Why Passkeys Will Be Simpler and More Secure Than Passwords

Originally published at: Why Passkeys Will Be Simpler and More Secure Than Passwords - TidBITS

Passkeys are a new way to log into websites and apps that replaces passwords. The industry-standard passkey technology is simpler and more secure than passwords (even with two-factor authentication), resists phishing, and is built to be compatible across browsers and platforms.


“Apple has built passkey support into iOS 16, iPadOS 16, macOS 13 Ventura, and watchOS 9, slated for release in September or October of this year.”
Two of my Apple devices are not going to be further upgradeable come this fall. At this point I’m assuming that any passkeys I might have will not be very “portable.” True?

Agreed. The other question I have is whether Apple’s system will be cross-browser. Apple will certainly have tight integration with Safari, but what about those of us who prefer to browse with Chrome, Firefox, Edge or other popular non-Apple browsers?

Will there be a macOS API so browsers can use passkeys managed by the system? Or will each browser manufacturer include its own FIDO implementation? And if it’s the latter, will this mean that each browser will need a separate registration with web sites?

I’m hoping that Apple designs a common API for passkeys so browsers from all vendors can share the same set. Presumably, no browser (not even Safari) should be allowed to actually read the key, since that would allow a compromised app to exfiltrate the data, but they can probably use an API where apps can send in content to be encrypted/decrypted/signed/validated without actually seeing the key.

A passkey is supplementary to other authentication. So each website will make its own decisions, but on one that accepts passkeys, you should probably also be able to:

  • Use a FIDO2 hardware key with a WebAuthn login
  • Use 2FA
  • Use a password-only account

It’s possible if you upgrade to a passkey, a website will only allow fallback to WebAuthn or 2FA, though.

You may be able to relay logins via an iPhone or iPad running iOS 16 on a device that is a version or more behind, too. Remains to be seen how that works.


Great question. I suspect Safari only for direct OS integration, but Google will probably allow passkey integration across the Chrome browser, Android, and ChromeOS if the right pieces are in place for secure local public-key storage on device.

Right now, Apple doesn’t allow the presentation of the Passwords login items within other browsers, although apps can allow a login to the app only using Passwords entries. By that logic, passkeys would be locked to Safari for generic website logins. However, Apple’s commitment to supporting an industry standard they helped form may result in a different choice with passkeys.


Will this “passkey” system be mandatory in iOS 16, WatchOS 9, etc ? Will I still be able to use the passwords I already use in iOS 15 on my iPhone & iPad Mini since I go to the same software/places (such as Apple’s Mail.app) on my 2011 iMac and 2011 MacBook Air which are limited to Mac OS 10.13.6, and my 2015 MacBook Pro which I believe will not go higher than MacOS 15.x

Or will the “passkey” just be used to log into the hardware only?

No, it’s an option for websites to implement for logins. I’m not clear if any apps would do the same—it requires a WebAuthn server on the other end and conceivably some apps could authenticate through it?

However, it’s not mandatory, doesn’t affect IMAP/POP/SMTP, and isn’t related to device passcodes for unlocking your hardware.

Nothing to do with that at all. A passkey is an operating system’s method of creating a secure login for a website in which the private part of a pair of encryption keys is stored only on the device or synced securely among your devices:

  • Your login “secret” is always retained on your device, and is protected by Touch ID, Face ID, or your device password.
  • The website only receives a shareable portion of the key that it can use to validate that you’re legitimate, but which a third party cannot use to forge a login that appears to be from you.

Put another way:

  • Devices have passwords (or passcodes), a way to validate via Secure Enclave on nearly all iOS/iPadOS devices and increasingly most Macs in use that you have the right to unlock the device and use it.
  • Websites rely on passwords, passwords plus additional factors, WebAuthn hardware-based logins, or the future passkeys as a way to authenticate yourself to the website with a secret only you should know. A password can be stolen, cracked, or guessed; a second factor, intercepted or phished; a WebAuthn token or passkey has no easily available component that can be forced, phished, intercepted, cracked, or guessed.

Holy smoke. What an incredibly well-written informative article about a complex but important topic. I nominate for Pulitzer. Or a DogCow at least. Moof!


I’m thinking, yup. Anything else just wouldn’t be Apple. “This won’t be a walled garden. This won’t be a walled garden! This WON’T be a walled garden. BTW, MacOS will only support it in Safari.”

Things are interoperable, or they’re not. They can’t be both.

