Raise your hand if you hate entering passwords. Okay, now keep your hand up if you use the same password for multiple accounts or services. Yes, a lot of people do this, and it is one of the main causes of users getting hacked.
Think about it. If someone can get your password for just one service, whether through a data breach, social engineering, or phishing attack, your identity and personal information could be compromised. This can lead to anything from people spying on baby cams to hackers stealing money from your bank account.
Yes, there are alternatives to manually entering passwords, such as the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have come together through the FIDO Alliance to try to replace the password forever. And Apple’s implementation is called Passkeys, coming this fall in iOS 16, macOS Ventura, and iPadOS 16.
In an exclusive Tom’s Guide interview, I had the opportunity to speak with Kurt Knight, senior director of platform product marketing at Apple, and Darin Adler, vice president of Internet technologies at Apple, about how passkeys work and how they might really make passwords a thing of the past.
What the heck are passkeys and how do they work?
Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server, and remain on your device. The best part? Hackers cannot steal passkeys in a data breach or trick users into sharing them.
“Passwords are key to protecting everything we do online today, from everything we communicate to all of our finances,” Knight said. “But they are also one of the biggest attack vectors and security vulnerabilities facing users today.”
That’s why Apple has been pushing so hard to find an alternative. Passkeys use Touch ID or Face ID for biometric verification and iCloud Keychain to sync between iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Other companies have tried to replace passwords with dedicated hardware, like a physical security key, but that approach is mostly aimed at business users and adds another layer of complexity. Passkeys have a real chance to take off because they take advantage of a device you already have.
Passkeys are based on what is called public key cryptography. There is a private key, which is a secret and is stored on your device, and there is a public key that goes to a web server. Passkeys make phishing impossible because you never present the private key; you simply authenticate using your device.
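The registration and sign-in flow described above, as an added example that is not from the original article or from Apple: a simplified challenge-response model using the crypto module built into Node.js. The function names, the in-memory serverDb and the user 'alice' are assumptions for illustration, and real passkeys (WebAuthn) sign additional data beyond the bare challenge.

```javascript
// Added illustration (hypothetical names; simplified, not the WebAuthn wire format).
const crypto = require('node:crypto');

const serverDb = new Map(); // server side: username -> public key PEM, nothing else

// Device side: generate a key pair; the private key stays inside this closure.
function createDeviceKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // Stand-in for the Face ID / Touch ID gated signing step on the device.
    sign: (challenge) => crypto.sign('sha256', challenge, privateKey),
  };
}

// Registration: the server receives and stores only the public key.
function registerPasskey(username, device) {
  serverDb.set(username, device.publicKeyPem);
}

// Server side: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Server side: check the signature over the challenge this server issued.
function verifySignIn(username, challenge, signature) {
  const pem = serverDb.get(username);
  if (!pem) return false; // unknown user
  return crypto.verify('sha256', challenge, pem, signature);
}

function demo() {
  const phone = createDeviceKey();
  registerPasskey('alice', phone);
  const c1 = newChallenge();
  const sig1 = phone.sign(c1);
  const ok = verifySignIn('alice', c1, sig1);
  // A signature captured earlier does not verify against a new challenge.
  const replayed = verifySignIn('alice', newChallenge(), sig1);
  // The stored record is a public key only; a different key cannot sign for alice.
  const other = createDeviceKey();
  const c2 = newChallenge();
  const wrongKey = verifySignIn('alice', c2, other.sign(c2));
  const leaksPrivateKey = serverDb.get('alice').includes('PRIVATE KEY');
  return { ok, replayed, wrongKey, leaksPrivateKey };
}
console.log(demo());
```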
“People almost always have phones with them,” Adler said. “Face ID and Touch ID verification gives you the convenience and biometrics that we can achieve with an iPhone. You don’t have to buy another device, but you don’t have to learn a new habit either.”
Wait, what if you’re not using an Apple device?
Let’s say you sign up for a streaming service on your iPhone but need to sign in on your Roku. What do you do when your Roku doesn’t have Touch ID or Face ID?
The other device generates a QR code that can be read by your iPhone or iPad. iOS uses Face ID or Touch ID to confirm that you’re trying to sign in before confirming or denying the request to the app or website running on the other device.
Also, if someone is trying to sign in to a service on an iOS device or Mac that isn’t yours, passkeys can be shared through AirDrop.
“The cross-platform experience is super easy,” said Knight. “Let’s say you’re someone who has an iPhone, but you want to go and log into a Windows machine. You’ll be able to access a QR code that you’ll then simply scan with your iPhone and then you can use Face ID or Touch ID on your phone.”
In other words, the computers will communicate with each other to make sure you’re nearby for security purposes and confirm that you’re logged in.
An unbreakable keychain
For Passkeys to work across multiple Apple devices, including iPhone, iPad, Mac, and Apple TV, something is needed to sync information with end-to-end encryption. And that’s where iCloud Keychain comes into play.
iCloud Keychain is already used to keep your passwords and other secure information (like credit cards) in sync across all your devices. But the arrival of Passkeys takes things to the next level.
So what happens if you don’t have access to your iPhone? iCloud Keychain also allows you to recover your old keys through iCloud if your Apple device is lost or stolen.
This is why it’s so important that Apple built Passkeys on top of iCloud Keychain.
“iCloud Keychain made it possible, and security that was previously limited to people who would be willing to carry extra hardware can be made available to everyone with the phone,” Adler said. “So I think those two things come together in a really special way.”
What’s next for passkeys?
Passkeys will be built into the operating systems for iOS 16, iPadOS 16, and macOS Ventura, but Apple is also working with developers to integrate passkey support into their apps.
Apple was not yet able to share which Passkey-enabled apps will be available at launch, but it looks like a push is already under way behind the scenes. And it’s not just about ease of use.
“These public keys actually have no value. There’s nothing worth stealing,” Adler said. “So that’s going to lessen the responsibility of the developers running the services… and developers are going to want to take advantage of this because of the lessened responsibility.”
According to Adler, developers have everything they need to start implementing Passkeys now, and consumers will get support when they update their Apple devices to the new software released this fall.
So, despite all the previous hype about deleting the password forever, this time it might actually be happening.
“This is not a future dream to replace passwords,” Knight said. “This is something that is going to be a path to completely replace passwords, and it’s starting now.”