Six Colors

by Jason Snell & Dan Moren

By Dan Moren

WWDC 2022: Passkeys hit primetime

Last year, Apple started tolling the death knell for passwords with the first round of passkey support on its platforms. At the time, I wrote:

…the writing is on the wall for the good old password, and the first step to its demise is being rolled out in macOS Monterey and iOS 15—though it will probably take at least a couple years before it comes to fruition.

Well, the future is here, somewhat sooner than I thought. With Apple’s forthcoming updates, passkeys are a reality, ready for developers to start offing the password with extreme prejudice. In its WWDC keynote, Apple gave passkeys some time in the spotlight, explaining just how much more secure of an option they are when it comes to authentication. The message is clear: passwords just aren’t sufficient for the connected world we now live in and the sooner they go into the dustbin, the better for everyone.

As usual, Apple’s WWDC sessions spend a little more time detailing how developers can add passkey support to their apps, as well as discussing how to deal with some additional cases that might crop up.

Passkeys
Apple’s newest updates will allow you to log in with passkeys, as well as other authentication methods if necessary.

The best part of this transition is that it should be pretty straightforward for users once apps and web services start offering passkeys as an option. Generating a passkey is as simple as enabling it in the app or service and then authenticating with biometrics. Subsequent logins are handled with biometrics, like Face ID or Touch ID, and can generally be accomplished with a single tap. And because passkeys are stored in iCloud, they’re synced between all your devices. You can even have multiple passkeys for a site or service stored on your device, if you have multiple accounts, and choose the appropriate one if needed.

The addition of passkeys should also remove the need for multifactor authentication—no more entering codes from an app or via SMS. That was always an additional feature provided because of passwords’ inherent insecurity, but the way in which passkeys work makes it unnecessary.

For those who already use iCloud Keychain for passwords, all of this should be pretty much second nature and, in retrospect, it’s clear that iCloud Keychain has been Apple training its users for this passwordless future. For example, just as you can currently share passwords from iCloud Keychain with AirDrop, that same feature will be available for passkeys as well—that way, if you have an account shared with someone, like a friend or another member of your family, you can easily give them access to those credentials.

It’s worth noting that while AirDrop is the only Share option in iCloud Keychain, you’ve also been able to copy and paste passwords listed in the Passwords section, letting you send those credentials via an email or iMessage (which you probably shouldn’t do, for security’s sake). However, given the nature of passkeys (which are very lengthy strings of random characters), it doesn’t look like you’ll be able to copy and paste them—probably for the best, again, for reasons of security, though it may frustrate some users trying to cram the passkey into a password-shaped hole.

There’s also no solution for bulk sharing of credentials, as via a shared vault in a password manager like 1Password; the only sharing option is on a per-passkey basis. It’ll be interesting to see if Apple thinks this needs to be updated in the future to something more like iCloud Shared Keychains, but that’s not a road that it’s taken so far with passwords.

Login with another device
Logging in to another device with passkeys involves creating a Bluetooth connection between the two, for extra security.

One additional question that has now been answered for passkeys is what happens when you’re logging in on another device, either from Apple or another manufacturer. The FIDO Alliance that backs the passkey standard (of which companies like Apple, Microsoft, Google, and Amazon are all members) has an approved solution: a QR code that you scan with your phone, providing a secure way to log in.

The methodology behind this process is fascinating: among other things, the authenticating device (likely your iPhone) creates a Bluetooth-based relay server which, by the very nature of Bluetooth’s limited range, helps ensure that you are in fact in proximity to the device into which you’re logging in. That makes it much more difficult for phishers to trick you into giving up your passkey: sending you a QR code in an email or text message won’t work because it won’t be able to get access to the Bluetooth connection.
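The proximity check described above, as an added Python simulation that is not from the article, Apple, or the FIDO specification: it models only the idea (a secret carried in the QR code, a Bluetooth advertisement derived from it, and a range limit). The function names, the 10 m range, and the HMAC construction are assumptions for illustration, not the real protocol.

```python
import hashlib
import hmac
import secrets

RADIO_RANGE_M = 10.0  # assumed Bluetooth range for this simulation


def make_advert(qr_secret: bytes) -> bytes:
    """Phone: after scanning the QR code, broadcast nonce + tag keyed by its secret."""
    nonce = secrets.token_bytes(8)
    tag = hmac.new(qr_secret, nonce, hashlib.sha256).digest()[:16]
    return nonce + tag


def advert_matches(qr_secret: bytes, advert: bytes) -> bool:
    """Browser: does this advertisement come from a phone that scanned *our* QR code?"""
    nonce, tag = advert[:8], advert[8:]
    expected = hmac.new(qr_secret, nonce, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, expected)


def qr_login(displayed_secret: bytes, scanned_secret: bytes, distance_m: float) -> str:
    """One login attempt, seen from the browser that is showing the QR code.

    displayed_secret: secret inside the QR code this browser generated
    scanned_secret:   secret inside the QR code the phone actually scanned
    distance_m:       distance between the phone and this browser's computer
    """
    advert = make_advert(scanned_secret)
    if distance_m > RADIO_RANGE_M:
        return "abort: no advertisement heard"  # radio never reaches the browser
    if not advert_matches(displayed_secret, advert):
        return "abort: advertisement is for another session"
    return "proceed: phone is nearby, continue to passkey sign-in"


def run_scenarios() -> dict:
    secret = secrets.token_bytes(16)  # constructed sample session
    other = secrets.token_bytes(16)   # constructed unrelated session
    return {
        # User scans the code on the laptop in front of them.
        "same_desk": qr_login(secret, secret, distance_m=0.5),
        # QR code forwarded by email/text and scanned far from the browser showing it.
        "forwarded_qr": qr_login(secret, secret, distance_m=500_000.0),
        # A nearby phone that scanned some unrelated QR code.
        "unrelated_phone": qr_login(secret, other, distance_m=0.5),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The forwarded-QR case fails even though the phone holds the correct secret, because the browser displaying the code never hears the advertisement.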

Of course, this does still put into relief one potential issue with the passwordless future: it depends on having a device to serve as an authenticator. Widespread as smartphones are, not everybody has one, and those who don’t will probably still have to rely on memorized passwords (or, say, a security key with biometric authentication built in).

Making passwords better

Passwords won’t go away tomorrow, of course, or even in the fall when the new platforms ship. And so Apple’s not neglecting improving the password experience in the interim. There are a couple additional password-related features coming in the fall releases that are worth detailing:

Wi-Fi Passwords in Settings: Apple devices’ ability to share Wi-Fi passwords with people in your contacts has been a lifesaver, but sometimes that feature doesn’t work, or you have a non-Apple device you want to get online, or you just want to look up the darn password. On the Mac you’ve always been able to look up your Wi-Fi network passwords in the Keychain Access app and now with iOS/iPadOS 16, those Wi-Fi passwords will be available in the Passwords section of Settings; on the Mac, you’ll be able to find them in Network Preferences as well.

Strong password editing: Stop me if you’ve heard this one: you’re creating a new password for an account on a website and iCloud Keychain suggests a good, strong option. Only problem is it’s one of those sites that insists you follow its rules for creating passwords: this many numbers, that many letters, only these prescribed special characters, and so on. In the past, adapting the strong password suggested by Keychain to meet these requirements has involved an awkward dance of copying and pasting—or falling back to another password manager, or, worst of all, a weaker password. But in the latest Apple platform updates, you’ll also be able to edit those suggested passwords inline to make them comply with the rules on a given site.

Our journey towards our more secure future continues apace and here’s hoping that by the time WWDC 2023 rolls around, we’re all using more passkeys in our lives.

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Twitter at @dmoren or reach him by email at dan@sixcolors.com. His latest novel, The Nova Incident, comes out in July and is available to pre-order now, so do it!]
