===============
== seedy.xyz ==
===============
Sierra's little corner of the internet

Apple Passkeys: Passwords Aren't Dead Yet

apple fido ios ios16 ios16-1 macos security

iOS 16 is right around the corner, and one of the big features I’ve been messing around with is Apple’s Passkeys (developer.apple.com), which they claim will “end the password” as we know it. Password management is frustrating and I have more passwords than I can keep track of, but I don’t think that they will die any time soon. I thought I’d share my experience using Passkeys in a few places, and sort out exactly what they are and why, at this point, they aren’t a primary authentication method. Disclaimer: I am not actually any expert on security, but I do know enough to try and explain everything in simple terms.

Some Definitions

First, it’s important to understand the distinction between a Password, an OTP Code, and a FIDO Token. It may seem a bit basic, but it’s important to establish what they’re used for versus what Apple wants them to be used for.

  1. Password: This one is pretty self explanatory: you type it in, or copy and paste it from your password manager, to log in to a site. This is a primary method of authentication, i.e. the password is the first thing you enter when logging in. Apple wants to kill the password in its entirety, which is a noble effort given how difficult it is to manage dozens of different passwords in a way that balances the effort an average person will actually put up with against being hard enough to guess, and unique enough that one site’s leak doesn’t compromise every other account.

  2. OTP Code: This is when, after you type in your password, you get a one-time password (the “OTP”) from an app like Authy, or via text or email (far less secure). This was the first popular way to have a secondary method of authentication: something you type in after you submit the correct password, usually only when you’re logging in from a new device or location. The SMS version isn’t very secure anymore, as it’s been easy for attackers with just a phone number to call cell providers and transfer your service to their SIM card (a “SIM swap”) and intercept those codes. As for apps, all they do is generate a code with an algorithm (TOTP) that takes a shared secret, handed over when you scanned the setup QR code, and the current time to get a number every 30 seconds or so that the website will recognize; the site holds the same secret, so either side can produce the code. Because the code is still just digits typed into a web form, a phishing page can relay it to the real site within the 30-second window, so app-based codes stop SIM swaps but not phishing. Some services, usually mobile apps (e.g. Telegram), will only send a code via SMS to log in instead of a password. Apple lets you use their password manager (iCloud Keychain) to also generate OTP codes so they’re all in one space for autofill. This will be more important later on.

  3. FIDO Token: These are asymmetric key pairs, much like PGP or SSH keys, but handled invisibly to the user, and were originally designed to live on USB keys as a secondary authentication method. After you enter your password, your computer prompts you to plug in (and touch) your USB key, such as a YubiKey, read a fingerprint in some cases, and log in more securely than with an OTP: the key signs a challenge that is bound to the real site’s domain, so it can’t be phished the way a typed code can. The first version of this, FIDO U2F, was a second factor for web accounts; the later FIDO2/WebAuthn standard lets the same key pair act as a primary factor (a “discoverable” or “resident” credential) so that no password is needed at all. The most important thing here is that Apple Passkeys are FIDO2/WebAuthn credentials stored in iCloud Keychain WITH your passwords AND OTP codes, and synced across your devices rather than locked to one piece of hardware. As it stands right now, FIDO tokens aren’t a replacement for a password in most places, only a replacement for typing an OTP code.

Using iCloud Passkeys

Apple’s desired usage flow is to register accounts with passkeys: the device generates a key pair, keeps the private key (which the user never sees) in iCloud Keychain along with the username and the website it was made for, and hands only the public key to the site. Then, when logging in, instead of typing in a username and password, you type in the username (or pick the account from the autofill suggestion) and a native OS prompt asks for the device’s PIN or biometrics to sign in. What makes this phishing-resistant is that the site sends a fresh random challenge and the device signs it together with the domain the browser is actually on; a fake site on a different domain gets a signature the real site will never accept, and the browser won’t even offer a passkey that was registered for another domain. If you aren’t on a Mac that you’ve signed into iCloud on, the site will display a QR code that you can scan with an iPhone or iPad to load the prompt, similar to Discord letting you sign in on desktop with the mobile app. Theoretically, one would only need an iPhone to sign in to accounts, and it wouldn’t matter if you use Windows or Linux on desktop, but as it stands right now, support isn’t there.
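The challenge-and-domain binding described above, as an added example that is not Apple’s code or any WebAuthn library’s: one function plays the passkey (it signs), the other plays the website (it verifies). The authenticator data layout and the clientDataJSON fields follow the WebAuthn spec; the domain names, the counter value and the look-alike phishing origin are constructed for the illustration, and CBOR encoding, attestation and counter tracking are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is the JSON the browser assembles and the passkey signs over. The browser,
// not the web page, fills in Origin, so a phishing page cannot claim to be another site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the site gets back: authData = SHA-256(rpId) || flags || counter,
// plus an ECDSA P-256 signature over SHA-256(authData || SHA-256(clientDataJSON)).
type assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// newPasskey makes the key pair a registration would create; only the public half goes to the site.
func newPasskey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newChallenge is the site's fresh per-login random value; it is what stops replay.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedDigest is what both sides hash before signing or verifying.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticate plays the passkey. The private key never leaves it; the origin comes from the
// browser and the challenge from the site. The counter value 1 is constructed for this example.
func authenticate(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV (Face ID / Touch ID passed), counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verify plays the site. Each check is a separate reason to refuse: the challenge it issued,
// its own origin, its rpId hash, and the signature under the key registered for this account.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: the response was produced on another site", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	priv := newPasskey()
	const rpID, origin = "example.com", "https://example.com"
	ch := newChallenge()
	good, _ := authenticate(priv, rpID, origin, ch)
	fmt.Println("genuine site:", verify(&priv.PublicKey, rpID, origin, ch, good))
	// Look-alike domain (constructed): same passkey and challenge, but the browser reports the real origin.
	bad, _ := authenticate(priv, rpID, "https://example.com.account-help.net", ch)
	fmt.Println("phishing site:", verify(&priv.PublicKey, rpID, origin, ch, bad))
}
```

Contrast this with the OTP case: the six digits are the same wherever they are typed, but a passkey signature carries the challenge and the origin inside the signed data, so relaying it from a look-alike domain produces something the real site rejects. In a real browser the first check never even runs, because the browser refuses to use a passkey whose rpId doesn’t match the page’s domain.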

In my experience using passkeys, the only service that has it set up the way Apple intends is the Best Buy website, and only the website. The mobile app still requires a password, but you can sign in and create an account using Webauthn and a Passkey. Other sites that have already supported YubiKeys may work with a Passkey, e.g. GitHub, but only as a second authentication factor. Among these sites, if you try to log in on Windows, most of the time it expects you to plug in a physical YubiKey and doesn’t display a QR code to sign in with your phone, forcing you to have OTP set up or to only use Apple devices. Some sites that support FIDO keys won’t detect Passkey functionality, namely Google, and won’t let you set it up at all.

My biggest sticking point is the fact that all your eggs end up in one basket in this situation. It’s more secure to keep unique, random passwords in a password manager and use two-factor authentication than not, but having everything in one spot, under the same entry for the website in iCloud Keychain and synced to multiple devices defeats the purpose. What’s the point of 2FA if someone gets a hold of your device, knows your simpler password to unlock the password manager (since you can’t use it to store your password manager password), and suddenly has access to everything? What if iCloud gets hacked again and all of it is compromised? Sure, it’s easier and less prone to losing access to accounts if the one device that has OTP codes breaks or goes missing or you lose a number, but is it worth the compromise in security (and getting more ingrained into Apple’s ecosystem)?

Final Thoughts

Apple Passkeys are going through growing pains. I have a feeling that Apple’s influence will start to usher in a passwordless future, but as for right now?

  • Passkeys haven’t replaced passwords, they’ve only half replaced OTP codes.
  • Storing Passkeys, OTP codes, and passwords in the same spot is a disaster waiting to happen.

When iOS 16 comes out, I recommend holding off on passkeys unless you have some other 2FA method in place, not only for the lack of good cross-platform desktop support, but also for the lack of first-party support. Passkeys won’t be available on iPad at launch, since Apple is skipping to iPadOS 16.1 on iPads due to UX concerns with Stage Manager (cnet.com). I would wait to dive in until at least iPadOS 16.1 comes out if you use an iPad, and then only mess with it when rotating passwords instead of deliberately going out and changing everything. Of course, if you don’t use Apple products, then none of this applies to you, and Google, Microsoft or someone else might come up with something similar that works more broadly after Passkeys mature.

As for using FIDO for 2FA, YubiKeys (yubico.com) are still the gold standard and work on all platforms, even phones. The benefit to these is that they’re a physical key: the private keys only ever exist on that one object with limited connectivity, rather than on a cloud server the way an OTP secret in an authenticator app or a synced Passkey does. These options are all a bit overboard for the average person, and it always comes down to how much security you’re willing to trade for convenience.