Passkeys are only on your devices, never out on the internet.
Passkeys
https://developer.apple.com/passkeys/
Passkeys adoption
https://www.corbado.com/passkeys/adoption
Sign in with passkeys on iPhone
https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios
About the security of passkeys
https://support.apple.com/en-us/HT213305
Why Passkeys Will Be Simpler and More Secure Than Passwords
https://tidbits.com/2022/06/27/why-passkeys-will-be-simpler-and-more-secure-than-passwords/
Apple has unveiled its version of passkeys, an
industry-standard replacement for passwords that offers more
security and protection against hijacking while
simultaneously being far simpler in nearly every respect.
You never type or manage the contents of a passkey, which is
generated when you upgrade a particular website account from
a password-only or password and two-factor authentication
login. Passkeys overcome numerous notable weaknesses with
passwords:
Each passkey is unique, always.
Every passkey is generated on your device, and the secret
portion of it never leaves your device during a login. (You
can securely sync your passkeys across devices or share them
with others.)
Because passkeys are created using a strong encryption
algorithm, you don't have to worry about a "weak" password
that could be guessed or cracked.
A website can't leak your authentication credentials because
sites store only the public component of the passkey that
corresponds to your login, not the secret part that lets you
validate your identity.
An attacker can't phish a passkey from you because a passkey
only presents itself at a legitimately associated website.
Passkeys never need to change because they can't be stolen.
Passkeys don't require two-factor authentication because
they incorporate two different factors as part of their
nature.
Apple, Google, And Microsoft Commit To Expanded Support For
FIDO Standard To Accelerate Availability Of Passwordless
Sign-Ins
https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/
MOUNTAIN VIEW, CALIFORNIA - In a joint effort to make the web
more secure and usable for all, Apple, Google, and Microsoft
today announced plans to expand support for a common
passwordless sign-in standard created by the FIDO Alliance
and the World Wide Web Consortium. The new capability will
allow websites and apps to offer consistent, secure, and
easy passwordless sign-ins to consumers across devices and
platforms.
Password-only authentication is one of the biggest security
problems on the web, and managing so many passwords is
cumbersome for consumers, which often leads consumers to
reuse the same ones across services. This practice can lead
to costly account takeovers, data breaches, and even stolen
identities. While password managers and legacy forms of
two-factor authentication offer incremental improvements,
there has been industry-wide collaboration to create sign-in
technology that is more convenient and more secure.
About the security of passkeys
https://support.apple.com/en-us/HT213305
Passkeys are a replacement for passwords that are designed
to provide websites and apps a passwordless sign-in
experience that is both more convenient and more secure.
Passkeys are a standard-based technology that, unlike
passwords, are resistant to phishing, are always strong, and
are designed so that there are no shared secrets. They
simplify account registration for apps and websites, are
easy to use, and work across all of your Apple devices, and
even non-Apple devices within physical proximity.
Meet passkeys (Video 33+ min)
https://developer.apple.com/videos/play/wwdc2022/10092/
It's time for a security upgrade: Learn how to add support
for passkeys to create a quick and easy sign in experience
for people, all while offering a radical increase to account
security. Passkeys are simple and strong credentials built
to eliminate phishing attacks. We'll share how passkeys are
designed with security in mind, show you how people will use
them, go over how to integrate passkeys in your login flow,
and explore the platform and web APIs you need to adopt this
feature.
Passkeys
https://developer-mdn.apple.com/passkeys/
Based on FIDO Alliance and W3C standards, passkeys replace
passwords with cryptographic key pairs. These key pairs
profoundly improve security.
Strong credentials. Every passkey is strong. They're never
guessable, reused, or weak.
Safe from server leaks. Because servers only keep public
keys, servers are less valuable targets for hackers.
Safe from phishing. Passkeys are intrinsically linked with
the app or website they were created for, so people can
never be tricked into using their passkey to sign in to a
fraudulent app or website.
In iCloud Keychain, passkeys are end-to-end encrypted, so
even Apple can't read them. A passkey ensures a strong,
private relationship between a person and your app or
website.
Apple 'Passkeys' Could Finally Kill Off The Password For Good
https://it.slashdot.org/story/22/06/06/2010255/apple-passkeys-could-finally-kill-off-the-password-for-good
Passkeys are based on the Web Authentication API (WebAuthn),
a standard that uses public-key cryptography instead of
passwords for authenticating users to websites and
applications, and are stored on-device rather than on a web
server. The digital password replacement uses Touch ID or
Face ID for biometric verification, which means that rather
than having to input a long string of characters, an app or
website you're logging into will push a request to your
phone for authentication.
During its WWDC demo of the password-free technology, Apple
showed how passkeys are backed up within the iCloud Keychain
and can be synced across Mac, iPhone, iPad and Apple TV with
end-to-end encryption. Users will also be able to sign in to
websites and apps on non-Apple devices using an iPhone or
iPad to scan a QR code and Touch ID or Face ID to
authenticate. "Because it's just a single tap to sign in,
it's simultaneously easier, faster and more secure than
almost all common forms of authentication today," said
Garrett Davidson, an Apple engineer on the Authentication
Experience team.
sam.wormley@gmail.com