The unbelievable quantity of passwords to manage along with the hackers who are endlessly trying to exploit them are irritating realities of modern life. However, a session at Apple’s WWDC 2021 signals a potential solution to both.
The “Move beyond passwords” session by Garrett Davidson at WWDC 2021 highlighted a new feature found in both iOS 15 and macOS Monterey called “Passkeys in iCloud Keychain,” which could be used in the future to allow for sign-in without the need for an underlying text-based password.
Garrett started with a brief discussion of what’s wrong with passwords today. It’s something that may sound familiar if you’ve read our recent two-factor authentication coverage, including why you shouldn’t use your phone for 2FA. While brute-force attacks on passwords are a problem, it’s the ease of phishing passwords, security questions, and/or phone numbers that makes these options so vulnerable.
The WebAuthn standard that “Passkeys in iCloud Keychain” is based on circumvents this with a public/private key pair system that keeps the private key on your device. The private key is never shared with the server; the server receives only the public key, which can be shared without fear of granting access to your account or data.
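The sketch below is an added example, not code from the WWDC session or from Apple: it shows the key-pair sign-in described above in Node.js, including the origin check that makes a phished response useless. It is a simplified model rather than the real WebAuthn message format, and the function names and origins are assumptions made for illustration.

```javascript
// Added illustration: a simplified WebAuthn-style sign-in, not the real wire format.
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key leaves it.
function registerDevice() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge per sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge together with the origin the browser is really on.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: the signature must verify AND cover this challenge and this origin.
function verifyAssertion(serverRecord, assertion, challenge, origin) {
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  if (!valid) return false;
  const data = JSON.parse(assertion.clientData);
  return data.challenge === challenge && data.origin === origin;
}

function demo() {
  const SITE = 'https://login.example.com';      // constructed origin
  const LOOKALIKE = 'https://login.example.net'; // constructed origin
  const { device, serverRecord } = registerDevice();
  const c1 = newChallenge();
  const good = signAssertion(device, c1, SITE);
  const phished = signAssertion(device, c1, LOOKALIKE);
  // Origin field rewritten after signing: the signature no longer matches.
  const rewritten = { ...phished, clientData: JSON.stringify({ challenge: c1, origin: SITE }) };
  return {
    legitimate: verifyAssertion(serverRecord, good, c1, SITE),
    lookalikeOrigin: verifyAssertion(serverRecord, phished, c1, SITE),
    rewrittenOrigin: verifyAssertion(serverRecord, rewritten, c1, SITE),
    replayedOldChallenge: verifyAssertion(serverRecord, good, newChallenge(), SITE),
  };
}

console.log(demo());
```

Only the first check succeeds: a response signed for a lookalike origin, one whose origin was edited afterwards, and one replayed against a new challenge are all rejected, and at no point does the server hold anything that could be used to sign in.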
With Apple’s method, this private key or Passkey could be tied to your Face ID or Touch ID, obviating the need for you to know a password at all. The one downside to Apple’s version is that it only works within Apple hardware, which is not shocking, but unfortunate for those of us who work across multiple operating systems.
Apple is hardly alone in this; the WebAuthn standard has seen uptake from Google and Microsoft, among many others, and support continues to build. To be clear, we are still in the early days for this. Apple is merely opening it up to developers in preview, so if you have dreams of being password-free by 2023, you probably are going to have to wait a bit longer.
With that said, there are far too many major players invested in this notion due to both the enhanced security and ease of use for it to likely fail or stall out completely. It would be surprising if there isn’t a meaningful rollout within the next five years.
H/T The Verge