By Glenn Fleishman

August 18, 2025 8:15 AM PT

Some key facts about passkeys and how they work

The passkey was introduced with some excitement by Apple and varying degrees of hurrahs from Microsoft and Google a few years ago.¹ This humble method of combining strong encryption, avoiding password entry, and adding the best aspects of second-factor authentication seemed like a winner. The excitement died down, even as operating systems, browsers, and websites provided increasingly robust support.

Why haven’t passkeys seemed to match their hype? Or do they “just work” and are being ignored despite their value?

I recently found one of the best arguments for using them, which I’ll share below. I’ve also seen quietly increasing adoption, even by the least-technology-focused sites, like those of home-improvement retailers and shipping suppliers.

What’s wrong with a password, anyway?

I think you know the answer to this, but I’ll spell it out a little. Being text, a password can be copied or stolen, even if it’s generally obscured. Someone might be able to extract your password in a bunch of ways:

• Phishing: Don’t be too smug about not falling for fake SMS or email attempts to make you log in. I’ve received phishing messages alleged to be from American Express, DHL, the local Washington State highway tolling authority, and SendGrid (an email-sending service provider) in the last few years, and almost been taken in! The reason? They didn’t ask me for money, but told me I needed to log in to check the status or update something.
• Social engineering: Again, we all believe no one will talk us out of our password, but the right person at the right time, particularly when we’re vulnerable or panicked, can often pry information out of the mostly tightly shut clams among us.
• Shared password and weak sites: One of the most common ways we have our passwords stolen is because we reuse them. Maybe you generate a unique one now, but you (and I) surely have some sites we never updated our passwords at, and it might be the same among 10 or 100 old sites. Poorly stored passwords that are exfiltrated from a site and then cracked (or, horribly, stored in plain text) can then be applied against our other sites.²
• Shoulder surfing: Most passwords are too complicated to watch someone type them in, and most of us use password managers, so we’re using our finger or face to validate automatically filling in a password or login. But it still happens. Someone with an iPhone can film you in 4K from across a room and see each letter as it briefly appears.

The strongest password from a complexity angle still has the weakest links: it can be used anywhere, by anyone, and has to remain accessible to you in plain text. When it’s pasted or filled into a Web page, it may be transmitted through secure https transport, but it’s still in the clear briefly at your end and the other.³

What if there were a way to eliminate these flaws and simplify the process? That’s the goal of the passkey.

Double, secret validation

A passkey isn’t just an extra-secure password. Rather, it relies on public-key cryptography (PKC), in which your system creates a secret that can be derived into two parts: one public and one private. The public key portion can be freely shared without risk through a variety of methods.⁴ The private key must be kept secret. It never leaves your device and is never typed in or shared.⁵

Because there’s no shared, identical (or “symmetrical”) password used between two parties that’s send in the clear (over an encrypted method like https or otherwise), there’s nothing useful that can be intercepted or stolen.

One of the useful aspects of PKC for proving your identity to access an account at a site is that the site only needs your public key to validate who you are. The private key, only you have access to, can encrypt a message that any possessor of the public key can validate could only have come from someone with that private key. Similarly, someone with the public key can encrypt a message that only you, with the private key, can decrypt.

PKC allows passkeys to provide two-way validation along with the primary purpose of a secure login. When you enroll to use a passkey at a site, you use your existing credentials to log in, often including a second-factor code or process. Your device generates a fresh private-public key pair for this login and sends the public key to the site.

The next time you log in, you opt to use a passkey, and the site sends a challenge through the browser that the browser or operating system manages. Using a fingerprint, your face, or a password, you confirm you want to use your locally stored passkey. Your system creates a message signed by the private key, which is sent to the site, which uses the public key to validate it. Easy as pie!

If someone tries to log into your account with a passkey, they would lack the proper keys and be unable to. Likewise, if you’re being phished, your browser won’t offer to log in to that site with a passkey, because the details don’t match. This is true with password managers, too, of course, which match accounts to sites. However, even if someone suborned a domain and a password manager “thought” it was the correct site, there’s no way for the phisher to provide a valid request your passkey system would respond to. Even then, that login information isn’t portable—it couldn’t be reused (or “replayed”) at the legitimate Web site.

