analytics
Home » Technology » Apple Passkey: why everyone on the web can benefit

Apple Passkey: why everyone on the web can benefit

The fact that passwords are a thing of the past has long been obsolete – because they are usually uncreative, cumbersome, and above all insecure. Apple announced at WWDC 2022 that it would replace them with iOS 16 “passwords,” which bind the account and devices.

How much time do you put into your passwords? Do you create new security keys every year and also pay attention to the security of the character and number sequences? Many don’t, because security companies find passwords in their databases that are far too insecure in analysis every year. Most passwords are too simple, are never changed, and can be cracked in minutes.

So it’s commendable that Apple has announced Passkeys, a new authentication method intended to replace passwords. On the web, the new process is heavily tied to the Apple ecosystem, which is a shame. Because with Passkeys, Apple only presented its own way, with WebAuthn Credentials handle

Why “Passwords” Don’t Just Affect Apple Users

That’s right – the “passwords” are not an exclusive invention of Apple, even if it sounded a lot like it during WWDC 2022. They are Apple’s internal branding for a new type of credentials developed by the FIDO Alliance. Although Apple is not part of the alliance, it says it has worked with Google and Android, among others, and uses the FIDO standards for passwords. So sooner or later almost all internet users will benefit from Passkeys.

The basic idea is to use security keys instead of login passwords. From the user’s point of view, logins are then secured using biometric procedures that allow the security key to be compared with the server. If you’re currently using Face ID and Touch ID to activate the iCloud Keychain, the controls won’t change much. While logging into iOS is about as convenient today as using passwords later, there is one major drawback. Currently, iCloud Keychain is only allowed to copy the password to the login mask. From there, it is then forwarded to the server operator.

The risk of passwords being spied on through man-in-the-middle attacks (hereinafter “MITM”) or otherwise still exists. Phishing i.e. stealing passwords by simulating a super important service emergency or other social engineering tactics is also possible with this method. You can currently copy passwords from the keychain and paste them into emails quite easily if you’ve fallen into a scam.

That’s why passkeys and the way Apple handles them are so secure

In a way, using passkeys even protects against the proverbial error in front of the screen. At their most basic level, they are based on two security keys: one public and one private. The public key resides on the server after installation, while the private key always remains on the device used to login. The pinnacle lies in the mathematics on which the method is based.

Because how? Popular science writes, that it is designed so that the private key does not have to be sent to the server on login attempts. This keeps your password safe even in the event of MITM attacks or successful hacks on corporate servers. The passkeys are based on the WebAuthentification standard (WebAuthn), which has long been used for passwordless logins to the network. So if all this is already available, why is everyone acting like Apple reinvented the password?

Why is everyone pretending that Apple has reinvented the password?

Hey, good question! What you can really give Apple credit for is that they are the first to use passkeys across devices. At the same time, they provide a programming interface, an API, for their passwords. Of course, to enable registration via passwords, websites and services must first create the conditions. Since Apple offers its new operating systems iOS 16, watchOS 9, iPadOS 16, and macOS 13 as developer betas half a year before launch, they could be available in many places at first. In any case, Apple showcased its own WebAuthn credentials at WWDC 2021.

Passkeys are also permanently linked to the iCloud Keychain. You can access this from any Apple device you are registered on with your Apple ID. Since Apple uses end-to-end encryption for its keychain and according to the support site does not know the security key itself, there is a safe place to store the passkeys.

The system is also secured with two-factor authentication. So if you want to register a new passkey, you’ll need to reconfirm this process on an Apple device or via the web browser by entering a six-digit code. Apple has by no means (re)invented login without a password, but simply implemented it smartly and securely. Moreover, Apple devices are so widespread that the advance of “Apple’ans” will be a good incentive for services and websites to finally upgrade to WebAuthn.

Do passkeys make switching to Android and Windows impossible?

However, the switch from Apple to Passkey made me a little apprehensive during the live stream. So it looked like Apple would re-cover its “walled garden” with methylene. Does the introduction of passkeys make it nearly impossible to use non-Apple devices or otherwise escape the Apple cosmos? While it’s not entirely clear yet how to complete Apple’s Passkeys integration will be, there are three arguments against my apprehension.

In the future, you can also use QR codes to login to Windows devices with a password:

  • During the developer conference, Apple briefly showed how logging in on non-Apple devices is possible. A QR code can be seen on the display of a Windows notebook, which you must scan with an Apple device to log in. It will also be possible to log in under Windows and Android – but you must have your iPhone or iPad with you.
  • You already have access to iCloud Keychain on Windows. All you have to do is install the iCloud app and you will see a corresponding program on your PC. Unlocking is done via Windows’ own authentication service Windows Hello and therefore also via biometric login procedures. However, I doubt Apple’s system is secure enough for its passkeys. Because as a fallback, Windows relies on a PIN code, which in the worst case only consists of four digits.
  • As mentioned earlier, default WebAuthn is not from Apple and will certainly be natively usable with Android, Windows, and other operating systems in the future. So you can assign new security keys for logins to access websites. Even though these differ from Apple’s synchronized keys, it makes no difference for the handling after setup – you only log in with the fingerprint sensor or facial recognition anyway.

Final Words

Let’s recap the developments: Independent of Apple, WebAuthn will make logging into the Internet more secure. After far too long, our data is no longer dependent on how much time or brainpower we put into maintaining our passwords. In addition, the standard offers reliable protection against phishing, hacking, and even against the companies, we want to log in to. Apple is taking a big step here and is the first company to introduce the service on various devices.

At the same time, the company uses the benefits of its closed ecosystem to make password key logins secure and easy. The fact that Apple is making the introduction of the passwords a major topic at its developer conference and doing it without its own name is also a brilliant move. In a way, Apple is reaping the laurels that the FIDO Alliance has sown and cultivated in partnership. Because if Android or Windows announces password support in the near future, the public will surely associate it with Apple.