Apple has begun testing passkeys, a new authentication technology that it says is just as easy to use as passwords, but far more secure. Part of iCloud Keychain, a trial version of the technology comes to iPhones, iPads and Macs later this year.
To create an account on a website or app using a passkey, first select a username for the new account and then use Face ID or Touch ID to confirm that you are really using the device. You never choose a password. Your device handles generation and storage of the passkey, which iCloud Keychain syncs across all your Apple devices.
To use the passkey for authentication later, you will be asked to confirm your username and verify yourself with Face ID or Touch ID. Developers need to update their login procedures to support passkeys, but this is an adaptation of existing WebAuthn technology.
“Because it’s just a single tap to log in, it’s easier, faster, and more secure than almost all common forms of authentication today,” Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company’s annual.
Passkeys are the latest example of growing interest init is designed to be more secure than the list of passwords you have taped to the side of your screen. Conventional passwords are plagued by security flaws, primarily our inability to create and remember unique ones. That’s why Apple is working with Microsoft, Google and other companies to come up with alternatives.
Moving beyond passwords is a monumental endeavor given how ubiquitous they are and how difficult it is to get businesses and consumers to embrace change. However, it is crucial in an era where our accounts are at risk from cyber attacks and phishing scams.
“The most common security vulnerability today is still bad passwords,” said Jen Fitzpatrick, senior vice president of core systems at Google, at the Google I/O developer conference in May. “Ultimately,. “
More than 200 million account holders have. In comparison, the security website Have I Been Pwned has collected more than 613 million stolen passwords. The website operator, Troy Hunt, is an adviser to Microsoft and in May began adding passwords, which the FBI discovered had been compromised.
The technology behind Apple’s passkeys is built on the WebAuthn technology that emerged from the FIDO (Fast Identity Online) Alliance, a consortium that has undergone hardware security key approval. Apple’s approach includes a fundamental part of WebAuthn, the combination of public and private encryption keys already built deep into communication security and many other established processes.
The technology only works with Apple devices, but Apple recognizes that the success of passkeys also requires accessibility on Windows computers and Android smartphones. To this end, Apple is talking to industry partners at FIDO and the World Wide Web Consortium (W3C) about the technology.
Apple’s move is welcome, said Mark Risher, Google’s Director of Product Management for Identity. “We believe that FIDO keys stored on the mobile device will play a fundamental role in password replacement,” which is why Google decided to automatically enroll users in its two-step verification system, he said. Google built WebAuthn support into Chrome in 2018 and into Android in 2019.
Blocking phishing attacks
Phishing is a problem that FIDO, WebAuthn, and Apple’s passkeys are designed to fix. The login technology is paired with a specific app or website, so it does not work if someone tries to trick you into logging in to a forgery.
Such approaches mean that the servers that handle logon no longer need to be filled with treasure chests with secret login information that tempts hackers. “Servers are less valuable targets because there are no authentication secrets that an attacker could steal,” said Apple’s Davidson.
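The site pairing described above is enforced when the real site's server checks a WebAuthn login response: the browser records the page's origin, and the authenticator records a hash of the site ID. The following Python is an added example, not code from Apple or the original article; the site ID `example.com`, the lookalike origin and the sample responses are constructed, and verifying the signature against the stored public key is a separate step not shown.

```python
import base64, hashlib, hmac, json

RP_ID = "example.com"                    # assumed relying-party (site) ID
EXPECTED_ORIGIN = "https://example.com"  # assumed legitimate origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> list:
    """Return reasons to reject the login; an empty list means the binding checks pass."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    # The challenge must be the one this server issued for this login attempt.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        problems.append("challenge mismatch")
    # The browser, not the page, fills in the origin the user was actually on.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) ...
    if len(authenticator_data) < 37:
        problems.append("authenticator data too short")
        return problems
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash mismatch")
    if not flags & 0x01:  # bit 0 = user present
        problems.append("user not present")
    return problems

def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator report for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    # flags 0x05 = user present + user verified; signCount = 1
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses fresh random bytes
    for origin, rp_id in [("https://example.com", "example.com"),
                          ("https://example.com.login.test", "example.com.login.test")]:
        client, auth = make_sample(origin, rp_id, challenge)
        print(origin, "->", check_assertion_binding(client, auth, challenge) or "accepted")
```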
Hardware security keys also block phishing, but come with a number of disadvantages, such as the need to carry them at all times and the difficulty of recovering account login privileges if the fob is lost.
Passkeys work around both issues, Apple says. Everyone is already carrying their phone, face and fingers. Accounts can be restored via Apple’s iCloud Keychain if a user’s devices are lost, damaged or stolen. It is not yet clear how this aspect of passkeys would work beyond Apple devices. (Apple encrypts data from iCloud Keychain, and reconstructing it without a device may require a previously used password.)
Apple does not see passkeys as two-factor authentication, a powerful login protection method that commonly pairs passwords with other authentication steps such as a biometric scan. But the company believes that passkeys are strong enough to reduce the need for two-factor authentication.
Apple is making a preview of passkeys available in developer builds of future iOS, iPadOS and macOS. It is disabled by default while Apple and external developers test the technology.