If Chrome, Firefox, and Safari each have separate keystores, this is going to be a big mess. How many people honestly never change browsers? I must switch every couple of months to a year and it’s already a hassle, plus I have maybe 5 computers I use regularly and I’ve found syncing between even separate instances of the same kind of browser to be often hinky, and that’s assuming you trust the idea of being locked into centralized services… the amount of spam I get to email addresses I’ve given out only once each, to major communications service providers who presumably have industry standard security, leads me to have a hard time trusting my most private authentication information to 3rd party servers. And, hopping from device to device, I’ve found even networked password managers too inconvenient to use, so I don’t know how a similar system is going to work when it’s 256-character cryptographic keys instead of passwords.

As to the Chrome/Android ecosystem, personally, I’m trying to divorce Google completely. Nuff said. They’ve still got my email going through their servers, but that’s it, and that won’t be for much longer.

The idea of passkeys is great. If we lived in a world where the corporations that make our hardware and software had a business interest in making tools to serve our needs, rather than their own, and built for interoperability instead of trying to rope us into proprietary software and “Embrace, Extend, Extinguish” schemes, I’d welcome this smart solution to the obvious drawbacks of passwords.

But here in the real world? Maybe the Linux folks will get a good implementation of this, at least…

I hate to be a pessimist, but I can’t pretend Apple’s direction over the past 15 or 20 years is something other than what it has been. Ever since Steve Jobs told the guys at Panic, “You guys are a little pushcart on the tracks and we’re a great big locomotive about to run you down”, I’ve noticed a lot more effort to try to control the uses of their products, and rope people into exclusively using Apple apps and devices, than to provide real flexibility and interoperability that might encourage an independent ecosystem of third-party products and services.


I’ve been reading all the posts about Passkeys and come across the acronym FIDO. I keep thinking DOG!

Please educate me —what does FIDO stand for? And now I see FIDO2!

Fast IDentity Online.

I can’t believe that there won’t be a solution to this. But, until there is, I believe the way FIDO is designed is that you have one device that knows your identity and contains all of your passkeys (for almost everyone, an iOS or Android smartphone.) Yes, Apple will sync passkeys to other devices with the same Apple ID using the same iCloud Keychain syncing that we use today, and Google will do the same between Android and Chrome browsers signed in to the same Google account. But on a browser where you are attempting to log in to a system using FIDO for the first time, where the passkey has not already synced, the web site will do something like show a QR code, your unlocked smartphone will scan the code, authenticate with the server, then the server will allow the browser to download the unique private key, so it will be on the browser (something besides Safari on a Mac, something besides Chrome if you own an Android phone) going forward.

The biggest issue is how do you switch from an iOS to an Android phone, or vice versa? Especially if you no longer have the old device (lost, stolen, broken, etc.) Apple and Google cooperated on the COVID-19 exposure notification system - I believe that they will come up with a joint solution of some sort that will allow these private keys to move end to end encrypted somehow between their platforms.


It’s not just switching. It’s syncing the data stores between them. I own both an iPhone and an Android phone. And I use computers running macOS, Linux and Windows.

With cross-platform password managers (e.g. 1Password or the password managers built-in to many popular web browsers), your passwords can be seamlessly synced between devices. Will there be a way to securely do this for your passkeys? Right now, it’s anybody’s guess.

Maybe 1Password will add passkey support (using their own key storage if they can’t access Apple’s), and provide cross-platform support that way, but again, there’s no way to know at this time.

And there’s still the issue of cross-browser compatibility. For instance, I use Firefox almost exclusively on my desktop/laptop computers, but I run Safari on my iOS devices. Apple may sync the passkeys (via iCloud keychain) between my devices, but if the non-Safari browsers can’t use them, then it’s of little use to me.

I’m not one to slam a new product because of random speculation, but I believe the ability to easily migrate passkeys between different operating systems and apps is a critical feature that will need to be addressed in order to gain wide adoption of this tech.

With passwords, you can always manually migrate your data if you need to (you can just write them down, if nothing else works for you). But with a cache of cryptographic private keys, that won’t be an option for most of us.

I know that the FIDO people are working on this problem, but I don’t think we know when a standard will be released and how long it will be until OS and browser makers (especially Apple, Microsoft and Google) get on-board to support that standard.

Like with Wi-Fi, it sort of stands for nothing, even though it has the ostensible definition provided above. FIDO Alliance is the group of companies, and some of the standards are also labeled FIDO, but it’s more branding? Like “FIDO2” bundles the W3C Web Authentication API (WebAuthn) and FIDO’s in-house Client-to-Authenticator Protocol (CTAP). Wi-Fi 6, similarly, is 802.11ax plus a bunch of other 802.11 and other specs wrapped into an easy-to-say moniker.