PKC also prevents man-in-the-middle attacks, where a third party captures information from one side and silently hands it over to the other, and back to the first as a way to grab data or credentials. Without the private key, there’s no way for a third party to impersonate the logging-in user.

Notice that this process effectively removes the necessity for a second factor because the second factor becomes an integral part of the enrollment process: you have a unique set of information shared between the site and your device (or account ecosystem, like iCloud) that can’t be intercepted. A passkey makes logging in as easy as automatically filling in a password while offering the security advantages of two-factor authentication.

I’m not aware of a widely available website that allows you to disable password-based logins or two-factor authentication exclusively in favor of a passkey. Most sites that have adopted them shifted their login process in a way that you might have noticed a couple of years ago that added some friction: instead of a dialog for your email address or account name and then password, you were first asked for your user name. In a second step, you can enter a password or click or tap a button to use a passkey.

Some sites have pushed a “passkey login” button to their main login page in recent months. The credit-card processor Stripe makes it one of several options, which makes sense given the security needed for its account. However, the company does let you disable SMS-based second-factor codes once you have a passkey or other non-phone authentication method set, which is a significant move.⁶

Web sites love passkeys more than users, possibly, because it reduces friction: it’s less effort to login, the password doesn’t have to be found or entered, and it likely saves money on customer support from people losing their password and being unable to reset it.

Enrolling in passkeys and managing them

Most sites have made it a trivial process to add a passkey to your account. The steps usually work like this:

1. Log in to a site through your normal method.
2. Go to your account preferences for password or security.
3. Look for a section that says “add passkey” or “add authenticator.”
4. Follow the steps provided, which typically involve just using Touch ID, Face ID, or entering a passcode/password at the right moment.
5. The passkey is stored in Passwords.

When you’re using a single ecosystem, like Apple’s with Safari, you visit a Web site, click or tap use passkey, and use Touch ID or Face ID to complete the login, with a fallback to entering your passcode or macOS account password.

When you’re using a browser or operating system that doesn’t connect to Passwords, or when you’re using someone else’s Apple device, there is a nifty built-in login workflow:

1. You’re presented with an option to use a mobile device. Choose that option.
2. A QR code appears that you scan with your iPhone or iPad. Scan that code with your iPhone or iPad.
3. Tap the link that appears reading “Sign in with a passkey.”
4. Use Touch ID, Face ID, or a passcode to proceed.
5. The browser acknowledges the response, and the site proceeds to log you in.

While this seems a little sus, as the kids say,⁷ the whole process is well defined in the industry-standard passkey protocol, and is as fully secure as if you were using a passkey through authentication directly on the device.⁸

Passkeys were a little mistreated in Passwords until the fall 2024 upgrade to Apple’s operating systems. Now the Passwords app has its own category. An entry for a passkey also includes the user name, password, and other information associated with a site, such as the included domains.

Passkeys’ biggest flaw right now is that they aren’t exchangeable across password-management systems. I recommend Apple-centric people use the Passwords app to leverage the Safari and iCloud Keychain infrastructure and end-to-end encryption at the moment. If you regularly use Android or Windows, 1Password can manage passkeys across all its supported platforms, so it’s a better choice for now.

The whole industry touts the portability of passkeys without yet offering such a thing. But it’s inevitable, as there’s no lock-in benefit. Finding a secure way to sync or transfer passkeys without introducing security holes that bypass their value is the key (sorry) issue remaining.

One weird trick to share passkeys in Passwords

You can use Passwords as one nifty workaround I hinted at in the intro. My wife and I share a login at our auto insurance’s site, but it requires a second-factor SMS code, and it will only allow one phone number. So I have to bother her every time I’m paying a bill on the site for the code sent to her phone. The company recently upgraded to passkey support, which I enrolled in. Using Passwords, I moved the passkey to my spouse and my shared group. Now, either of us can use the same passkey across all our collective devices.

