Apple Resources - Passkeys (replaces passwords)
http://edu-observatory.org/olli/Apple_Resources/Passkeys.html



  Passkeys are only on your devices, never out on the internet.
  
  Every passkey is generated on your device, and the secret
  portion of it never leaves your device during a login. (You
  can securely sync your passkeys across devices or share them
  with others.)

  Because passkeys are created using a strong encryption
  algorithm, you don't have to worry about a "weak" password
  that could be guessed or cracked.


Passkeys
  https://developer.apple.com/passkeys/   

Passkeys adoption
  https://www.corbado.com/passkeys/adoption

Sign in with passkeys on iPhone
  https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios   

About the security of passkeys
  https://support.apple.com/en-us/HT213305   






Why Passkeys Will Be Simpler and More Secure Than Passwords
  https://tidbits.com/2022/06/27/why-passkeys-will-be-simpler-and-more-secure-than-passwords/

  Apple has unveiled its version of passkeys, an
  industry-standard replacement for passwords that offers more
  security and protection against hijacking while simultaneously
  being far simpler in nearly every respect. You never type or
  manage the contents of a passkey, which is generated when you
  upgrade a particular website account from a password-only or
  password and two-factor authentication login.

  Passkeys overcome numerous notable weaknesses with passwords:

  Each passkey is unique, always.

  Every passkey is generated on your device, and the secret
  portion of it never leaves your device during a login. (You
  can securely sync your passkeys across devices or share them
  with others.)

  Because passkeys are created using a strong encryption
  algorithm, you don't have to worry about a "weak" password
  that could be guessed or cracked.

  A website can't leak your authentication credentials because
  sites store only the public component of the passkey that
  corresponds to your login, not the secret part that lets you
  validate your identity.

  An attacker can't phish a passkey from you because a passkey
  only presents itself at a legitimately associated website.

  Passkeys never need to change because they can't be stolen.

  Passkeys don't require two-factor authentication because they
  incorporate two different factors as part of their nature.

Apple, Google, And Microsoft Commit To Expanded Support For FIDO Standard To Accelerate Availability Of Passwordless Sign-Ins
  https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/

  MOUNTAIN VIEW, CALIFORNIA In a joint effort to make the web
  more secure and usable for all, Apple, Google, and Microsoft
  today announced plans to expand support for a common
  passwordless sign-in standard created by the FIDO Alliance and
  the World Wide Web Consortium. The new capability will allow
  websites and apps to offer consistent, secure, and easy
  passwordless sign-ins to consumers across devices and
  platforms.

  Password-only authentication is one of the biggest security
  problems on the web, and managing so many passwords is
  cumbersome for consumers, which often leads consumers to reuse
  the same ones across services. This practice can lead to
  costly account takeovers, data breaches, and even stolen
  identities. While password managers and legacy forms of
  two-factor authentication offer incremental improvements,
  there has been industry-wide collaboration to create sign-in
  technology that is more convenient and more secure.

About the security of passkeys
  https://support.apple.com/en-us/HT213305

  Passkeys are a replacement for passwords that are designed to
  provide websites and apps a passwordless sign-in experience
  that is both more convenient and more secure. Passkeys are a
  standard-based technology that, unlike passwords, are
  resistant to phishing, are always strong, and are designed so
  that there are no shared secrets. They simplify account
  registration for apps and websites, are easy to use, and work
  across all of your Apple devices, and even non-Apple devices
  within physical proximity.

Meet passkeys (Video 33+ min)
  https://developer.apple.com/videos/play/wwdc2022/10092/

  It's time for a security upgrade: Learn how to add support for
  passkeys to create a quick and easy sign in experience for
  people, all while offering a radical increase to account
  security. Passkeys are simple and strong credentials built to
  eliminate phishing attacks. We'll share how passkeys are
  designed with security in mind, show you how people will use
  them, go over how to integrate passkeys in your log in flow,
  and explore the platform and web APIs you need to adopt this
  feature.

Passkeys
  https://developer-mdn.apple.com/passkeys/

  Based on FIDO Alliance and W3C standards, passkeys replace
  passwords with cryptographic key pairs. These key pairs
  profoundly improve security.

  Strong credentials. Every passkey is strong. They're never
  guessable, reused, or weak.

  Safe from server leaks. Because servers only keep public keys,
  servers are less valuable targets for hackers.

  Safe from phishing. Passkeys are intrinsically linked with the
  app or website they were created for, so people can never be
  tricked into using their passkey to sign in to a fraudulent
  app or website.

  In iCloud Keychain, passkeys are end-to-end encrypted, so even
  Apple can't read them. A passkey ensures a strong, private
  relationship between a person and your app or website.

Apple 'Passkeys' Could Finally Kill Off The Password For Good
  https://it.slashdot.org/story/22/06/06/2010255/apple-passkeys-could-finally-kill-off-the-password-for-good

  Passkeys are based on the Web Authentication API (WebAuthn), a
  standard that uses public-key cryptography instead of
  passwords for authenticating users to websites and
  applications, and are stored on-device rather than on a web
  server. The digital password replacement uses Touch ID or Face
  ID for biometric verification, which means that rather than
  having to input a long string of characters, an app or website
  you're logging into will push a request to your phone for
  authentication.

  During its WWDC demo of the password-free technology, Apple
  showed how passkeys are backed up within the iCloud Keychain
  and can be synced across Mac, iPhone, iPad and Apple TV with
  end-to-end encryption. Users will also be able to sign in to
  websites and apps on non-Apple devices using an iPhone or iPad
  to scan a QR code and Touch ID or Face ID to authenticate.

  "Because it's just a single tap to sign in, it's
  simultaneously easier, faster and more secure than almost all
  common forms of authentication today," said Garrett Davidson,
  an Apple engineer on the Authentication Experience team.

sam.wormley@gmail.com