With the rampant cybersecurity attacks and threats in today’s digital age, it is more important than ever to use strong passwords. But even when you use the strongest password, you’re still prone to data leaks and attacks.
That’s why Apple plans to throw passwords out the window in iOS 16 and macOS Ventura. Instead of using passwords, you’ll only need your fingerprint or face to authenticate a login.
Below I’ll discuss everything you need to learn about Apple passkey, including how it works, which devices will support it, and more.
- What are Apple passkeys, and how will they replace passwords?
- How to use Apple passkeys on your iOS 16 and macOS Ventura
- Use passkeys on a non-Apple device
- The security behind Apple passkey
- How to recover your Apple passkey in case you lose your device
- When is Apple passkeys release date?
What are Apple passkeys, and how will they replace passwords?
At the WWDC 2022, Apple announced that it has been working with developers FIDO Alliance and industry partners like Microsoft and Google to move toward a password-less future. As the conference details, both macOS Ventura and iOS 16 will feature passkeys.
Passkeys are unique digital keys or credentials that use biometrics—your Touch ID or Face ID—for a more convenient and secure sign-in experience.
It works pretty much like how you would sign in using your iCloud Keychain. You just select a credential and authenticate with your Face ID or Touch ID—no need to input your username and password.
This security feature uses iCloud Keychain to sync across all your Apple devices so you can access your accounts using any device. Not only that, but you can also use it with non-Apple devices within proximity.
Which devices will support passkeys?
You can use Apple passkeys using your Mac, iPhone, and iPad. You simply need to log in using your Touch ID or Face ID.
Passkeys can also be used on your Apple TV and non-Apple devices simply by generating a QR code that you can authenticate using your Apple device.
Where can you use passkeys?
So far, apps and website developers need to add support for the FIDO standard before you can use Apple passkeys to access them. This isn’t likely to happen anytime soon, and it might take third-party apps longer to roll this feature out.
How to use Apple passkeys on your iOS 16 and macOS Ventura
Creating and using passkeys is very easy. First things first: make sure iCloud Keychain is enabled. If you already have iCloud Keychain on your device, you’re good to go. If not, you first need to enable your iCloud Keychain.
How to setup Apple passkeys
Next, you need to set up passkeys when you initially access an app or website that supports the FIDO Standard. You’ll initially be prompted to register or create an account.
- Tap the Register or Sign Up button. Enter your credentials, possibly an email account, your Apple ID, or a username.
- A prompt will appear asking you to authenticate with your Face ID or Touch ID.
- Your passkey is created.
How to use Apple passkeys to log in
The next time you sign in on the website or app, you’ll be shown a prompt asking if you want to sign in using the saved passkey on your device. Once you tap Continue, your device will need your biometrics to authenticate.
Use passkeys on a non-Apple device
You no longer have to worry about accessing your accounts on non-Apple devices, which is a hassle for many users. Neither do you need to export your iCloud Keychain passwords elsewhere because Apple passkeys promise a convenient cross-platform experience?
Remember that other platforms will also implement the FIDO Standard, including Google and Windows. That being said, there’s a way for you to sign in on a device that isn’t yours or a non-Apple device.
The catch with Apple passkeys is that you’d need your Apple device to be able to use the feature. So while you can log in using a non-Apple device, your Apple device must be in proximity simply because the process will require a Bluetooth connection.
To use passkeys on a non-Apple device:
- Log in to the website or app.
- Just select Other Sign-In Options, then generate a QR code.
- Scan this QR code using your device and authenticate using your Face ID or Touch ID.
Notably, sending a photo of the QR code and scanning them with your Apple device while you’re far away won’t work. Plus, if you’re using another Apple device that isn’t yours, you have the option to share the passkey via AirDrop.
The security behind Apple passkeys
Apple devices are generally well-protected. However, you can still fall victim to social engineering attacks and phishing scams. Hackers can also directly breach websites and access all the passwords stored on their servers.
Apple passkeys incorporate the Web Authentication API (WebAuthn) for a much more robust security measure. The authentication relies on a person’s biometrics to authorize using a “key” stored in the user’s device to access a website or app.
This process eliminates the need for one-time passwords (OTPs) sent via SMS, which skilled hackers can easily spoof. According to Apple’s passkeys support page, whenever you register an account, your device generates a unique cryptographic key pair that will be associated with every account you register on that site or app.
This key pair consists of a public key stored on the server and a private key stored in the person’s device—in the case of Apple devices, in the iCloud Keychain, not visible to the user. Using WebAuthn, the user needs to prove to the server that they have the private key.
They need to use their Touch ID or Face ID to authorize the use of the passkey stored in their device. If the private key matches the public key stored in the server, the user is permitted to access the system. Phishing attacks are impossible in WebAuthn because your device will verify the site’s public key and cannot be tricked into sharing your passkey on a fake website.
Data leaks are also impossible because the server does not hold the person’s password. This is in contrast to traditional security measures, where the server has both your username and password and gives you access to the system when you show it the same key (i.e., enter the password).
How to recover your Apple passkey in case you lose your device
As mentioned, the catch with using Apple passkeys is that you need your Apple device to authenticate access to websites and apps. But what happens when you lose your device?
If you lose one of your devices, you would still be able to access them through your remaining devices since your passkeys are synced across your Apple devices.
However, suppose you lose all your associated devices. In that case, you can still recover your passkeys using iCloud keychain escrow, a secure infrastructure that prevents unauthorized users, even Apple itself, from brute-force attacks.
You’ll need your iCloud account, password, and elected phone number, to which Apple will send an SMS. Then, you’ll need to enter your iCloud security code and authenticate using your device passcode.
Note that you only have a maximum of 10 attempts to authenticate and retrieve your escrow record. After the failed attempt, your escrow record and the Keychain will be destroyed and lost forever.
You may also set up an account recovery contact to ensure that you’ll always have a way to access your account even when you forget your device passcode and Apple ID password.
When will Apple passkeys be released?
Apple first introduced passkeys as part of its announcement of macOS Ventura in the WWDC 2022. It is now available for developers via the Apple Developer website. However, it will be publicly rolled out on iOS 16, iPad OS 16, and macOS Ventura in the fall.
If you’re bothered about your security, you can check out our tips on how you can make your iPhone safe and secure while you wait for passkeys to be launched.
Though using passkeys seems daunting on pen and paper, it’s really as easy as using your Touch ID or Apple ID to log in to a website or app. Only, it’s made much more secure and safe for you from the backend. What do you think of passkeys? Share your thoughts below!