How Do Apple Passkeys Work? How Do They Keep You Secure?

Currently, there is one primary way we secure online access: username and password. However, even if we make a long, complicated, and complex password, there still remains one key weakness in this security setup—the user.

Millions have already been victims of phishing sites, social engineering, and other forms of attacks that compromise passwords. That’s why Apple wants to remove the password and replace it with passkeys.


So, how do Apple passkeys solve the password issue?

What Is the Web Authentication (WebAuthn) Standard?

This standard is published by the World Wide Web Consortium (W3C), an organization dedicated to building protocols and guidelines for long-term web development. By developing this new authentication technology, the group hopes to reduce our reliance on passwords as the primary or only way of protecting our data.

Apple is also a member of the W3C, and they’re incorporating the WebAuthn standard in Apple passkeys. This feature also works with iCloud Keychain, so people who already use this service don’t need to migrate their system.

By implementing the WebAuthn API, web developers and device manufacturers ensure an authentication that will work across different systems. So, whether you’re on Android, iOS, Mac, or Windows, this passwordless system should work.

How Do Apple Passkeys Keep You Safe?

Most of us have relied on username and passwords at some point. You probably still do right now. But passwords can be easily hacked, especially if the user doesn’t have a secure password or if they’re a victim of social engineering.

The traditional username and password combination also means this information is stored online. So, if the service you’re using, like Twitch for instance, gets hacked, the attack compromises the data and more. If you reuse your username and password, which many do but we advise against, your other accounts are also at risk.

Two-Factor Authentication (2FA) was developed to solve this problem. By adding another layer of security, users help prevent unauthorized access to their accounts.

Although this technology has dramatically increased security, especially against brute force attacks, many users are still victimized by social engineering attacks. And while tech-savvy users can easily spot attacks, those who aren’t as familiar may not be able to spot the signs of attacks like phishing scams.

Apple passkeys aim to solve this issue by removing the password altogether. When logging in to an online service, you no longer have to type in your username and password. Instead, you just need to use your device’s biometric security features, like FaceID or TouchID.

The service is also not just limited within your Apple device. You can use passkeys on your Windows PC or Android tablet. As long as you’re accessing a website that implements the WebAuthn API, you can use your Apple device’s biometric features to log into your account, even if you’re accessing it in a non-Apple gadget. It’s like using your Apple device as a universal key that can open any digital door.

How Do Apple Passkeys Work?

Instead of keeping the username and password together online, Apple passkeys use asymmetric encryption. According to Apple’s passkeys security support page:

During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key.

When you use a username and password, the server holds the lock (your username) and key (your password). To open the lock, you show the server that you have a similar key, and it opens the door for you.

But with Apple passkeys, the server will never hold the key. Instead, it hands you the lock, and you unlock it yourself. And since the server will only hand you the lock if it physically has it (i.e. your data is actually stored in its server), phishing hacks will become ineffective because they don’t have the lock (i.e. they can’t ask for the key, because Apple passkeys will only release it if they deliver a valid lock).

With this system, only the valid entity can ask for a passkey, ensuring that users are less likely to fall victim to phishing scams and other social engineering attacks. It’s also a lot more convenient since users no longer have to remember a myriad of login credentials. All they need is to be logged into their 2FA-protected Apple ID.

Another Example of a Passwordless System

While Apple might be the first to be effectively baked into a smartphone OS, it’s not the first company to implement passwordless systems. If you have a Microsoft account, you have probably encountered this technology.

If you’ve set up passwordless logins with your Microsoft account, you can log into it using the Microsoft Authenticator app—no username and password needed. Although it’s primarily available in the Microsoft Edge browser, you can also use Windows Hello or a security key to use the Microsoft Authenticator app to log in to your Microsoft account on other browsers like Google Chrome.

Saying Goodbye to Passwords?

Although usernames and passwords have protected users for the better part of 60 years, they might be nearing the end of their lives thanks for better security systems elsewhere, that are easier to use too. As we sign up for more and more services, the idea of memorizing tens, if not hundreds, of username-password combinations can be daunting.

Hackers are also getting more sophisticated, allowing them to compromise data even with enhanced security. And although multi-factor authentication has somewhat increased the security of traditional login credentials, it still leaves the user as a significant vulnerability.

With passkeys, we can move forwards from username and passwords into a more secure future. And as new technologies like quantum computing get developed and released to the market, the traditional username and password combination risks becoming obsolete overnight.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button