Sometimes it seems like passwords have been with us forever, yet every year we are reminded that we still don’t use them properly.
The annual publication of “worst passwords” lists shows that we haven’t got any better at handling passwords over the past decade. And while many alternatives to the humble password have been proposed, none have come close to the ease of use of the traditional method.
But that changes today with the introduction of Passkeys – an update in Apple’s latest iOS 16 operating system. Passkeys may be the long-awaited solution to password misuse, and the persistent problem of compromised credentials.
What’s wrong with passwords?
The password problem is well documented. We choose weak ones, write them down (for others to see), share them, and reuse them across multiple sites.
The last of these is a particular problem. Once your credentials are compromised (and subsequently leaked), they are exposed to “credential stuffing” – where cybercriminals take a batch of leaked login credentials and try them on many other websites.
You might say “But I use a password manager”.
Well, that is good. The standard advice for years has been to use a password manager like 1Password or LastPass. These allow you to create a unique password for each website or service you use. So even if a website is hacked, only one password will be revealed.
But this approach requires the ability to sync across all of your devices – a feature that not all password managers offer.
And even with a password manager, our passwords are still stored on the remote websites we access. Although most websites store passwords in a secure (hashed) format, they are still routinely at risk: an estimated more than two billion sets of credentials (including passwords) were leaked online in 2021.
Along come Passkeys
Apple devices using the latest version of the operating system (iOS 16 or macOS Ventura) will integrate a new password mechanism called Passkeys. Unfortunately, iPad users will need to wait a little longer for this feature.
It should be noted that you will not be forced to use Passkeys, but your Apple device will offer you the opportunity to do so. Also, most websites will continue to support password login for people who don’t have the latest hardware.
You will also have the option to use Apple’s secure cloud storage, iCloud, to back up your keys and share them across your Apple devices.
How do they work?
The concept behind Passkeys is relatively simple. Each site you choose to use Passkeys with will securely generate a unique pair of secret codes (referred to as “keys”).
One of these keys is a public key stored on the website where you are registered. The other is a private key stored on your device. Both keys are related, but one cannot be used to obtain the other.
When you try to log into the website, instead of entering a password, your device will ask you to verify the login using your device’s biometric unlock mechanism. So you either have to scan your face or your finger.
This deliberately limits Passkeys functionality to biometric-enabled devices (iPhones have had Touch ID since 2013 and Face ID since 2017).
Once your biometrics are verified, your device will use your private key to prove your identity to the website by responding to a complex mathematical “challenge” issued by the website. Your private key is never sent over the network to the website.
The response from your device can only be verified by the website, using the public key generated at registration. And no one can pretend to be you without your private key, which is stored securely on your device.
If a website is hacked, the public key alone is useless to cybercriminals.
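The registration and login flow described above, as an added illustration rather than Apple’s own code: the website keeps only a public key, issues a fresh random challenge per login, and checks the device’s signature with that public key. The device holds the private key and signs the challenge; the names (Server, Device, ES256 as the signature scheme) are assumptions for the example, not taken from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server is the website (relying party): it stores only public keys, one per user.
type Server struct{ pubKeys map[string]*ecdsa.PublicKey }
func NewServer() *Server { return &Server{pubKeys: map[string]*ecdsa.PublicKey{}} }

// Register stores the public half of the pair the device generated at sign-up.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge issues a fresh random nonce per login so a captured answer cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature over the challenge with the stored public key; a leaked
// public key lets an attacker run this check but never produce a valid signature.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Device holds the private key (on a real passkey: the Secure Enclave, behind Face ID/Touch ID).
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: k}, err
}

// PublicKey is the only part of the pair the device ever hands to a website.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers the challenge (ES256: ECDSA P-256 over SHA-256); the key never leaves the device.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}
```

A signature captured from one login is useless for the next because the challenge changes, and a second device (or anyone holding only the stolen public key) cannot produce a signature that Verify accepts.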
Moreover, while biometrics can be hacked, doing so is relatively difficult. To exploit a combination of biometrics and Passkeys, a criminal would first need to get hold of your device and then do a convincing job of faking your face or fingerprint (or coercing one from you) – unlikely circumstances for most users.
Passkeys will initially be released on Apple devices, but others are close behind. Microsoft is likely to release an equivalent soon, although it may not initially be compatible with Apple’s implementation. This could be a problem for people who want to use an iPhone and a Windows laptop.
Going forward, it is important that Apple, Google, and Microsoft work together to ensure maximum compatibility across devices.
Until then, there are some workarounds. If you need to use your Apple Passkeys on your Windows laptop (or another device), you can scan a QR code with your iPhone and provide biometric verification of the login that way.
This means users will always need to have their phone with them when they want to authenticate to a remote service – whereas currently they can type in their password, or use a password manager synchronized across their devices.
For some users, having to have their phone on hand all the time may be enough to give Passkeys a pass altogether.
A long tail for adoption
The Passkeys approach has the potential to make passwords obsolete, but this will require organizations around the world to invest time, effort, and money into it.
Big players like social media companies are in a good position to adopt Passkeys early, but there are millions of websites that may take years to do so – or may never do so.
In fact, given the state of play today, many leading sites still fail to apply current good practice around passwords. So it’s hard to say how quickly Passkeys will be implemented, or how widely.