
Is Apple's Passkey A Step Towards A Passwordless Future?

Weak passwords leave users vulnerable to many types of cyber threats, yet users struggle to create strong passwords they can remember and tend to reuse the same password across multiple platforms. To eliminate the problem of weak and repeated passwords, Apple announced the launch of passkeys at the recent Worldwide Developers Conference (WWDC). By September, Apple envisages passwordless logins across all its product lines, including iPads, iPhones, Macs, and Apple TVs. Many organizations have promised a password-free future in the past, but Apple will likely be the first to implement it.

What are passkeys?

Passkeys are a hybrid security measure that builds on the Web Authentication (WebAuthn) standard and cryptographic principles to secure accounts. They draw on the same end-to-end encryption principle found in apps like Signal, WhatsApp, and iMessage. With passkeys in place of passwords, the Apple device generates a unique pair of private and public keys: the public key is stored on the server, and the private key stays on the user's own device.

It might seem tricky, but in practice authentication will be simpler because the Apple device does the heavy lifting for you. Once you use Face ID or Touch ID on your Apple device, your iPhone, Mac, or iPad takes care of the complex technical details. You will not have to set or remember passwords or handle cryptographic keys yourself. "To create a Passkey, just use Touch ID or Face ID to authenticate, and you are done," Darin Adler, Apple's Vice President (VP) of internet technologies, said at Apple's WWDC.

Problems with the password-based authentication

According to a report by Google, 75% of users are frustrated by passwords. Here is a list of issues users and developers have with password-based authentication techniques. 

  • Passwords are hard to manage as they require encryption and hashing techniques to protect them against malicious attackers.

  • Weak passwords are prone to brute force or dictionary attacks.

  • Strong passwords are hard to remember. According to the HYPR study report, 78 percent of users had to reset their passwords because they forgot them.

  • Passwords are also prone to cyber threats like keylogging, phishing, Man-in-the-Middle (MitM), and credential stuffing.

This does not mean that passwords cannot be protected. Guidance from security experts like Packetlabs can help your organization maintain cyber hygiene and build the habit of setting, keeping, and maintaining strong passwords that safeguard your systems against attackers.

Breaking the password flow with a passkey

The new authentication mechanism will combine Touch ID (as the biometric), the keychain, and passkeys (the unique key pair) to authenticate you with minimal friction. Apple will present the passkey option alongside the username field as an additional pop-up. Users will not have to log in with a password or user ID; the passkey alone will do the trick.

This does not mean passkeys are without shortcomings. The most critical issue is that not all services, apps, and websites can make this sudden leap toward a passwordless future. The upcoming iOS 16 and macOS Ventura will ship with the passkey feature enabled. From then on, when you log in to a website, passkeys will nudge you to prove your identity with your biometrics instead of a password.

How will the passkey work?

A passwordless system would be a giant leap forward for online security. Today, developers typically rely on encryption techniques to secure passwords so that even if an attacker gains access to them or eavesdrops on them in transit or at rest, they see only a scrambled version.

With Apple's new passwordless authentication approach, instead of relying on a single secret string, your Apple device generates a passkey as a pair of related keys. In this paired-key approach, one key (the public key) is stored on the server while the other (the private key) stays on your device. Each key pair is unique to a single account.
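To make the paired-key flow described above (and in "What are passkeys?") concrete, here is an added example that is not Apple's code or part of the original post. It models a simplified WebAuthn-style challenge-response in Go with ed25519 from the standard library: registration hands the server only the public key, login signs a fresh server challenge bound to the relying-party ID, and the server verifies with the stored public key. The Server, Device, relying-party name and the "rpID|challenge" message layout are assumptions for illustration, not the real WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server (relying party) keeps only the public key of each user's passkey; a constructed toy store.
type Server struct {
	rpID    string
	pubKeys map[string]ed25519.PublicKey
}
// Device (authenticator) keeps private keys by relying party; they never leave the device.
type Device map[string]ed25519.PrivateKey
func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}}
}

// Register mints a fresh key pair for this account; the server receives only the public half.
func (d Device) Register(s *Server, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d[s.rpID], s.pubKeys[user] = priv, pub
	return nil
}

// Challenge issues a fresh random nonce so that a captured signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign signs the challenge bound to the rpID the device sees; a look-alike domain has no passkey to use.
func (d Device) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := d[rpID]
	if !ok {
		return nil, errors.New("no passkey for this relying party")
	}
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...)), nil
}

// Verify checks the assertion against the stored public key and the server's own rpID.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, append([]byte(s.rpID+"|"), challenge...), sig)
}
```

Because the signature covers the relying-party ID and a one-time challenge, a signature captured for one site or one session is useless elsewhere, which is what makes this flow resistant to the phishing and replay problems listed above.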

Conclusion

In light of recent data breaches and credential stuffing attacks, it is safe to say that passwords have outlived their usefulness. It is time to move on to a more secure and user-friendly authentication mechanism like passkeys. Google and Microsoft are also heading towards a passwordless future; their support for the FIDO standard for passwordless authentication is a sign of that. With Apple leading the way, we can hope that other tech giants will follow suit and make the internet a safer place for all of us.
