Passkeys: Apple unveils its plan to kill passwords

Apple plans to replace passwords with access codes (Passkeys). With the help of biometrics, you can use Face ID or Touch ID on your iPhone to connect elsewhere.

It was during WWDC 2022 that Apple gave a small preview of what will be the end of passwords in its ecosystem. The American company took advantage of the presentation of its new computer operating system, macOS Ventura, to show its battle plan. The system is called “Passkeys” — Codes d’accès, in French.

The idea of ​​Access Codes is to provide an alternative way of identifying oneself to passwords. It is a question of replacing them by using a product of the American brand, such as an iPhone or a Mac. It is through him that we will connect. For this, the Safari web browser, designed by Apple, will be mobilized, in particular.

An overview of how Passkeys works. // Source: Apple

This new approach, develops the Cupertino company, is perceived as much safer, including in the face of ” all the usual two-factor authentication methods “, according to the group. Strong authentication is currently the most recommended solution for the general public. It offers high level protection, while remaining convenient to use.

In effect, it takes the password out of the computer security equation. In doing so, it neutralizes attacks based on it, such as phishing, which consists of tricking an individual into giving their username and password, but also social engineering, which has the same objective, and database leaks containing such codes.

Ventura is Apple’s first platform to feature passcode support, via Safari. But we guess that the Passkeys are intended to spread to the rest of the ecosystem, especially since the bricks on which this system is based are already in place, or almost. Safari is available on all Apple devices and biometrics is also widely deployed.

WWDC 2022 –  June 6 _ Apple 1-22-42 screenshot
The promise of access codes: put an end to certain computer threats.

Apple intends to mobilize biometrics to turn the page on passwords

The access codes will use biometrics instead of the password. Biometrics consists of using physiological parameters to check whether or not a person has the right to access a particular resource. For Apple, this involves reading a fingerprint (Touch ID) or facial recognition (Face ID).

These solutions have long been part of Apple’s most popular products, along with the iPhone or iPad. The idea, in short, is to use one or the other, not to unlock your terminal, but to connect to your Mac, to a website or to an application. If access codes are to replace passwords, they must therefore be usable everywhere.

In theory, access codes would also solve the problem of memorizing passwords: no need to make an intellectual effort, since there is nothing left to remember. Everything goes through your physical characteristics, which you don’t need to recite. Just read them. It’s very simple on paper. And it’s a dreaded topic for password managers.

The switch to more biometrics raises sensitive questions, because if the password is a sensitive element, a biometric parameter is critical data. It is common to say that if a password is hacked, just replace it on the fly. For biometrics, you cannot change your face, fingerprints, iris or voice.

Face ID with a mask is new in iOS 15.4.
Apple has evolved Face ID with the circumstances of the covid pandemic. // Source: Numerama

Obviously, Apple has taken care to limit the risk of hacking as much as possible. ” Face ID data never leaves the device and is never backed up to iCloud or anywhere else “recalls the company. In the case of facial recognition, which was introduced with the iPhone X, it is from a mathematical representation of the face that the comparison is made.

Apple also plans to erect barriers to protect these access codes. They are intended to remain on the device (for example the iPhone): they are never stored on a web server. They have the possibility of circulating between the different devices belonging to the same individual (iPhone, iPad, Mac, Apple TV), via end-to-end encryption and the iCloud Keychain.

Apple’s assertions will certainly be put to the test in the days, weeks and months to come, when the system becomes more democratic and computer security specialists or more malicious people try to construct strategies to misuse access codes — by exploiting software or hardware vulnerabilities.

Passcodes are unique digital keys that stay on the device and are never stored on a web server


But if zero risk does not exist in IT, the risk-benefit balance is likely to tip in favor of Passkeys. Compared to the current panorama of passwords, which are stolen, stolen, too weak, too common, too similar to each other, access codes seem to present less exposure – in any case much less than passwords.

It will be to be judged on parts. Still, the access codes have other merits: they are very accessible and easy to use. They seem to generate less friction when connecting to a service, terminal, site or app. They can even be used to lock down something very mundane, like a note on Mac, without having to create (and remember) another mass word.

This plan is not a solitary fad of Apple. It is in fact part of a larger plan that mobilizes other tech giants, starting with Microsoft (Windows) and Google (Android). Others, like Amazon, Intel, Facebook, Lenovo, Mastercard, PayPal, Qualcomm, Thales, Samsung, Yahoo, Visa, ARM, eBay, Huawei, Netflix, Sony and Twitter, are also on the way.

At the beginning of May, Apple, Google and Microsoft announced the joining of their forces to make emerge faster a world without passwords. The three giants have agreed that this requires that these unique digital keys can be used beyond each ecosystem. In short, an iPhone would unlock a Windows PC. And so on.

Follow WWDC news

Leave a Comment