Apple unveils passkeys for passwordless authentication to apps and websites
At WWDC 2022, Apple announced and previewed iOS 16 and iPadOS 16, macOS 13 (aka macOS Ventura), watchOS 9, its new M2 chips, new MacBook Air and Pro, as well as new tools, technologies, and APIs for developers focusing on Apple’s platforms.
Among the many new and improved features in these releases are several aimed at improving user security and privacy.
Apple extends passwordless authentication with passkeys
In May, Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
“These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality,” the FIDO Alliance noted at the time.
The expanded support means that users would be able to automatically access their FIDO sign-in credentials (aka “passkey”) on many of their old and new devices without having to re-enroll every account. It also means that they could use FIDO authentication on their mobile device to sign in to an app or website on a nearby device.
With Apple’s new OSes and technologies, this extended support in practice means safer browsing with passkeys in Safari on macOS Ventura, iOS 16 and iPadOS 16.
“Passkeys are unique digital keys that stay on device and are never stored on a web server, so hackers can’t leak them or trick users into sharing them,” Apple explained.
Designed to replace passwords, passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
“Passkeys never leave your device and are specific to the site you created them for, making it almost impossible for them to be phished,” Apple notes.
Passkeys can’t be leaked because they are not kept on a web server, and they allow users to sign in to websites or apps on other devices (including non‑Apple devices) with their saved passkey by scanning the QR code with their iPhone or iPad and using Face ID or Touch ID to authenticate.
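An added example, not code from Apple or from this article: the server-side checks in the FIDO/W3C WebAuthn standard that tie a passkey sign-in response to one site, which is why a response produced on a look-alike domain is rejected. The names example.com, make_assertion and check_binding are assumptions, the sample data is constructed, and verifying the signature against the stored public key is a separate step left out here.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"            # constructed relying-party ID (assumption)
ORIGIN = "https://example.com"   # constructed expected origin (assumption)
FLAG_UP, FLAG_UV = 0x01, 0x04    # user present / user verified (e.g. biometrics)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin, rp_id, challenge, flags=FLAG_UP | FLAG_UV, count=1):
    """Build constructed sample data shaped like a WebAuthn assertion."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", count))
    return client_data, auth_data


def check_binding(client_data_json, auth_data, expected_challenge):
    """Return the list of failed site-binding checks (empty list = all passed)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(cd, dict):
        return ["clientDataJSON is not an object"]
    errors = []
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(expected_challenge):
        errors.append("challenge")      # stale or replayed response
    if cd.get("origin") != ORIGIN:
        errors.append("origin")         # response was produced for another site
    if len(auth_data) < 37:             # 32-byte hash + flags + 4-byte counter
        return errors + ["authenticatorData too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")       # credential scoped to a different RP ID
    if not auth_data[32] & FLAG_UP:
        errors.append("user presence")
    if not auth_data[32] & FLAG_UV:
        errors.append("user verification")
    return errors
```

The origin and RP ID values are filled in by the browser and the authenticator rather than by the page, so a look-alike site cannot make them match the real one.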
Rapid Security Response
Apple did not share much about Rapid Security Response, a new feature in macOS Ventura, iOS 16 and iPadOS 16 that should push out security updates automatically between standard OS updates – if users choose to allow it.
Some of the updates will not even require a reboot of the device, apparently.
Safety Check
iOS 16 comes with a new section in Settings that allows users “in domestic or intimate partner violence situations quickly reset the access they’ve granted to others.”
People in abusive relationships may be coerced into sharing their Apple ID (email address + password) and granting their abuser(s) access to their Apple ID account. Once physically safe, they will now be able to use Safety Check to lock the abuser(s) out of their account.
“[Safety Check] includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand. It also helps users understand and manage which people and apps they’ve given access to,” Apple explained.
Other privacy-related improvements
In iOS 16, the Hidden and Recently Deleted albums are locked by default – users will be able to unlock them via Face ID, Touch ID, or by entering their passcode.
Apps will need to ask users’ permission before accessing the pasteboard to paste content from another app.