Apple’s upcoming iOS 15 and macOS Monterey will preview a new feature called “Passkeys in iCloud Keychain,” which is an attempt to help replace passwords with a more secure login process. Instead of logging into an app or website using string of text, a WWDC presentation showed how you could instead use Face ID, Touch ID, or a security key, to gain access. The Passkeys are then synced across your Apple devices using iCloud.
Although passwords are currently the most popular way to secure accounts, they’re plagued with a host of problems. Passwords can be phished, forgotten, and they’re insecure if not used properly (think about the number of times you’ve been tempted to re-use one across multiple accounts). But Apple thinks its new Passkeys solution can solve these problems, as shown by the comparison table below.
In a demonstration, Apple showed how the new feature could remove the need to ever create a password to sign in to an app or website in the first place. Instead of creating a username and password during the sign-up process like normal, Apple authentication experience engineer Garrett Davidson just enters a username and allowed the app to register his Face ID as a Passkey. Then he showed how he could use Face ID to log into the app in future, or even log into his account via the service’s website. It works on Macs with Touch ID, too.
The functionality rests on the WebAuthn standard, which Apple, Google, Microsoft, and others have been slowly adding support for over time. Last year Apple added support for it to offer password-less logins in Safari in iOS and macOS. But the new approach goes deeper, integrating WebAuthn into an app’s sign-up process, and syncing your credentials across Apple devices via iCloud.
Behind the scenes, WebAuthn uses public key cryptography to let you log in without your private credentials ever having to actually leave your device. Instead, your phone or computer is only sending a “signature,” which proves your identity without having to share your secret private key.
Apple admits that the feature is in its early stages. It’s only releasing in preview this year, and will be turned off by default in iOS 15 and macOS Monterey. Developers can enable it, but it’s not meant for widespread use. There’s also the obvious limitation that the feature relies on iCloud to function, so you’re out of luck if you need to log in to the same service on a Windows or Android device. Apple admits this is a problem, however, suggesting it’s working towards improving cross-platform support in future. Apps and websites will also need to enable support for the new process.