What are passkeys? Some of you have probably been asking yourselves that since WWDC22 and in the run-up to the release of iOS 16, iPadOS 16, macOS Ventura and Co. I answer the question below. In doing so, I not only go into the advantages that passkey technology promises its users, I also point to sources that could be interesting for developers. According to Apple, logging in with passkeys can be easily implemented in apps and on websites; the “Authentication Services API” is offered for this.
What are passkeys?
Passkeys are intended to replace the passwords previously used for logging into apps or websites. The whole thing should work similarly to the automatic filling in of the login fields and confirmation via Face ID or Touch ID. For users of Apple devices and the iCloud keychain, there is hardly any difference from the previous procedure when using this new login method.
However, and this is actually a difference, passkeys are encrypted access keys that are created individually and once for each account. They are end-to-end encrypted and can only be used with the respective service, in the corresponding app or on the website. That makes phishing via fake websites or other input masks difficult. So a passkey is much more secure than a password.
This is how passkeys work
When creating an account for an app or website, the operating system (iOS, macOS, iPadOS, etc.) generates a cryptographic pair of keys. This consists of a public key that is stored on a server and a private key that is only used locally. The Web Authentication standard, WebAuthn for short, is used for this. In addition, platform providers are working through the FIDO Alliance to ensure that passkeys work across platforms on a wide variety of devices.
Passkeys can be thought of as a pair of keys. You have a key, namely the uniquely created and strongly encrypted one. The associated key, which is public and not further protected, belongs to the operator of the service you want to use. Only when both come together will the door be opened and you will be granted access to your account and the offers you can access (shopping, app content, online banking, etc.).
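The sign-in described above, and the phishing resistance mentioned earlier, as an added example that is not from Apple or from the original post. It is a simplified Node.js model of a WebAuthn login, not the Authentication Services API; the function names, the service `shop.example` and the look-alike site `shop-example.test` are constructed for illustration.

```javascript
// Simplified model of a WebAuthn/passkey sign-in (illustrative, hypothetical names).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device creates a key pair; only the public key goes to the server.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Client side: the platform, not the page, records which origin is asking.
function signIn(device, challenge, origin) {
  const host = new URL(origin).hostname;
  // The passkey is only offered to the service it was created for.
  if (host !== device.rpId && !host.endsWith('.' + device.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = sha256(device.rpId); // real data also carries flags and a counter
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: check challenge, origin and signature against the stored public key.
function verifySignIn(record, expectedOrigin, challenge, assertion) {
  if (!assertion) return false;
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return false;
  if (client.challenge !== challenge.toString('base64url')) return false; // rejects replays
  if (client.origin !== expectedOrigin) return false; // rejects responses made for another origin
  if (!assertion.authenticatorData.equals(sha256(record.rpId))) return false;
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, assertion.signature);
}

// Constructed scenario: genuine login, look-alike site, and a replayed response.
function demo() {
  const { device, serverRecord } = createPasskey('shop.example');
  const challenge = crypto.randomBytes(32);
  const good = signIn(device, challenge, 'https://shop.example');
  const phish = signIn(device, challenge, 'https://shop-example.test');
  return {
    genuine: verifySignIn(serverRecord, 'https://shop.example', challenge, good),
    phishing: verifySignIn(serverRecord, 'https://shop.example', challenge, phish),
    replay: verifySignIn(serverRecord, 'https://shop.example', crypto.randomBytes(32), good),
  };
}
```

The private key never leaves `device`, and the server only ever holds a public key, so a leaked server record cannot be used to sign in.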
Why are passkeys more secure than passwords?
Passwords can be obtained from unwary people by phishing or other methods. But even cautious users can be monitored, e.g. by spyware, which can also reveal their passwords. And even if you only use Touch ID and Face ID on Mac and iPhone to verify the autocomplete, the passwords are still on the server of the service you want to use.
Since the user's own access key does not resemble any other key (unlike shared passwords) and since it is heavily encrypted and stored in secure local storage, it is virtually impossible to hack. According to Apple, passwords and passkeys stored in iCloud can be protected and recovered even if the account has been hacked, there has been an external attack or employees gain access. More information can be found in the support document “Passkey security information” with the number HT213305.
Information for developers who want to use passkeys
Passkeys are strong, cannot be guessed, and are not reused. These are the arguments that Apple lists on the corresponding developer page. If you want to implement the login method, you can read up on it there, and you will also find a reference to the Authentication Services API mentioned above. Sample code can also be viewed to make implementation easier. If you are interested, you will also find videos from WWDC21 and WWDC22 at this link that deal with passkeys and their use (in your own app). You can also find the videos in the Developer app.
After graduating from high school, Johannes completed an apprenticeship as a business assistant specializing in foreign languages. But then he decided to research and write, which resulted in his independence. For several years he has been working for Sir Apfelot, among others. His articles include product introductions, news, manuals, video games, consoles, and more. He follows Apple keynotes live via stream.