So…we got this new thing coming we found out today…and from what I’ve seen so far it’s not real clear exactly what it is. On one hand…it’s going to “do away with passwords” according to Apple but actually it will never do that since whatever cross platform standard thing that all the companies agree on will probably never be adopted by all the web sites one might use…and that means we’ll still need passwords for those.
In the interim…those sites that currently use passwords only will continue to do so even after Ventura ships and we have Passkey…and from what I can gather there will be a Passkey app that (hopefully) will be more user friendly than Keychain Access…that Passkey will operate on the iCloud Keychain and sync back and forth between devices…and that Passkey will use your biometric authenticator (face or touch) to open and automatically send either the regular userid/password or the new and improved Passkey authenticator to the site…and I guess that will be better than the current Safari passwords that it remembers and enters but only for Safari and may or may not sync between devices…I’ve been a long time password manager user so don’t really use either Safari or Keychain for things like that. In addition…iCloud Keychain currently AFAIK doesn’t allow attachments which means it can’t replace a password manager for me…yet…anyway.
ZDNet claims that Passkey is better than a password (and presumably a password manager) because they’re encrypted while passwords aren’t encrypted (except they are in the password manager and in Safari although its encryption might be less than adequate…don’t know).
Did anybody get a better idea from the keynote or from reading sites or quick takes or whatever on how actually useful Passkey might be? I know that Apple will say it’s the best thing since sliced bread…but a lot of the time especially early like this they’re pretty light on details of implementation and talk about things in the best light while ignoring things that it might not do. I also don’t fully understand how if they never leave your device what exactly gets transmitted to the web site for authentication. Perhaps this is similar to or incorporates the SQRL identifier that Steve Gibson of grc.com invented and I believe made open source for others to use…essentially it identifies you as user 1234567j9qtx with no actual identification to you as a person…which I would think websites won’t like because they like to profile you so that their advertisers (or them) can serve you more targeted ads, sell your info to Google or whoever, and get more per click because of the targeted ads. Identity-less authenticators sound like a good thing in theory from the user side but from the web site side they leave a lot to be desired monetarily I would think.
Anyway…thoughts? Or is this one of those things that nobody really has figured out yet whether it’s actually going to be useful or not?