One of the new features Apple announced at WWDC 2022 is Passkeys, its password replacement system that will provide a more secure way to log in to websites and apps. Apple is part of the FIDO Alliance, an organization that aims to enable password-free logins and also includes key players like Google, Microsoft, and Lenovo. While passwords are still widely in use, frequent hacks and leaks have resulted in users resorting to methods like two-factor authentication to secure their data.
However, there's a simpler solution. Most smartphones now have either a fingerprint scanner or face unlock, and these biometric scanners can do more than just unlock the phone. Several financial apps now let users confirm a transaction by scanning their biometrics rather than entering a PIN. Operating systems like ChromeOS allow users to unlock their Chromebooks by keeping their connected smartphone nearby rather than entering a password. For phones with a fingerprint scanner, simply unlocking the phone with a registered finger will unlock the phone and Chromebook simultaneously. The feature is called Smart Lock and it even has the option to sign in to a Google account using the connected smartphone.
Passkeys use a combination of cryptographic techniques and biometrics on a device to protect a user's account. It is also pretty straightforward to create them. According to Apple, when a user visits a site or an app that needs an account, they can create a Passkey using Touch ID or Face ID as authentication. The Passkey created is a unique digital key only for that website or app, and is saved securely on a user's device. When a user wants to access the Passkey, they can use biometric verification to sign in.
Passkeys Will Work Across Operating Systems
While a Passkey may be created on a Mac or iPhone, Apple says it will be securely synced across all devices tied to the user's account using iCloud Keychain. So if a Passkey was created for a website on a Mac, that same Passkey will be available when a user wants to sign in to that site on their iPhone or iPad. Passkeys will not only work across Apple's own devices but also on non-Apple devices. All a user has to do is sign in using their iPhone or iPad. A demo at the announcement shows that users will have to scan a QR with their iPhone, and then use Touch ID or Face ID to sign in to the website on a different device.
According to Apple, Passkeys can't be phished. This is because the passkey never leaves the device which means hackers can't trick a user into sharing a password on a fake website. Also, it cannot be leaked since there isn't anything being stored on a server. Since a Passkey is only accessible with biometric authentication, a thief won't be able to access a user's accounts even if they steal an iPhone. Passkeys, alongside all the other exciting features Apple announced at WWDC, will be available on supported devices later this year.
Source: Apple