Apple’s new biometric Passkeys may kill passwords for good | Cult of Mac

Apple's Passkeys promise to kill passwords forever.
Photo: Apple

If passwords are the bane of your life, Apple’s got some good news. The company just introduced Passkeys, a new biometric system that can’t be phished, stolen or compromised.

“We’ve helped create a next-generation credential that’s more secure, easier to use and aims to replace passwords for good,” said Darin Adler, VP of Internet Technologies, during Monday’s WWDC22 keynote.

Finally, the end of passwords? Apple introduces Passkeys.

During a live-streamed showcase of Apple’s upcoming software platforms, Adler outlined a new biometric system for authenticating yourself on the web or in apps.

Called Passkeys, the system uses Touch ID and Face ID — biometric systems already built into your iPhone, iPad and Mac — to create a unique digital key, which is sent to a website to authenticate you.

“Passkeys use powerful cryptographic techniques and the biometrics built into your device to keep accounts safe,” said Adler. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done.”

Passkeys can’t be leaked, phished or stolen

The digital key only works for the site or app it was created for, so it won’t work on fake websites used by hackers to harvest passwords. It is stored locally, so it can’t be phished or stolen. And it’s not stored on a remote server, so it can’t be compromised if hackers break into a server that stores passwords.

“Passkeys can’t be leaked because nothing secret is kept on a web server,” said Adler.

Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography, according to Apple’s developer website. The user is authenticated on their device using Touch ID and Face ID, and the device then sends a public key to the website or app.

“As the authenticator, your Apple device generates a unique public-private key pair for every account it creates on a service,” says Apple’s developer site. “The authenticator retains the private key and shares its public key with the server, known as the relying party.”
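
The key-pair arrangement described above, and why a key created for one site is useless on a look-alike, shown as an added example that is not from the article or from Apple. It is a simplified Node.js model rather than the real WebAuthn message format; the class names, `bank.example`, `bank-login.example` and `alice` are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the passkey flow, not the real WebAuthn wire format.
const crypto = require('node:crypto');

// The user's device: one key pair per site; the private key never leaves this object.
class Authenticator {
  constructor() { this.privateKeys = new Map(); } // site hostname -> private key
  register(hostname) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(hostname, privateKey);
    return publicKey; // only the public half is handed to the site
  }
  sign(origin, challenge) { // origin is reported by the browser, not claimed by the page
    const privateKey = this.privateKeys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey was ever created for this site
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// The website (relying party): stores public keys and outstanding challenges only.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    if (!assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;          // signed for some other site
    if (!this.pending.delete(challenge)) return false; // unknown or already-used challenge
    const key = this.publicKeys.get(user);
    return Boolean(key) && crypto.verify('sha256', Buffer.from(assertion.clientData), key, assertion.signature);
  }
}

function demo() { // all names and origins below are constructed sample values
  const device = new Authenticator();
  const site = new RelyingParty('https://bank.example');
  site.enroll('alice', device.register('bank.example'));
  const login = device.sign('https://bank.example', site.newChallenge());
  const noPasskey = device.sign('https://bank-login.example', site.newChallenge());
  device.register('bank-login.example'); // a passkey made for the look-alike is a different key
  const wrongSite = device.sign('https://bank-login.example', site.newChallenge());
  return { genuine: site.verify('alice', login), replayed: site.verify('alice', login),
    noPasskey: site.verify('alice', noPasskey), wrongSite: site.verify('alice', wrongSite),
    serverHoldsOnlyPublicKeys: [...site.publicKeys.values()].every((k) => k.type === 'public') };
}
```

Only the first check succeeds: the replayed response, the missing passkey and the response signed for the other origin are all rejected, and the site's store contains nothing but public keys.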

Apple says the system also will work in apps.

Passkeys are synced via iCloud Keychain to make them available across devices, including Mac, iPhone, iPad and Apple TV.

Apple is working with Google and Microsoft

Adler said Apple has been working with Google and Microsoft, as well as the FIDO Alliance, an industry association whose stated aim is to “help reduce the world’s over-reliance on passwords.”

Adler said the system will work “seamlessly” across platforms.

But he cautioned that Passkeys won’t solve password headaches overnight.

“The transition away from passwords will be a journey,” he said. “And we look forward to working with developers on the password-less future.”