Apple Resources - Passkeys (replaces passwords)

Why Passkeys Will Be Simpler and More Secure Than Passwords   

  Apple has unveiled its version of passkeys, an
  industry-standard replacement for passwords that offers more
  security and protection against hijacking while
  simultaneously being far simpler in nearly every respect.

  You never type or manage the contents of a passkey, which is
  generated when you upgrade a particular website account from
  a password-only or password and two-factor authentication
  login. Passkeys overcome numerous notable weaknesses with

  Each passkey is unique, always.

  Every passkey is generated on your device, and the secret
  portion of it never leaves your device during a login. (You
  can securely sync your passkeys across devices or share them
  with others.)

  Because passkeys are created using a strong encryption
  algorithm, you don't have to worry about a "weak" password
  that could be guessed or cracked.

  A website can't leak your authentication credentials because
  sites store only the public component of the passkey that
  corresponds to your login, not the secret part that lets you
  validate your identity.

  An attacker can't phish a passkey from you because a passkey
  only presents itself at a legitimately associated website.

  Passkeys never need to change because they can't be stolen.

  Passkeys don't require two-factor authentication because
  they incorporate two different factors as part of their

Apple, Google, And Microsoft Commit To Expanded Support For
FIDO Standard To Accelerate Availability Of Passwordless

  MOUNTAIN VIEW, CALIFORNIA - In a joint effort to make the web
  more secure and usable for all, Apple, Google, and Microsoft
  today announced plans to expand support for a common
  passwordless sign-in standard created by the FIDO Alliance
  and the World Wide Web Consortium. The new capability will
  allow websites and apps to offer consistent, secure, and
  easy passwordless sign-ins to consumers across devices and

  Password-only authentication is one of the biggest security
  problems on the web, and managing so many passwords is
  cumbersome for consumers, which often leads consumers to
  reuse the same ones across services. This practice can lead
  to costly account takeovers, data breaches, and even stolen
  identities. While password managers and legacy forms of
  two-factor authentication offer incremental improvements,
  there has been industry-wide collaboration to create sign-in
  technology that is more convenient and more secure.

About the security of passkeys   

  Passkeys are a replacement for passwords that are designed
  to provide websites and apps a passwordless sign-in
  experience that is both more convenient and more secure.
  Passkeys are a standard-based technology that, unlike
  passwords, are resistant to phishing, are always strong, and
  are designed so that there are no shared secrets. They
  simplify account registration for apps and websites, are
  easy to use, and work across all of your Apple devices, and
  even non-Apple devices within physical proximity.

Meet passkeys (Video 33+ min)   

  It's time for a security upgrade: Learn how to add support
  for passkeys to create a quick and easy sign-in experience
  for people, all while offering a radical increase to account
  security. Passkeys are simple and strong credentials built
  to eliminate phishing attacks. We'll share how passkeys are
  designed with security in mind, show you how people will use
  them, go over how to integrate passkeys in your login flow,
  and explore the platform and web APIs you need to adopt this


  Based on FIDO Alliance and W3C standards, passkeys replace
  passwords with cryptographic key pairs. These key pairs
  profoundly improve security.

  Strong credentials. Every passkey is strong. They're never
  guessable, reused, or weak.

  Safe from server leaks. Because servers only keep public
  keys, servers are less valuable targets for hackers.

  Safe from phishing. Passkeys are intrinsically linked with
  the app or website they were created for, so people can
  never be tricked into using their passkey to sign in to a
  fraudulent app or website.

  In iCloud Keychain, passkeys are end-to-end encrypted, so
  even Apple can't read them. A passkey ensures a strong,
  private relationship between a person and your app or

Apple 'Passkeys' Could Finally Kill Off The Password For Good   

  Passkeys are based on the Web Authentication API (WebAuthn),
  a standard that uses public-key cryptography instead of
  passwords for authenticating users to websites and
  applications, and are stored on-device rather than on a web
  server. The digital password replacement uses Touch ID or
  Face ID for biometric verification, which means that rather
  than having to input a long string of characters, an app or
  website you're logging into will push a request to your
  phone for authentication.

  During its WWDC demo of the password-free technology, Apple
  showed how passkeys are backed up within the iCloud Keychain
  and can be synced across Mac, iPhone, iPad and Apple TV with
  end-to-end encryption. Users will also be able to sign in to
  websites and apps on non-Apple devices using an iPhone or
  iPad to scan a QR code and Touch ID or Face ID to
  authenticate. "Because it's just a single tap to sign in,
  it's simultaneously easier, faster and more secure than
  almost all common forms of authentication today," said
  Garrett Davidson, an Apple engineer on the Authentication
  Experience team.