Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.
For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.
So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.
When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.
A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don’t exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)
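As an added illustration (not Apple's or FIDO's code), this Node.js sketch shows the public-key challenge-response that WebAuthn-based passkeys rely on, and why a signature bound to one site's origin is rejected when it comes from another site or is replayed. The origins, the function names, and the reduced `authenticatorData` (only the relying-party ID hash) are assumptions made for the example.

```javascript
// Added illustration: simplified WebAuthn-style challenge-response (not Apple's code).
const nodeCrypto = require('node:crypto');

const RP_ORIGIN = 'https://example.com'; // constructed relying-party origin
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the device creates a key pair; only the public key goes to the site.
function register() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Device side (browser and authenticator merged for brevity): sign the server's
// challenge together with the origin the browser actually reports.
function deviceSign(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const rpIdHash = sha256(new URL(origin).hostname); // stands in for authenticatorData
  const signed = Buffer.concat([rpIdHash, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signed, device.privateKey);
  return { clientDataJSON, rpIdHash, signature };
}

// Server side: check type, challenge, origin, then the signature over the same bytes.
function serverVerify(serverRecord, expectedChallenge, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  if (clientData.origin !== RP_ORIGIN) return 'wrong-origin';
  if (!assertion.rpIdHash.equals(sha256(new URL(RP_ORIGIN).hostname))) return 'wrong-rp';
  const signed = Buffer.concat([assertion.rpIdHash, sha256(assertion.clientDataJSON)]);
  const ok = nodeCrypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const { device, serverRecord } = register();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = serverVerify(serverRecord, challenge, deviceSign(device, challenge, RP_ORIGIN));
  // Same challenge, but the signature was produced on a different (constructed) origin.
  const otherSite = deviceSign(device, challenge, 'https://other.example.net');
  const relayed = serverVerify(serverRecord, challenge, otherSite);
  // An earlier assertion presented against a fresh challenge.
  const old = deviceSign(device, challenge, RP_ORIGIN);
  const replayed = serverVerify(serverRecord, nodeCrypto.randomBytes(32), old);
  return { genuine, relayed, replayed };
}

console.log(demo());
```

The server never holds anything secret here: a breach of `serverRecord` exposes only public keys, which cannot be used to sign in.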
Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.
In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”
This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.