Although it is recommended practice to use a strong password for each account we have, the truth is that remembering 300 passwords like “6&h-4F%#S” is... complex. That is why password managers exist (a real lifesaver), and why companies like Google, Microsoft and Apple have set out to get rid of passwords altogether.
The latest to show its cards is Apple, which presented Passkeys at WWDC 2022 yesterday. And what is Passkeys? A biometric login standard whose objective is as simple as it is interesting: to do away with passwords by replacing them with biometric identification.
Apple is not alone
Passkeys is based on WebAuthn, a web authentication API. The system uses public key credentials from iCloud Keychain, eliminating the need for passwords. Instead of having to enter a password, the system relies on biometric identification (Touch ID and Face ID, in this case) to create accounts and authenticate.
The device generates a unique public and private key pair for each account you create on a service. The authenticator (in this case, the iPhone) retains the private key and sends the public key to the server, which authorizes the login. In a nutshell: when you go to log in, instead of entering “6&h-4F%#S” you simply verify with the device's biometric sensor.
What is the advantage of this system? Access is more secure, since the private key never leaves the device. In principle, this system would be a strong shield against phishing, and there would be no major problem if credentials were obtained from the service's server, since there are no passwords there. Nothing private leaves the device or is stored on a server.
As you would expect from Apple, these “access keys” are stored in iCloud Keychain and can be synced between Macs, iPhones, iPads and Apple TVs with end-to-end encryption. It is not exclusive to the Apple ecosystem, however: we can also log in to websites and apps from other devices (say, a Windows PC) using the iPhone's Face ID to authenticate.
In that sense, Apple has been working with the FIDO Alliance (which includes Google and Microsoft) to allow Passkeys to work on non-Apple devices. It makes all the sense in the world and, according to Google, the system would be ready between 2022 and 2023. Is it the end of passwords? Not entirely, but it is a big step forward.