Reliance on the traditional password is decreasing as companies shift toward more secure alternatives. In 2022 Apple, a pioneer in both user experience and security, embraced a new authentication method called passkeys.
Passkeys offer a more secure, frictionless, future-ready way to sign in on macOS and iOS devices. Built on strong cryptography and on biometric capabilities such as Face ID and Touch ID, they improve both security and convenience for end users.
Next, we will look at how Apple implemented passkeys, the cryptography behind them, and why they are set to become the future of authentication beyond passwords.
Apple's adoption of passkeys: Password-free future
Apple's commitment to stronger security for its users led to the adoption of passkeys. Passkeys are based on FIDO2, a standard developed by the FIDO Alliance that enables passwordless authentication based on biometric data and asymmetric (public-key) cryptography.
A key component of FIDO2 is WebAuthn, a web authentication standard enabling users to log into devices using passkeys via browsers.
Apple's passkey system is built on a framework that allows for secure user authentication without passwords, which are susceptible to security breaches, phishing attacks, and human error. Apple first introduced passkeys to its ecosystem with macOS Ventura and iOS 16.
The cryptographic underpinnings: Asymmetric encryption at its core
Passkeys are based on asymmetric (public-key) cryptography, which takes a different approach from password-based authentication.
Instead of depending on a single shared secret (the password), asymmetric cryptography uses a key pair: a public key and a private key. The pair is generated when a user registers with a service, for example an app or website.
Through WebAuthn, the public key of that pair is passed to the website or application via a secure API, which lets the service verify the user with biometrics or device-bound cryptographic keys instead of relying on a traditional password.
The public key is stored on the service's servers, where it can be public, while the private key stays safely stored on the user's device.
When the user logs in, the service sends a challenge to the user's device, which signs the challenge with the private key.
This way, even if a man-in-the-middle intercepts the communication, they obtain only the public key, which is useless without the private key. As a result, passkeys are highly resistant to phishing attacks and other common password-related breaches.
How passkey integration works with Apple's Secure Enclave in macOS and iOS
Apple's Secure Enclave is an increasingly important component in how passkeys do their job.
The Secure Enclave is dedicated hardware within Apple devices whose role is to store sensitive data: biometric information, encryption keys and, now, passkeys.
The Secure Enclave ensures that the private key, the most sensitive part of the whole passkey mechanism, is kept in one place and never leaves the device. This hardware isolation keeps malware, unauthorized access, and system attacks from reaching that data. Even if an attacker successfully breaks into the device, they will not obtain the private key held in the Secure Enclave.
So when a user logs in with a passkey, the authentication happens entirely within the Secure Enclave, and the operating system never has access to the private key. This hardware-based security reduces the chances of such breaches and builds on Apple's already strong security ecosystem.
Touch ID and Face ID: Enabling seamless passkey adoption
Perhaps one of the biggest advantages of passkeys is how they integrate with the biometric authentication methods Apple uses: Touch ID and Face ID. Apple has long championed biometric data as a secure, user-friendly way to authenticate users, and with passkeys it is taking that one step further.
Authentication with a passkey is as simple as scanning a fingerprint or having your face recognized. Once the passkey is set up, the user logs in to websites and applications without having to type a thing.
Because biometric authentication integrates seamlessly with passkeys, it frees you from typing long, complicated passwords, adds convenience, and greatly reduces password fatigue, the state in which users tend to reuse weak passwords across different service providers.
Companies like OwnID build on Apple's biometric capabilities to offer seamless passwordless authentication, making passkey adoption even easier.
By leveraging innovations like Face ID and Touch ID, OwnID passwordless authentication helps businesses transition to passkey technology, providing a frictionless and highly secure login experience across platforms.
Reducing the attack surface against phishing and credential stuffing
One of the most common attack vectors is phishing, where users are tricked into entering their passwords on fake websites. With passkeys, this threat is almost entirely eliminated.
Since passkeys are tied to the device and cannot be shared, phishing attacks that rely on stealing passwords become irrelevant. Also, because WebAuthn binds each passkey to a specific domain, the passkey won't work even if a user is tricked into visiting a fake site.
Passkeys also protect against credential stuffing, an attack in which stolen passwords from one service are used to break into others: because each service gets its own unique cryptographic key pair, one compromised key cannot be used to breach other accounts.
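The challenge-response flow from the cryptography section and the domain binding and per-service keys described here, as an added Go model that is not Apple's, the FIDO Alliance's or OwnID's code: the authenticator holds one P-256 private key per relying-party ID and signs a server challenge bound to that ID, so a constructed lookalike domain (example-login.com) gets no signature and an old signature fails against a fresh challenge. The names Authenticator, Register, Sign, signedMessage, newChallenge, verify and RunScenario, and the simplified signed message, are assumptions of this example rather than the WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator models the device side (the Secure Enclave on Apple hardware):
// one private key per relying-party ID, and no private key ever leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// Register generates a fresh P-256 key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without entropy
	a.keys[rpID] = priv
	return &priv.PublicKey
}
// Sign answers a challenge for the rpID the browser derived from the page's origin.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, found := a.keys[rpID]
	if !found { // a lookalike domain has no key here, so nothing gets signed
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
	return sig, err == nil
}
// signedMessage binds the rpID hash to the challenge, much as WebAuthn's rpIdHash and clientDataHash do.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.Sum256(append(rpHash[:], challenge...))
	return h[:]
}
// newChallenge is the server's per-login random nonce; a fresh one each time defeats replay.
func newChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
// verify is the server side: it holds only the public key and checks against its own rpID.
func verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}
// RunScenario registers with example.com, then tries a real login, a login from a constructed
// lookalike domain, and a replay of the old signature against a fresh challenge.
func RunScenario() (legit, phished, replayed bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub := auth.Register("example.com") // the server stores this under the user's account
	c := newChallenge()
	sig, _ := auth.Sign("example.com", c)
	legit = verify("example.com", pub, c, sig)
	_, phished = auth.Sign("example-login.com", c)
	replayed = verify("example.com", pub, newChallenge(), sig)
	return
}
```

Only the public key and a per-challenge signature ever reach the server, which is why a stolen server database or an intercepted login yields nothing reusable.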
Passkeys: The future of authentication
As Apple continues to smooth and broaden passkey use, we're marching toward a passwordless future. With such easy and secure authentication, built on top of strong encryption and Apple's Secure Enclave, passkeys should be the default method of authentication.