This is how Apple wants to make passwords superfluous

Passkeys in iCloud Keychain

The feature is in iOS 15 and macOS Monterey and is open only to developers for now. It stores a new WebAuthn credential in iCloud Keychain. Apple calls it a ‘passkey’, and it replaces the password for creating accounts and logging in, for example. Instead, all you need to do is tap once. There are already apps that let you log in with Face ID, for example, but creating the account is still done in the traditional way.

If you create an account with a passkey, no password is required. All you do is scan your finger or face. Apple handles the generation and storage of the passkey, without you as a user having to do anything. The passkeys are end-to-end encrypted and synced to all your Apple devices via iCloud Keychain. The credentials are preserved if your Apple device is stolen or lost.

The fact that a server is involved may arouse suspicion in some people. Why isn't everything local? However, according to Apple, passkeys are more secure than most password-based login methods with two-factor authentication. You can read how that works below.

Why passwords are insecure

This is the explanation, according to Apple's Garrett Davidson: one of the biggest advantages of WebAuthn (the solution Apple plans to use) is that it uses public/private key pairs instead of shared secrets. Today, when you enter a password, it is made unrecognizable using techniques such as hashing and salting. The result is that a salted hash is sent to the server. You and the server then both have a copy of the secret, even if it is not directly readable on the server. However, both parties (you and the owner of the server) are responsible for protecting that secret.

Why passkeys are more secure, according to Apple

With the new system, your device creates a set of keys. One is public and can be shared with anyone. The other is private and is only known on the device itself. Your device never shares this key with anyone else, not even with a server. When creating an account, your iPhone generates the two keys and sends only the public key to the server.
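The sign-up and sign-in flow described above, as an added example that is not from Apple or the original article: a simplified Node.js model (not the real WebAuthn message format) in which the server keeps only a public key and checks a signature over a fresh random challenge. The names `createPasskey`, `Server` and the account `alice` are assumptions made for illustration.

```javascript
// Added example: simplified model of passkey sign-up and sign-in (not the WebAuthn wire format).
// Server, createPasskey and the account name are hypothetical names for illustration.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side: generate the key pair; the private key never leaves this closure.
function createPasskey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }), // all the server receives
    signChallenge: (challenge) => sign('sha256', challenge, privateKey),
  };
}

// Server side: stores public keys only and issues a fresh random challenge per sign-in.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    const publicKeyPem = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is valid for one attempt only
    if (!challenge || !publicKeyPem) return false;
    return verify('sha256', challenge, publicKeyPem, signature);
  }
}

function runDemo() {
  const server = new Server();
  const device = createPasskey();
  server.register('alice', device.publicKeyPem);
  const signature = device.signChallenge(server.newChallenge('alice'));
  const login = server.verifyLogin('alice', signature);
  // A captured signature is useless later: the next sign-in uses a new challenge.
  server.newChallenge('alice');
  const replay = server.verifyLogin('alice', signature);
  // A signature made with any other key does not verify against the stored public key.
  const other = createPasskey();
  const forged = server.verifyLogin('alice', other.signChallenge(server.newChallenge('alice')));
  const privateKeysStored = [...server.publicKeys.values()].filter((pem) => pem.includes('PRIVATE')).length;
  return { login, replay, forged, privateKeysStored };
}

console.log(runDemo());
```

Unlike a password database, the server's stored data here contains nothing that can be used to sign in, so the server has no secret of yours to protect.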

Still a test for now

Developers can easily build in passkey support. For now it works only on Apple devices, but Apple is in talks to broaden it. Discussions are being held with FIDO and the World Wide Web Consortium for this.

If you want to get started with passkeys in iOS 15, it is good to know that they are currently intended only for testing. So not everything may work, and Apple may have to reset all passkeys at some point. For regular users, it doesn't make much sense to transfer all your passwords now, because Apple plans to take several years to switch to a passwordless future. Other companies such as Google and Microsoft are also working on it.

For those who want to know more, there is the WWDC session ‘Move beyond passwords’.