How do Apple’s passkeys work?
At WWDC22, Apple introduced a new sign-in tool called “passkeys”. Billed as a replacement for passwords, passkeys have generated a lot of buzz in the Apple security community. But how do passkeys work? And why are they necessary? Here’s what you need to know:
What are passkeys?
Passkeys are a new way to sign in to your accounts and apps. They are a replacement for the password-based sign-in methods we’re all using at the moment.
Passkeys are coming in iOS 16 and macOS 13 (Ventura). As you might expect, they will work across synced Apple devices. But interestingly, they will also work cross-platform.
Why are passkeys necessary?
From a security standpoint, passwords are inherently problematic. Here’s why:
- Used correctly, passwords offer reasonably robust protection for accounts. The trouble is, many people don’t use passwords correctly! They reuse passwords across multiple sites, share passwords, use weak and easily guessed passwords — all of which results in countless account takeovers every year.
- Passwords are vulnerable to phishing and social engineering attacks. People simply give their credentials to hackers and malicious websites all the time.
- Companies need to store password credentials on their servers. That makes those servers a prime target for attack, and companies with poor security leak credentials all the time. Even when those credentials are hashed and salted, bad actors can often still recover them by guessing, since so many people use weak passwords!
- Two-factor authentication (2FA) can provide additional security, but 2FA has its weaknesses, and many users find it inconvenient and/or annoying.
Passkeys, according to Apple, will solve all of these problems.
How do Apple’s passkeys work?
To the user, transitioning from passwords to passkeys is pretty painless:
- First, you sign in to your account as you normally would.
- If the app or website developer offers support for passkeys, you’ll see an option to create one in your account management or settings area.
- Select the “create passkey” option and authenticate yourself using your device’s biometric sign-in method (Face ID or Touch ID).
- That’s it! The next time you go to sign in, you’ll see a “sign in with passkey” prompt. Tap it to use the passkey, complete the authentication using Face ID or Touch ID, and you’re in.
Your new passkey will sync across devices via iCloud Keychain, so it will work on your other Apple devices automatically.
Each passkey is cryptographically strong and unique: the system doesn’t allow the same passkey to be used on multiple accounts. In addition, the system will only use a passkey with the site or app it was created for, so a lookalike phishing website never receives it.
Do Apple’s passkeys work on other platforms?
Apple is implementing passkeys as part of its collaboration with the FIDO Alliance. The idea is to make secure, easy, passwordless sign-ins work on as many platforms as possible.
For this reason, Apple has designed passkeys for use on other platforms. For example, say you’ve set up a passkey for an account using your iPhone. What happens if you want to sign in to that account on a Windows PC at work using the Chrome browser?
With passkeys, this is actually pretty simple:
- Go to the website on your PC and type in your username.
- The site will recognize that there’s already a passkey associated with the account, and ask you if you want to add a mobile device.
- Next, you’ll see a QR code. Scan it with the iPhone that you used to create the passkey.
- On your iPhone, you’ll be asked if you want to sign in with your passkey. Say yes, and your device’s biometric sign-in method will kick in to authenticate you.
- That’s it! Now you’re signed in on the non-Apple device as well.
How do passkeys work under the hood?
Passkeys sound a little like magic, but they’re actually based on a well-known and widely used security technology: public key cryptography.
In public key cryptography, a system generates a pair of cryptographic keys: one public, one private. The keys are mathematically linked, but in a way that makes it infeasible to work out the private key from the public one, for humans and computers alike.
With passkeys, a public key is stored on a company’s server, and the corresponding private key stays on your device. The two keys’ mathematical linkage is why they’re useful for authentication:
- Every time you sign in to a website or app, the site sends your device a cryptographic challenge created using your public key. Only someone holding the linked private key can produce the correct response to that challenge.
- Your device uses your private key to generate the correct response to the challenge, and then sends the response (i.e., not your actual private key) back to the website or app’s server.
- The server recognizes that it has received the correct response to the challenge problem: a response that could only have come from someone holding the private key linked to the public key that was used to create the challenge. In other words, that’s how the site knows that it’s really you!
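The challenge-response flow described above, as an added example (not Apple’s or the FIDO Alliance’s code): a toy device and server in Go where the private key never leaves the device, the server keeps only the public key, and every sign-in gets a fresh random challenge. It assumes Ed25519 signatures as a stand-in for the signature type a real passkey uses, and goes one step beyond the text by signing the site name along with the challenge, which is what stops a lookalike site from getting a usable response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models the user's phone: the private key is generated here and never leaves it.
type Device struct {
	site string             // site the passkey was created for
	priv ed25519.PrivateKey // private half of the key pair
}
// Server models the site's backend: it stores only public keys, so a breach leaks no secret.
type Server struct {
	site string
	pubs map[string]ed25519.PublicKey // account name -> registered public key
}
func NewServer(site string) *Server {
	return &Server{site: site, pubs: map[string]ed25519.PublicKey{}}
}
// NewPasskey generates the key pair on the device and registers only the public half.
func NewPasskey(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubs[user] = pub
	return &Device{site: s.site, priv: priv}, nil
}
// Challenge draws 32 fresh random bytes per sign-in, so an old response cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
// Respond signs the challenge with the private key; the key itself is never sent. The device
// refuses a site it has no passkey for, and signs the site name too, binding the response to it.
func (d *Device) Respond(site string, challenge []byte) ([]byte, error) {
	if site != d.site {
		return nil, errors.New("no passkey for this site")
	}
	return ed25519.Sign(d.priv, append([]byte(d.site+"|"), challenge...)), nil
}
// Verify checks the signed response against the public key stored for the account.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ed25519.Verify(pub, append([]byte(s.site+"|"), challenge...), sig)
}
```

A genuine sign-in verifies, while a response to a different site, an old challenge, an unknown account or a tampered signature does not.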
When are passkeys coming?
Apple will roll out passkeys to the general public with iOS 16 and macOS 13. The new OSes will likely drop in September and October of this year, respectively.