As we reported, Apple added support for passwordless authentication to its products last year. This technology is called Passkeys. It eliminates the need for text-based passwords and provides end-to-end authentication across devices using only one Apple device (iPhone, iPad, Apple Watch) for biometric control.
Refusal to use passwords when working with mobile and desktop devices and when visiting online services is one of the main security trends now. The new technology is receiving positive feedback and support from the industry. Multi-factor authentication standards have been developed for it. Previously, the only thing missing was real mobile devices where this technology would have seamless integration, but now it is fully implemented and successfully functions, organically integrating into the global process of abandoning passwords as the primary method of accessing protected resources.
Passkeys passwordless technology
Passkeys technology provides end-to-end support for working with credentials across different platforms. The technology uses cryptographic techniques, generating a unique pair of keys – a public key that is shared with the service and a private key stored securely on the user's device. This approach is more secure than traditional passwords because the private key never leaves the device, reducing the risk of interception or theft. Additionally, Passkeys are end-to-end encrypted, ensuring that even Apple cannot access them.
Passkeys was developed in collaboration with the FIDO Alliance (Fast IDentity Online), an industry organization created in 2012 to address the challenges of secure, device-based network access with strong authentication requirements, and industry partners such as Microsoft and Google. The main idea of the Passkeys technology is a complete rejection of the use of passwords as the weakest link in the construction of all modern security systems.
With this technology, Apple is making big plans for the future: to qualitatively revise the technology for working with credentials used for authentication, switch to using next-generation data, and implement more secure, easy-to-use systems that eliminate the use of passwords altogether.
Access keys
The new type of access keys uses data obtained using Apple biometric technologies - Touch ID or Face ID. Once you have created access keys for working with the website, you can use them in the future. Simply read the QR code and take a thumbprint or look into the selfie camera for authentication. The rest of the verification is performed by the authentication mechanism.
Access keys are backed up in iCloud Keychain. They provide end-to-end authentication across devices - Mac, iPhone, iPad, and Apple TV. Encryption is end-to-end and consistent across all connected devices.
Technology for secure access to a website or application is available even for third-party devices, as long as you have an iPhone or iPad for initial authentication. To confirm access, simply scan the provided QR code or use Touch ID or Face ID.
The introduction of Passkeys by Apple significantly streamlines the user's experience. With Passkeys, account creation and sign-in are greatly simplified. To confirm access, simply scan the provided QR code or use Touch ID or Face ID. Technology for secure access to a website or application is available even for third-party devices, as long as you have an iPhone or iPad for initial authentication.
Distribution of passwordless WebAuthn technology
Apple uses the existing API web authentication technology WebAuthn to implement passwordless access. Thanks to it, unique access keys are created. The WebAuthn API is gaining traction as a standard for web authentication, recognized by the World Wide Web Consortium (W3C). This endorsement underlines the industry's commitment to moving away from traditional password-based authentication.
The use of new technology involves support for this API on the side of the website being visited or the application being accessed. The created authentication keys are stored strictly on the user's device; they are not transmitted to the web server. Instead of entering a password, the visitor is prompted to authenticate using biometric verification via Touch ID or Face ID.
As a result, the password used cannot be forged: it never leaves the user's Apple device. There is also no possibility of falsifying a fake website; the threat of stealing the access key, for example, through phishing, is eliminated. The passkeys you create work only in certain apps and are securely synced between Apple devices using iCloud Keychain.
Many web services already support WebAuthn technology. For example, some email services provide the ability to log into your account using electronic keys instead of passwords.
A notable example is GitLab, which mandated the use of WebAuthn devices as the sole method for logging into Okta, their primary platform for accessing SaaS applications. This shift was largely driven by the need for more robust, phishing-resistant multi-factor authentication (MFA). By leveraging the built-in biometric capabilities of devices (like Touch ID on MacBooks) and providing YubiKeys for users on other platforms, GitLab successfully implemented a more secure and user-friendly authentication process.
Microsoft, Yahoo, and Amazon are talking about widespread support for WebAuthn technology today. These companies intend to completely abandon password access and switch to passwordless authentication methods in their services in the very near future.
Complementary security measures
In addition to passwordless authentication, comprehensive cybersecurity strategies also include the use of antivirus software and other protective measures. Antivirus programs help detect and prevent malware threats, while passwordless authentication strengthens the security of access points. This multi-layered approach is essential in today's digital landscape to safeguard against a wide range of cyber threats.
Going forward
The introduction of Passkeys by Apple is a significant step in the journey towards a passwordless future. This technology not only enhances security but also improves user convenience, marking a major shift in how authentication is perceived and implemented in the digital world. The seamless integration of Passkeys into Apple's ecosystem and their alignment with industry standards underscore the potential for broader adoption in the tech community.
Obviously, completely eliminating the use of passwords is a long process. Most likely, passwords will remain an option, giving way to new technology. However, the arrival of WebAuthn support on new Apple devices indicates that the mass transition has already begun.