On the same day that Apple was announcing the newest software features built into this year’s major operating system updates, we learned about the mother of all password leaks. A 100GB text file containing 8.4 billion passwords collected from various data breaches and leaks found its way online — a stark reminder that hackers continue to hunt vulnerabilities that allow them to acquire login credentials to then steal money and/or information from internet users.
Every major technology company is working to increase user security and prevent hacks, and these initiatives include “killing” the password. Apple is among the tech companies working on better login methods, and the company plans to try out its new Passkeys in iCloud Keychain on iOS 15 and macOS Monterey.
Apple isn’t exactly killing the password. Logging into apps and services will still require an authentication method that involves a username and some way to secure that account so only the rightful holder can access it. But Apple is replacing the password that hackers can steal with a password they can’t hack, even if they know what it is. 3D face recognition (Face ID), fingerprint scanning (Touch ID), or a security key will make this possible.
Passkeys in iCloud Keychain aren’t ready for mass consumption, and that’s why they weren’t detailed during the WWDC 2021 keynote. But Apple hosted a presentation for developers that explains the new tech.
Apple wants to allow iPhone, iPad, and Mac users to log in to apps and services using a username in combination with Face ID, Touch ID, or a physical security key. A hacker would not be able to breach such an account, as they would not have a way to steal the password that secures everything, especially if that password is a face or fingerprint.
This login method has a few clear advantages. You won’t have to remember a password or use a password manager, and you can reuse the same password (your face or fingerprint) on multiple apps and sites without worrying about someone stealing it. Even if hackers photograph your face and fingers, it’s nearly impossible to hack Face ID and Touch ID.
There are a few downsides as well. For starters, losing access to the hardware that runs Face ID or Touch ID authentication would make it impossible to log into apps and services. Also, an iPhone and/or Mac user would not be able to access the same online account from Android and Windows, at least not unless Apple, Google, and Microsoft develop common interoperability standards. Still, considering that Google and Microsoft are also working on “killing the password,” Apple’s Passkeys tech does sound exciting. The feature works thanks to the WebAuthn standard, which Apple, Google, and Microsoft support.
WebAuthn uses public key cryptography to perform the login, which means the private credentials stored on iPhone and Mac never leave the device. The hardware only sends a signature that can verify the user’s identity, as seen in the image above.
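The signature exchange described above can be sketched in a few lines of Node.js. This is an added example, not Apple's code or anything from the WWDC session: it simulates the device and the server in one process, and `RP_ID`, `ORIGIN` and every function name are assumptions chosen for illustration. The signed bytes follow the WebAuthn layout (authenticator data followed by the SHA-256 hash of the client data).

```javascript
// Added illustration; RP_ID, ORIGIN and all function names are assumptions.
const nodeCrypto = require('node:crypto');

const RP_ID = 'example.com';           // constructed relying-party ID
const ORIGIN = 'https://example.com';  // constructed origin
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Device side: the key pair is created locally; only publicKey is ever exported.
function createAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  function sign(challenge, origin) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin,
    }));
    // authenticatorData = SHA-256(rpId) || flags (0x05: user present + verified) || counter
    const authenticatorData =
      Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signature = nodeCrypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  }
  return { publicKey, sign };
}

// Server side: holds only the public key and the challenge it issued.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return false;
  if (client.origin !== ORIGIN) return false;  // signed for a different site
  if (client.challenge !== expectedChallenge.toString('base64url')) return false; // stale
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  if ((authenticatorData[32] & 0x01) === 0) return false;  // user-present flag not set
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature);
}

// One login round trip: the server issues a fresh challenge, the device answers.
function login(authenticator, origin = ORIGIN) {
  const challenge = nodeCrypto.randomBytes(32);
  const assertion = authenticator.sign(challenge, origin);
  return { challenge, assertion,
           ok: verifyAssertion(authenticator.publicKey, challenge, assertion) };
}
```

Because the server stores only a public key, a breach of its database yields nothing that can be replayed as a login, and a captured signature is useless against the next challenge.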
The new Passkeys feature will be turned off by default in iOS 15 and macOS Monterey. Developers can enable it, and we might soon see examples of apps and services that will need a face, fingerprint, or security key to log you in.