Passkeys put an end to logging in with passwords

Log in using Face ID or Touch ID

The average internet user has many different online accounts with associated passwords. Apple has been working on a new way of logging in based on WebAuthn credentials, called passkeys, over the past year. This allows you to log in to apps and websites with your iPhone by scanning your face (Face ID) or fingerprint (Touch ID).

This is not only super convenient, but also very safe because passwords are no longer used. The feature is not exclusive to Apple; Google and Microsoft offer it as well.

Partnership with FIDO Alliance

Apple, Google and Microsoft want to make the web safer and easier to use. That’s why these three companies have announced that they will be supporting the FIDO Alliance and World Wide Web Consortium’s common passwordless login standard more broadly. This means that you will soon be able to log in securely and easily to websites and apps that offer this option on the devices and platforms of these companies.

Several hundred technology companies and service providers have worked with the FIDO Alliance and W3C to create the standards that enable passwordless logins. These standards are now supported by billions of devices and all modern web browsers. Apple, Google and Microsoft have taken the lead in developing the extended version of this login method and are now building support into their own platforms.

What are passkeys?

Passkeys are based on WebAuthn and FIDO authentication, a new global standard for secure authentication on the web. The passkeys should ensure that you no longer have to use passwords. Instead, you scan your face or finger once when creating an account on a website or app.

The scanned biometric characteristics are then converted into a unique code. This code is then stored encrypted in the iCloud Keychain.

A passkey is much more secure than logging in with a password. When you log in to a website or an app with a password, that password is sent to a server via the internet. Your password is therefore present both on your own device and on the server of the website or app you want to log in to.

It is not uncommon for hackers to steal the entire user database of a server. This contains both the usernames and the associated passwords.

How do passkeys work?

A passkey works according to the key pair principle, a cryptographic method. Within this method you use a public key and a private key.

The public key is, as the name suggests, visible to everyone and traceable to you. The private key, however, is only for you and remains on the devices you want to log in with.

Both the public and private keys are needed to log in. The public key is compared to the private key to allow authentication to take place. Your iPhone or Mac thus serves as a control mechanism to prove that you are really you.

This method of logging in is much more secure than a password. Guessing passwords, which is still a popular tactic to obtain login details, will be a thing of the past.
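The key-pair login described above, as an added example that is not part of the original article: the server keeps only the public key and checks a signature over a fresh random challenge. The message layout (origin, a zero byte, the challenge), the `Server` class and the sample origin are assumptions for illustration; real WebAuthn signs a more detailed structure.

```javascript
// Added example: simplified passkey-style login (assumed layout, not real WebAuthn).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// What gets signed: the site origin plus the server's random challenge.
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

// Device side: one key pair per site; the private key stays on the device.
const createPasskey = () => generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signLogin = (privateKey, originSeenByDevice, challenge) =>
  sign('sha256', payload(originSeenByDevice, challenge), privateKey);

// Server side: stores public keys only and issues single-use challenges.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key (all a database leak reveals)
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is accepted once only
    if (!challenge || !publicKey) return false;
    return verify('sha256', payload(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const origin = 'https://shop.example'; // constructed sample site
  const server = new Server(origin);
  const device = createPasskey();
  server.register('alice', device.publicKey);
  const sig = signLogin(device.privateKey, origin, server.newChallenge('alice'));
  const genuine = server.login('alice', sig);
  const replayed = server.login('alice', sig); // same signature, challenge already used
  const other = createPasskey();               // any key other than the registered one
  const wrongKey = server.login('alice',
    signLogin(other.privateKey, origin, server.newChallenge('alice')));
  const wrongSite = server.login('alice',      // device was on a different origin
    signLogin(device.privateKey, 'https://shop.example.test', server.newChallenge('alice')));
  return { genuine, replayed, wrongKey, wrongSite };
}
```

Only the first login succeeds; nothing stored on the server is enough to produce a valid signature.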

Want to test Passkeys? You can do so via this demo website.

Synchronization via iCloud Keychain

The Passkeys always remain on your device and are specific to the site or app for which you created them. Your private key is not stored on a web server of the website, app or Apple, so your accounts are also not vulnerable to data leaks.

To ensure that you can use the keys on all your Apple devices, they are synchronized, fully encrypted, via iCloud Keychain. The key is then immediately stored locally and not on Apple’s web servers.

Passkeys in iOS, iPadOS and macOS

Passkeys have been available since iOS 16, macOS 13 Ventura, watchOS 9 and tvOS 16. An app or website must first integrate the feature into its system before you can use it. In the meantime, you can set this up at Google and PayPal.

You can also use Passkeys via Apple on third-party devices. Below is an explanation of how the identification works exactly.

  • iPhone and iPad: Log in with Face ID or Touch ID
  • Mac: Log in with Touch ID, possibly also QR code via iPhone/iPad
  • Apple TV: Sign in by scanning a QR code with your iPhone or iPad
  • Third-party devices: Log in via a website by scanning a QR code with your iPhone or iPad

Using Passkeys on Apple Website

Since iOS 17, iPadOS 17, macOS Sonoma and Safari 17 it is possible to log in using Passkeys on Apple websites. Examples include iCloud.com, the Apple ID website, the Apple Online Store and more.

Navigate to an Apple website, for example appleid.apple.com, and select ‘Passkey from a nearby device’. You can then scan a QR code with a trusted device to confirm your identity. Tap ‘Log in with a passkey’ to then log in to the website with Face ID or Touch ID.

What if your iPhone gets stolen?

Your iPhone will play a crucial role in logging in via Passkeys, but what if it gets stolen? Of course, you can use another device to log in to the website or app, and you can disconnect the iPhone from your account. If you also have no access to other devices, you can use a recovery contact to still gain access to your accounts. So it is important that you set this up.

Finally, there is an additional option called ‘iCloud Keychain escrow’. For this you need access to your phone number to receive an SMS, and you have to answer some important (personal) questions, such as your access code. You can read more information about the security of Passkeys here.