This is a big improvement over the current system in which you need to bring up a password on your device and then painstakingly type it in, with all the concerns about password phishing, someone seeing your password, and just typing a unique, strong password into a browser while sometimes balancing a phone!

Apple hints at this in the presentation. Adam and I had a whole behind-the-scenes discussion, as he initially assumed passkeys required Secure Enclave. But I dug through what’s available, and I realize it cannot, because the passkeys can be shared. If it were a one-way encryption storage house, like with your device password, you wouldn’t be able to share the private key portion of a passkey.

Thus, passkeys are much more like passwords managed by the Passwords feature across iOS, iPadOS, and Safari 15 or macOS 12. As part of compatibility, I’m going to wonder if you’ll be able to securely export your entire set of passkeys to import onto another platform? Huge security issue: if you can export your passkeys in quantity (like 100s or more), that’s a bigger risk than a one-at-a-time export. So we’ll see how that gets finessed.


Most people live in single ecosystems for hardware, but not for software, so I agree, since this is a web-oriented solution, not a device-oriented one for logins. So if I use Chrome on a Mac and I’m all in for Apple, I still have a passkey problem. Likewise, if I use Windows at work, have an Android smartphone, and a Mac at home—much worse.


One question that I don’t see addressed anywhere is how passkeys will affect a Mac user’s ability to help another Mac user remotely. I offer tech support to several family members and to clients, and most of the time I help them out remotely. They trust me enough to share their passwords with me, but I don’t have the “proximity” advantage that comes with being next to them when trying to help them out. I guess we’ll see how this plays out in the years to come.


Tell me which part concerns you? This won’t affect logging into or remotely accessing a Mac, and websites clearly won’t abandon passwords for a long time to come—some sites will probably offer a way to opt into making passkeys your primary login method with additional protections if you need to use a backup method. But for people who already are daunted by using the Internet, etc., their accounts will probably remain password-only or password-plus-second-factor for many, many years.


Oh yes, I am not worried about the immediate future. And I didn’t mean to suggest that I was “concerned” — just curious about how this change will affect remote tech support.

I am just basically wondering about how this might play out. It could very well be that things will be easier. For instance, I have a client who’s almost blind and getting him to type passwords correctly (when I cannot type them for him remotely) can be pretty challenging at times. I can easily imagine having to set Face ID for him once and then using that and passkeys to avoid having to deal with passwords altogether.

We’ll see, I guess. Thanks for the article.

So, again I put that part in my post you replied to above. When you encounter a web site that you’ve not authenticated with before in Firefox, presumably the web site will show a QR code, you will unlock your phone, use its camera to get the QR code. If you have a passkey, it will let the server know, and then the passkey will get added to Firefox’s passkey store for use from that point forward, and Firefox will likely have its own passkey sync service to sync with other devices on which you use Firefox, as FF does now with passwords. Or perhaps MacOS will have a way to capture using a key combo to authenticate using the Mac’s keychain itself. Or both.

It’s also possible (likely?) that Apple will offer an API that will allow signed third party apps like Firefox, Chrome, the Kindle app for MacOS, etc., to access passkeys stored on your Mac.

We don’t know for sure yet. Passkeys aren’t even implemented yet (well, actually I think that Apple is already using passkeys when you try to log in to Apple ID online, as I know when I try it allows me to authenticate using my user account passphrase, and sometimes even my Apple Watch with a double-click of its side button - but I’m not really sure if that’s FIDO2), and it’s likely that they will be available only for a few web sites and services at first, and those services likely will still offer typical userid/password at the same time, and likely for quite a while.

That’s not what I believe happens. If you review the video, the QR code allows an iPhone to authenticate for a session (add a new device as an authenticator), but it does not create a method for new enrollment by the website with a passkey.

From the video:

This cross-platform sign-in experience is a first-class system feature that’s part of the standards behind passkeys. On the surface, it appears incredibly simple, but this is not just a QR code. Behind the scenes, the devices are performing a local key agreement, proving proximity, establishing an end-to-end encrypted communication channel, all to let you sign in in a way that’s easy but maintains the strong phishing resistance of passkeys. It works great for allowing me to sign in securely to my account on any device…

I just had confirmed on Twitter by a Microsoft person involved in this effort that passkeys will be ecosystem unique, too—that bodes poorly right now for syncing or coordinating among devices or browsers not in the same ecosystem, but this is the first generation rollout of this technology.

If you need a way to use a passkey-like element across browsers and operating systems, get a FIDO2-compatible hardware key from Yubico. Broadly supported. If you work entirely inside Apple’s ecosystem (devices and Safari) with occasional non-Safari logins on your own or other devices, an Apple-managed passkey should work very well.