[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]

[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest book, which you can pre-order, is Flong Time, No See. Recent books are Six Centuries of Type & Printing and How Comics Are Made.]

By Jason Snell

August 15, 2025 9:51 AM PT

Last updated November 21, 2025

Get started with folder automation in macOS Tahoe

One of the most exciting additions in macOS Tahoe is Shortcuts automation, which (among many other things) allows Shortcuts to act when things move or change in the filesystem. More than two decades after Folder Actions brought those features to Mac OS X Jaguar, Apple has built a modern take on the feature that’s been popularized by third-party utilities like Hazel.

Unfortunately, Apple’s implementation of this feature is pretty basic—it’s a trigger that fires off a Shortcut and passes it all the information about what’s changed in the filesystem. The job of parsing, filtering, and acting on that information is entirely in the hands of the shortcut itself. This means that to take advantage of this feature, users will need a grasp of some Shortcuts fundamentals.

That’s what this article is for: to provide a quick guide to building a shortcut that acts on the contents of a folder when items are added to it. In this case, we’ll create a drop folder that moves Markdown files elsewhere when they’re added.

Continue reading “Get started with folder automation in macOS Tahoe”…

By Glenn Fleishman

August 11, 2025 8:15 AM PT

Backing up iCloud photos in other ways

I recently wrote about duplicating iCloud Drive and iCloud Photos to a network-attached storage (NAS) system. This struck a nerve for folks who want to keep full-resolution backups of their Photos Library when they don’t have enough local storage. (That column was focused on not needing to keep your Mac powered up to handle these iCloud offline backups when the Mac was otherwise not in use.)

Readers wrote in or replied via social media with strategies and workarounds, as well as suggesting three software options that can let you sync iCloud Photos outside of Apple’s limitations. Meanwhile, a developer dropped a line to Jason about his new app, which can sync and archive iCloud Photos and files from iCloud Drive.

This feels like it shouldn’t work, but it does

Six Colors reader Mark has a rather elaborate process of keeping a local backup of his Photo Library without enabling full-resolution downloads for his primary account and startup volume.

He started by creating a Photos Backup macOS user. While logged into Photos Backup, he logged into his primary iCloud account, the same one he uses in his main macOS account. On that backup account, he set up an external 2 TB drive and, holding down Option while launching Photos, created his Photos Library on that drive.

He then used Photos > Settings > General to click Use as System Photo Library, which is required for iCloud Photos syncing. He also enabled Download Originals to this Mac in Photos > Settings > iCloud. Because he also has a Backblaze subscription, he enabled that service to back up his external 2 TB volume as an additional off-site protection.¹

This was all a one-time setup. Now, whenever he wants to perform his on-demand backups, Mark:

1. Attaches the 2 TB drive.
2. Logs into Photos Backup, which effectively starts the background syncing.
3. Uses Fast User Switching to return to his main account.

When he needs to leave his current location, he swaps back to the Photos Backup account, logs out of it (Apple Menu > Logout Account Name), unmounts the external volume, and he’s all set. I have not tested this, but Mark says it works, despite the complexity.²

Mark asked, “Am I crazy, or is this an OK solution?”

You’re not making an irrational decision, Mark! This is a perfectly reasonable way to achieve results with limited options.

The only failure point I can see is very unlikely:

• You’re on the road.
• You create, modify, or capture new images on devices you carry with you.
• Those devices are lost or destroyed after syncing.
• And your iCloud.com account becomes inaccessible, or the data stored there is corrupted.

Losing your device or having it damaged beyond recovery before syncing is a scenario you can’t avoid in the above method, anyway.

Image Capture and offloading

Reader Jonathan wrote in with a strategy he was using for media management because his family opted to pay for just 200 GB of iCloud+ storage. He also has a Backblaze subscription. Instead of keeping everything in the cloud, he would offload images from time to time:

Normally, I would log into iCloud on my Mac, go to Photos, and then download the latest files to my external hard drive that gets backed up to Backblaze. Is that the best method?

