Apple Just Killed the Password—for Real This Time

Not necessarily to do with books and writing, but PG has grown to hate passwords because he has such a huge collection of them. He uses a password manager to keep track of his many long randomly-generated passwords.

However, if PG is trying to access a website from a machine that doesn’t have his password manager installed (for example when he is not signing in from a computer located at Casa PG), he hates the hassles that arise all too frequently because he has to look up a 34-character random password on his phone, then try to type the password into an alien machine without getting a single character wrong.

From Wired:

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don’t exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

Link to the rest at Wired

16 thoughts on “Apple Just Killed the Password—for Real This Time”

  1. As usual, the press only notices something when Apple (finally) does it.

    That title is waaayyy off base.

PCs have been doing passwordless for ages: fingerprint readers were on PCs 20 years ago. I had one from HP. IBM had them in 2004. For that matter, XBOX consoles had face recognition in 2010 via Kinect: stand before the TV and it would log you in.

    More recently Microsoft Hello has had a unified API to do face recognition as well as fingerprints, two factor recognition, and pins, across multiple devices and online platforms through their Microsoft account which offers a single signin via their authenticator app, since Windows 10. On laptops, you open it up and the system recognizes you and logs you in. Old stuff.

    Wired makes it seem like Apple is unique and the first to address the issue.
    They’re not.
They’re just a latecomer to the FIDO alliance (which dates back to 2019 and earlier) catching up with Google and Microsoft and others all over.

    And on top of it all, passwords will still hang around indefinitely.
    It’s way too late to “kill” them.
    And when it comes to personal computers, a lot of people actually disable the entire authentication process, anyway.

  2. <sarcasm> No, it’s only at Wired that nothing gets noticed until it’s official from Cupertino… or utterly distorted by any member of the US Senate. </sarcasm>

    Biometrics are only as secure as the hashtags and other representations used to turn them into easily-XORable numeric strings. Which is to say not very; and in this day of relatively high-resolution cell phone pictures getting tagged on antisocial media and in who knows what other databases, the hacking possibilities are endless.

    One of the advantages of password-like systems is that individual passwords are quickly and easily changed if compromised. Further, unlike biometrics, it’s easy to keep distinct passwords for different uses. Biometrics… not so much. (And that also assumes that appearances never change over time, including silly things like “got a black eye from a foul ball at the company picnic.”)

    • Right. To say nothing of the fact that biometrics also require whatever device you use to take and read them to be working properly.

      • Hell, the TSA has been doing this since about 45 seconds after the first person of Middle Eastern descent came through Kennedy carrying a cellphone and conversing in Arabic. OK, maybe it took as much as ten minutes.

  3. And then, on ordinary practical grounds…

    1) Maybe you use a latest & greatest cellphone or computer with appropriate cameras/fingertip devices. Maybe not.

    2) Maybe you don’t want to carry your cellphone in your insufficiently-large pocket everywhere you go. Maybe (gasp) you aren’t even online while using your device.

    3) Maybe (say it quietly) you’re using a different computer than normal, and it’s not equipped.

    4) Maybe you’ve finally dropped 50 lbs in the last 2 years and your facial biometrics ain’t never gonna match.

    5) Maybe you aren’t willing to put your biometrics into any system where a hostile government can get access to them. Or Apple.

    Convenience is often the enemy of security, and it’s generally too late to take precautions after you’ve fully digested the problem.

    • I spent two years having to manually type my iPhone password whenever I was out and about, because the facial-recognition software had no idea who I was when wearing a gorram COVID mask.

    • Reminds me of the time I’d been doing a lot of sanding in the days before I flew to the States. On arrival, the machine could not read my fingerprints# and I had to go to a little room to be interviewed whilst the security staff decided whether I was a danger to the country. Next time I visited I made sure not to do any woodworking immediately prior to travelling. I actually have dropped 50+ lbs in the last year but it hasn’t affected the few facial recognition systems I use: they were iffy before I lost weight and remain hit and miss to this day.

# Karen, your point (5) falls down for a foreigner visiting the USA as one is not given a choice about providing fingerprints (unless, of course, I’m not allowed to consider the USA as having a hostile government?)

    • One basic security measure that I have is no camera or microphone on my home system. The stupid smart phone that I carry, sometimes, has GPS always turned off (for what good that really does) – but has no apps on it, especially any financial ones. About all that they’ll figure out from it is that the family did, or did not, need bananas last Thursday when I texted the wife to ask. I only carry it when out shopping.

      • I disable location, digital data, and WiFi.
        Not out of paranoia but to maximize battery life.
        I rarely use it online anyway. Just voice and SMS.
        Online? At medical offices a few minutes at a time to check email, MSN NEWS, and TPV. 😉

      • I’m a bit worse: I hacked mine. I’ve turned off location services… but for any service other than cell-tower reception that nonetheless gets it, I reset the zero point to McMurdo Bay. So there are penguins on my phone even without a Linux operating system.

        And that makes those spam calls claiming that they’re law enforcement right outside the door (notwithstanding the walrus!), waiting to arrest me unless I send gift cards, very interesting indeed…

  4. Okay, now that the Cupertino hype has toned down, here’s the reality:

    “It’s a new type of login credential consisting of a little bit of digital data your PC or phone uses when logging onto a server. You approve each use of that data with an authentication step, such as fingerprint check, face recognition, a PIN code or the login swipe pattern familiar to Android phone owners.

    Here’s the catch: You’ll have to have your phone or computer with you to use passkeys. You can’t log onto a passkey-secured account from a friend’s computer without a device of your own. ”

    1- As I said before, it is FIDO-based, so not unique to Apple. Just their flavor of what everybody else is doing.

2- It is just a software version of the old code-generating security dongles from generations past. Those go back 50 years and were first used to “prevent” software piracy. They evolved over time into synchronized code generators, typically using RSA security. To log in or enter a secure location you had to have the code dongle with you. With “PASSKEY” your phone, tablet, or PC becomes your code generator. But the system is tied to *one* device. Given that people can easily have *four* devices or more (phone, tablet, work PC, home PC, laptops, and consoles) to access Internet sites, the system is actually more complex than a code dongle.

3- It *still* needs a password, PIN, or biometrics to get the login code. So it is no different than the two-factor authentication systems that email or text you single-use codes.

Typical Cupertino hyperventilation.
