Passwords are a huge problem. Weak or stolen passwords are behind over 80% of hacking breaches, and people are just terrible at managing passwords. We either forget them, use the name of our dogs or kids, or use the same password for everything. Password managers like NordPass or iCloud Keychain can help, but a password is still fundamentally insecure. Passkeys in iCloud Keychain, and the new standard WebAuthn, want to fix this, but can they ever really replace the password? “If Apple rolls this out as standard on its devices, millions of people will become used to it and other tech giants like Google will follow suit,” Christen Costa, CEO of Gadget Review, told Lifewire via email.
Public Keys
The problem with a password is it needs to be kept secret, but it also needs to be shared. iCloud Passkeys use something called Public Key Cryptography. This consists of two keys. The public key can only lock things, so it’s safe to share; the private key can both lock and unlock data, and it never leaves your device. When you sign up to a website or service using iCloud Passkeys or WebAuthn, a new key pair is generated, and the public key is shared with the service, taking the place of a password. The catch is you’ll need to use one of your own devices to log in, but in practice, that will rarely be an issue, and the security benefits are huge. And if you already use a password manager and two-factor authentication, then you’re already on a device running your password manager app. Another problem, though, is if an attacker gets hold of your device, and can manage to access it, then all bets are off. However, iOS and modern Mac devices are very difficult to crack, and stealing a phone is a lot more effort than sending phishing emails.
Passkeys in iCloud Keychain Are Easy
Using Passkeys in iCloud Keychain is simple. When you sign up for a new user account on a website, you enter an email address, and your iPhone will ask you to confirm you’re creating an account. That’s it. The new passkey is stored in your keychain, and the public part is stored by the website. The big difference is the public key is designed to be public. It doesn’t need to be hidden or kept secret. If the website is hacked, stealing all these public keys is pointless, because they won’t do anything. Those massive password breaches you read about every few weeks? They’ll be a thing of the past. “If we examine how passwords work today, first you enter your password, then it’s usually obfuscated through something like hashing plus salting, and the resulting salted hash is sent to the server,” says Apple’s Garrett Davidson in a WWDC session called “Move beyond passwords.” “Now, both you and the server have a copy of the secret, even though the server’s copy is obfuscated, and you’re both equally responsible for protecting that secret.”
What About Your Password Manager?
This tech might seem to spell doom for password manager apps, but it makes little difference. Most users already rely on the built-in iCloud password manager. Power users, the kind of folks who like the extra features, and are decoupling their passwords from their Apple ID, will keep using standalone apps. “No one wants more competitors, but such built-in solutions are not the primary focus of the browser,” says Nordpass security expert Chad Hammond. “Therefore, they don’t solve the same global problems that password managers do. The primary function of a browser is to give the user access to information, and a password manager is only one of the many features it offers. In dedicated password managers, it’s the main feature.” On the other hand, Apple’s reach can put this new authentication technology into many hands, which is a win for everyone. Contactless payments existed before Apple Pay, but only took off in the US after Apple added it to the iPhone. Passwords aren’t going away any time soon, but at last we have an alternative that is inherently secure, easy to use, and doesn’t let you use the name of your dog. Again.