Apple says its new passkeys are a replacement for passwords, designed to give websites and apps a passwordless sign-in experience that is both more convenient and more secure.
Passkeys – which will be included in iOS 16, iPadOS 16, tvOS 16, and macOS Ventura – are a standards-based technology that, unlike passwords, is resistant to phishing, is always strong, and is designed so that there are no shared secrets.
Passkeys are designed to simplify account registration for apps and websites, be easier to use, and work across all of your Apple devices, as well as non-Apple devices within physical proximity.
Passkeys are built on the WebAuthn standard and use a unique cryptographic key pair for each website or account. These keys are generated by the device, securely and uniquely, for every account.
One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.
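As an added illustration (not Apple's code or the WebAuthn standard's own implementation), the following Go program models the flow just described: a per-site key pair generated on the device, a server that stores only the public key, and a challenge signature bound to the relying-party ID so that a look-alike domain has no key to sign with. The rpId-plus-challenge hash is a hypothetical simplification of what WebAuthn actually signs, and the domain names and challenge are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator: one private key per relying-party ID (rpId); hypothetical simplification of WebAuthn.
type Authenticator map[string]*ecdsa.PrivateKey
// Register makes a fresh P-256 key pair for rpId and returns only the public half.
func (a Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpId] = priv
	return &priv.PublicKey, nil
}
// Sign answers a challenge for the rpId the browser derived from the page origin;
// a look-alike phishing domain is a different rpId, so there is no key to sign with.
func (a Authenticator) Sign(rpId string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpId]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpId, challenge))
	return sig, err == nil
}

// signedData binds the signature to rpId and the one-time challenge (no replay across sites or logins).
func signedData(rpId string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpId+"|"), challenge...))
	return h[:]
}

// Verify is the server side: it needs only the stored, non-secret public key.
func Verify(pub *ecdsa.PublicKey, rpId string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpId, challenge), sig)
}

func main() {
	auth, challenge := Authenticator{}, []byte("constructed-one-time-challenge") // random nonce in practice
	pub, _ := auth.Register("example.com")
	sig, _ := auth.Sign("example.com", challenge)
	_, phished := auth.Sign("examp1e.com", challenge) // constructed look-alike domain
	fmt.Println(Verify(pub, "example.com", challenge, sig), phished) // true false
}
```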
Passkeys use iCloud Keychain, which requires two-factor authentication for additional protection. Passkeys sync across all of a user’s devices through iCloud Keychain, which is end-to-end encrypted with its own cryptographic keys.
There is a multi-step authentication process users must go through to recover an iCloud Keychain with passkeys, or users can set up an account recovery contact.
On non-Apple devices, passkeys will work through a QR code that hands the authentication off to the user's iPhone, but this requires support from other companies, so it will likely take a while to become widely used. Still, this is a solid step towards a password-free future.