Apple’s Killing the Password. Here’s Everything You Need to Know

With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords.

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura sometime soon, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.

Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

What Is a Passkey?

Using a passkey is similar to using a password. On Apple’s devices, it’s built into the traditional password boxes that websites and apps use to get you to log in. Passkeys act as a unique digital key and can be created for each app or website you use. (The word “passkey” is also being used by Google and Microsoft, with FIDO calling them “multi-device FIDO credentials.”)

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.

How Do Apple’s Passkeys Work?

Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.

When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.

When you try to sign in to one of your accounts using a passkey, the website or app’s server sends your device a “challenge,” essentially asking your device to prove that it’s you logging in. The private key, which is stored on your device, is able to answer this challenge and send its response back. This answer is then validated by the public key, which then allows you to log in. “This means the server can be sure that you have the right private key, without knowing what the private key actually is,” Davidson said.

What if I Don’t Use Only Apple Devices?

Because Apple developed its passkeys based on the FIDO Alliance standards, the passkeys can work across devices and on the web. If you try to log in to one of your accounts on a Windows machine, you’ll have to use a slightly different method since your passkeys won’t be stored on that machine. (If they are saved in an external password manager, you would need to log in to that first).

Instead, when you log in to a website in Google Chrome, for example, you will have to use a QR code and your iPhone to help you sign in. The QR code contains a URL that includes single-use encryption keys. Once scanned, your phone and the computer are able to communicate using an end-to-end encrypted network via Bluetooth and share information.

“That means a QR code sent in an email or generated on a fake website won’t work, because a remote attacker won’t be able to receive the Bluetooth advertisement and complete the local exchange,” Davidson said. This process happens between your phone and the web browser—the website you are logging in to isn’t involved.

Aside from Apple, other tech firms are in various stages of rolling out their own passkey technology. Google’s developer pages say it aims to have passkey support available for Android developers “towards the end of 2022.” Microsoft has been using some passwordless login systems for a few years now and says that “in the near future,” people will be able to sign in to a Microsoft account with a passkey from an Apple or Google device.

Are Passkeys Better Than Passwords?

No system is infallible, but the passwords people currently use are one of the biggest security problems with the web. Every year, the most popular passwords people use—according to analysis of data breaches—are topped by “123456789” and “password.” Using weak and repeated passwords is one of the most significant risks to your online life.

There’s wide support for abandoning passwords—the FIDO Alliance involves pretty much every big technology company, and they’re all working on eliminating the password. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, welcomed the adoption of passwordless technologies in May this year.

“Every passkey is strong. They’re never guessable, reused, or weak,” Apple says in its documentation of passkeys. “To really address password problems, we need to move beyond passwords,” Google says in its own description of passkeys. It claims passkeys will help reduce phishing attacks—people can’t be tricked into sharing their passkeys—and that passkeys are less of a target for hackers as their details aren’t stored on servers.

Despite the enthusiasm for passkeys, passwords are going to be around for a long time yet. Transitioning people from using passwords to a new sign-in method requires them to trust and understand the new system; apps and websites also need to support passkeys. And there are some unanswered questions, such as whether cloud backups from iOS to Android will be compatible. The password isn’t quite dead yet, but it’s getting there.

Apple’s Killing the Password. Here’s Everything You Need to Know

(May require free registration to view)