Standards. A group of technology giants, including Apple, Google and Microsoft, have banded together to form the FIDO Alliance. This is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. FIDO promotes the development of, use of, and compliance with standards for authentication and device attestation.
Apple is the first of the major players in FIDO to bring out its standards-compliant solution for removing passwords from online security. The new technology is called Passkeys and will debut this fall on all of Apple’s operating systems: macOS Ventura, iOS 16, iPadOS 16, and Apple TV.
How do Passkeys Work?
Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server, and stay on your device. Hackers can’t steal Passkeys in a data breach or trick users into sharing them. Passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
When you create an online account on a website, you will use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” said Darin Adler, Apple’s VP of internet technologies.
When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (Using iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.
A password-less system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)
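The public-key sign-in and the phishing and breach claims above can be seen in a simplified WebAuthn-style check. This is an added example, not Apple's or FIDO's code: the relying party `example.com`, the lookalike origin, and all function names are assumptions, and attestation, CBOR parsing and signature counters are left out.

```javascript
// Added illustration: simplified WebAuthn-style assertion check (not Apple/FIDO code).
const crypto = require('node:crypto');

const RP_ID = 'example.com';            // assumed relying-party ID
const ORIGIN = 'https://example.com';   // assumed legitimate origin
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Device side: the private key stays here; only the public key is registered.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Device side: the browser records the origin it is really on, then the key signs.
// Simplification: this signer answers for any origin so the server check can be shown.
function signAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const rpId = new URL(origin).hostname;
  // rpIdHash (32 bytes) | flags 0x05 = user present + user verified | signCount (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: holds only the public key and the challenge it just issued.
function verifyAssertion(publicKeyPem, expectedChallenge, a) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (cd.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKeyPem, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const passkey = createPasskey();
  const challenge = crypto.randomBytes(32);           // fresh per login attempt
  const good = signAssertion(passkey.privateKey, challenge, ORIGIN);
  const phished = signAssertion(passkey.privateKey, challenge, 'https://examp1e.com');
  return {
    legitimate: verifyAssertion(passkey.publicKeyPem, challenge, good),
    lookalikeOrigin: verifyAssertion(passkey.publicKeyPem, challenge, phished),
    replay: verifyAssertion(passkey.publicKeyPem, crypto.randomBytes(32), good),
  };
}
console.log(demo());
```

The server's database holds only `publicKeyPem`, which cannot be used to sign in, and a response captured on a lookalike site or from an earlier login fails the origin or challenge check.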
When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms Apple is the first company to roll out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”