Apple’s Passkeys Could Usher In a Password-Free Future
Apple's recently announced passkey feature may forever change the way you log in to your online accounts. Here's what passkeys are and how to use them.
Let’s face it: Hackers love to prey on our weak and reused passwords. Most of us struggle to follow proper password hygiene, and using easy-to-guess passwords puts our online security at risk. That’s why Apple’s new “passkey” feature—which the company unveiled at its recent developer conference—might just be the solution to stopping cybercriminals and ditching weak passwords for good.
“Passkeys are a way to help users secure themselves and their digital lives,” says Chris Furtick, director of security engineering at Fortalice Solutions, which provides cybersecurity services. “Once we transition from the use and reuse of passwords to the more secure practice of passkeys, it will be much more difficult for the fraudsters to access our accounts.”
Considering passwordless access is the way of the future, you’re going to want to understand the concept before Apple launches the feature in September. We’ve got you covered with an explainer on what passkeys are, how to use them, why they’re safer than passwords, and what they mean for the future. Until then, you should still create good passwords that are complex and unique, store passwords in password managers, use two-factor authentication, and know how to tell if your computer has been hacked to keep your online accounts secure.
What are passkeys?
In simple terms, passkeys are data stored on your devices that verify your identity, allowing you to log in to a website, application, or device. They can be used across many platforms, but Apple’s passkeys feature is “the Apple-flavored future of password managers,” says Caitlin Johanson, vice president of application security at the cybersecurity firm Coalfire.
Passkeys will replace passwords on Apple devices, using biometrics like fingerprint recognition (Touch ID) and facial recognition (Face ID) for authentication instead. When users create or log in to an online account from their iPhones, iPads, or Macs, all they have to do is enter their biometric passkey rather than a passphrase. “Instead of you remembering a 12-digit password, you can create a passkey that will allow you to use biometrics to log you in to the site you want to access,” Furtick says.
This new feature is a great opportunity to boost your iPhone security. Unlike passwords, passkeys “cannot be guessed, and they cannot be discovered,” says Thomas Reed, director of Mac and mobile at Malwarebytes, a cybersecurity company. “They allow the average person to secure their accounts without having to know anything about proper password hygiene.”
How do passkeys work?
Passkeys use an encryption technology that is commonly found on security apps and email. When you create an account on a passkey-enabled website using Face ID or Touch ID, the site creates encrypted “keys” that only you and your device can decrypt. By restricting who can access the data, the entire system stays secure from hackers and spyware, according to Reed.
To log in to a passkey-enabled website on an Apple device, you’ll be prompted to verify your identity using Face ID or Touch ID rather than typing in a password. The site will recognize the key and give you access. Passkeys will sync across all Apple devices—including iPhones, iPads, and Macs with iOS 16 and MacOS Ventura—through iCloud’s Keychain, which acts as an Apple password manager.
You can still use passkeys if you’re on a computer without Touch ID, such as a PC. In that case, you’ll scan a QR code on the website with your iPhone, which will use a passkey to sign you in.
Why are passkeys safer than passwords?
While passwords are as old as computers themselves, they are not very secure. “Passwords are the major cause of many breaches, are difficult to remember, and are easily ‘cracked’ by a motivated attacker” through phishing, spoofing, and other cyberattacks, Furtick says.
If your password is compromised, it can fall into the hands of bad actors hoping to commit financial fraud and other crimes. A compromised password could also leave you vulnerable to getting hacked on Instagram or Facebook, or in more serious cases, becoming a victim of doxxing—especially if you use that password for multiple accounts.
Passkeys, on the other hand, are unique and complex, cannot be accessed by anyone other than the owner, and are almost impossible to steal or hack. “The ability to use key pairs instead of passwords is a huge step in the right direction [for online security], as your ‘password’ has now become intrinsically complex and unique and doesn’t ever have to be reused,” Johanson says.
The bottom line? “The shift from passwords to passkeys may very well be the impetus for a transition to a much safer digital world,” Furtick says.
Is the future passwordless?
Apple has taken a big step toward a passwordless future by creating a passkey feature for its devices—and this is only the beginning. Microsoft, Google, and other tech companies have announced their intention to ditch passwords and shift to using passkeys too.
“Passkeys will not be limited to Apple systems,” Reed says. “Once they become widely adopted, they should be usable by any device to connect to any system that needs authentication.”
That said, a passwordless future won’t arrive right away. “It will take time for sites, services, and applications to implement the passkey standards into their products,” Furtick says. Tech companies also need to fix any issues that could make passkeys vulnerable to attackers, according to experts.