As we corresponded, I found that Jonathan was also curious about how he would copy files that were not downloaded locally if optimization were enabled.

I had not thought of this strategy, either, which can work:

• If optimization is off: You can move media from your Mac’s Photo Library at any time without preparation. The size of your library on your drive is within about 20% of the storage it takes up on iCloud.
• If optimization is on: You have to stay more on top of adding images and videos so you don’t accidentally fill up your iCloud storage.

To remove media from a Photos Library for an archiving operation like Jonathan employs:

1. Select the media in Photos for Mac.
2. Choose File > Export and one of the options described below.
3. Press Delete or choose Image > Delete Photos.³
4. This moves media to the Recently Deleted folder. After ensuring you have an additional backed-up copy, such as through Backblaze, Time Machine, or other methods, go to the Recently Deleted folder, click Delete All, and confirm deletion.

Which of the two Export submenu items should you opt for?

• Export X Photos: The export includes any modifications made in Photos and any metadata changes. The photo is converted to the format (Photo Kind) with any quality, color profile, and size options set. (Set to Full Size to preserve the original dimensions.)
• Export Unmodified Originals for X Photos: The original photo as imported or created will be exported, including in any supported RAW format, with all modifications ignored.

You can also make life easier on yourself by springing for PowerPhotos 3 ($40), a robust Photos Library management app. It can move items between libraries, split and merge libraries, and much more. The operation above would be far simpler: just hold down the Command key and drag the media from one library to another within the app.⁴

Jonathan has used Image Capture in the past to copy media from his iPhone to the external drive, although he had optimization turned on for the phone, so he wasn’t sure if he was copying full-resolution images or low-resolution thumbnails.

Apple will never copy low-resolution images through sharing or copying from the Photos app or using Image Capture. However, with optimization enabled, Image Capture shows only images and videos that are downloaded to that device. On my iPhone, for instance, Image Capture showed about 7,000 items available for copying; my Photos Library has nearly 70,000.

I command you to download and sync

There are four software solutions—two fully developed apps, two Python command-line packages—to back up an iCloud-linked Photos Library, even when optimization is enabled. Each has unique elements, including one of the Python tools working via a web connection. (I have not tried any of these packages or apps yet! And using Python for this is definitely on the edge of my personal geekiness level.) I also shout out Carbon Copy Cloner for iCloud Drive backups.

Here are the details. The three Mac apps are:

Photos Backup Anywhere (App Store, $10): Allows simple background backup of the Photos Library to any local destination, including NAS. The app temporarily downloads any newly synced images that aren’t stored locally. (Referral via reader Ted)

Parachute Backup (App Store, $5): A slightly more elaborate background Mac tool that lets you choose to backup either or both the Photos Library, including iCloud-stored images and iCloud Drive. (Newly released, referral via the developer, Eric Mann)

Carbon Copy Cloner ($50): If you’re looking just for iCloud Drive file backups, CCC can download iCloud-stored files and then dismiss the local copy after backup—usually. There are oceans of provisos, as Bombich Software explains in this support note.

If you’re into command lines, installing packages, reading documentation, and tweaking results, you may find that either of the two options above will let you back up or create different kinds of archived copies that hit the sweet spot for you:

iCloud Photos Downloader: Adam Bodner pointed me on Mastodon to iCloud Photos Downloader, a Python-based system that lets you perform various syncing and download operations, including copying media out of your library and then deleting it from iCloud Photos. The app communicates with Apple’s servers directly via a web connection. I’m not sure how they have made this all work, but it apparently does!⁵

OSXPhotos: Another Python-based option, also from a Mastodon colleague, comes via geraint, who pointed me to OSXPhotos. Rather than talking to iCloud.com, OSXPhotos routes its requests through the Photos app. However, it also has a remarkable range of capabilities, including detecting if an optimized image is in place and forcing a download with the correct options selected.

[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]

[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest book, which you can pre-order, is Flong Time, No See. Recent books are Six Centuries of Type & Printing and How Comics Are Made.]