How and why Passkeys in iOS 16 will begin making passwords extinct

We outline the benefits of Passkeys – and how to protect online accounts until they arrive

At WWDC 2022, Apple formally introduced Passkeys, having earlier this year committed to expanding support for passwordless sign-in. Passkeys are an ambitious idea – nothing short of an attempt to eliminate passwords from tech. This isn’t an Apple-only objective either – the company is working alongside industry giants Google and Microsoft, supporting the FIDO Alliance standard.

What this means is the need for passwords to sign into apps, websites and services should soon erode, whether you use an iPhone, iPad, Mac, Android phone or Windows PC. This article digs into why this is a good thing, the benefits of Passkeys, and how to best secure accounts until Passkey support is commonplace.

Why passwords are a problem

Passwords are a solution designed for an older era of computing. Attacks from bad actors have now become dangerously sophisticated. Hackers regularly breach web servers where account details are stored, sometimes gaining access to millions of usable passwords. Elsewhere, phishing attacks and social engineering tactics trick people into giving away login details by signing into lookalike websites for services they use.

This is compounded by user complacency and ignorance. Passwords add mental load, and so some people use easily remembered ones across multiple accounts. In fact, ‘password’ genuinely remains a very common password; but even relatively complex strings of symbols can be instantly cracked. Two-factor authentication can help, by adding an extra security layer. But it brings further friction, complexity and hassle, and some two-factor methods (like text messages) are prone to security breaches, such as SIM card cloning.

Why Passkeys are a better option

From a technical standpoint, Passkeys protect against credential reuse, phishing, server leaks and plain old guessing. They also make for a superior and streamlined user experience compared to passwords (even more so if you use two-factor authentication), which should help drive adoption.

Passkeys use familiar interface elements.

To create a new Passkey with a compatible app or website, you enter a username and authenticate with Touch ID or Face ID. Your Passkey is generated and synced to iCloud Keychain. Because each Passkey is unique and intrinsically linked to a specific website or app, you cannot later be tricked into signing into a fake website that could steal your details. And because the Passkey never leaves your device and requires your biometrics to authenticate, it cannot be leaked or stolen.

Signing in uses the autofill system you’re already familiar with, and there are no steps beyond confirming your username and authenticating. In other words, you tap and sign in. It’s a single-step flow, with no need for additional security requirements like two-factor authentication.
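The site binding and protection against phishing, server leaks and replay described above can be seen in a simplified model, added here as an example and not taken from Apple's or the FIDO Alliance's code. It uses Node.js's built-in crypto module; the class and function names, the hostnames `shop.example` and `shop-example.test`, and the reduced message layout are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not Apple's or FIDO's code.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Device side: one key pair per site. The private key is never sent to the website.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the site stores only this public half
  }
  // `origin` is supplied by the browser, not typed by the user or chosen by the page.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey for this hostname: nothing to give away
    const clientData = JSON.stringify({ origin, challenge });
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Server side: checks the challenge, the origin and the signature.
function verify(publicKey, rpId, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return false; // replayed or stale response
  if (origin !== `https://${rpId}`) return false; // signed for some other site
  const signed = Buffer.concat([sha256(rpId), sha256(assertion.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature);
}

function demo() {
  const device = new Authenticator();
  const rpId = 'shop.example'; // constructed site name
  const publicKey = device.register(rpId);
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const assertion = device.sign('https://shop.example', challenge);
  const other = new Authenticator(); // a second device with its own key for the same site
  other.register(rpId);
  return {
    genuine: verify(publicKey, rpId, challenge, assertion),
    lookalike: device.sign('https://shop-example.test', challenge), // no key for this host
    replayed: verify(publicKey, rpId, nodeCrypto.randomBytes(16).toString('hex'), assertion),
    wrongKey: verify(publicKey, rpId, challenge, other.sign('https://shop.example', challenge)),
  };
}
console.log(demo());
```

The server holds only the public key, so a breach of its database yields nothing that can sign a login, and the lookalike host gets no response at all because the device has no key registered for it.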

How Passkeys deal with edge cases

There is also flexibility in the system, where it’s required. Given that your Passkeys are stored on iCloud Keychain, you might ask how you’d sign into a service or website on a PC or Android phone. Here, things do get a little more complex, but not onerously so.

You’re asked to scan a QR code with your phone, which then securely connects to the target device over Bluetooth. You then authenticate as normal and you’re in. (This process adds further security through Bluetooth’s limited range determining your close proximity to the device in question.)

You can use an iPhone and Passkey to sign into a website on a PC.

You can also share a Passkey with someone you trust, so you can both more securely access shared accounts, such as for an online grocery store. In this case, proximity comes into play by way of AirDrop. At present, the main limitation is that Passkeys can only be shared one at a time.

Similarly, there are questions regarding mass Passkey transfer between devices in different ecosystems, should someone wish to switch from iPhone to Android, or vice-versa. However, the security benefits of Passkeys outweigh such drawbacks, and it’s likely we’ll see answers and solutions to these questions over the coming months.

What you should do until Passkeys arrive

Apple describes the transition to Passkeys as a journey – and things won’t change the second iOS 16 lands. In the meantime, you must therefore keep your accounts secure, to the best of your ability. We’ve covered this territory before, but let’s go over the basics in brief.

When making new passwords, use your operating system or password manager’s suggestion. Should you require answers to challenge questions, use randomized strings for them as well and add them in the notes section of your password manager.

Look for and update existing weak or compromised passwords by making use of the security recommendations in Settings > Passwords and data breach information on haveibeenpwned.com. And wherever it’s offered, employ two-factor authentication, ideally in a manner that uses an authenticator app on your iPhone, rather than codes sent by text message.

Finally, look forward to a world of Passkeys, in which such hassles will be gone forever.