Passwords can be a nightmare. They are often forgotten, exposed in breaches and repeated across services. It is with this in mind that Apple has become the latest big tech company to take game-changing steps towards removing passwords altogether, in favor of biometrics via its Face ID and Touch ID features.
The iPhone maker’s password plans were first revealed at its WWDC conference this week, in a developer session titled, “Move Beyond Passwords.”
The new feature, Passkeys in iCloud Keychain, will arrive on iPhones and Macs via iOS 15 and macOS Monterey. You can use it each time you sign up to a new service, as long as that service supports it.
Based on WebAuthn technology, all Passkeys will be generated and stored on your device. Like passwords on the iCloud Keychain, they will be synchronized across all your Apple devices via your Apple ID.
“Because it’s just a single tap to sign in, it’s simultaneously easier, faster and more secure than almost all common forms of authentication today,” says Garrett Davidson, an Apple authentication experience engineer.
Can Apple really kill passwords?
Google has also moved to try to eliminate passwords—or at least add another form of authentication—by making two-factor authentication a default for millions of Gmail users.
But Sean Wright, SME application security lead at Immersive Labs, says he doesn’t see passwords being entirely replaced, at least for the next few years. “They have become so engrained into systems, that it will take a significant effort and cost to change this.”
Even so, Wright thinks biometrics such as Apple’s Face ID and Touch ID are “great,” pointing out that “the convenience of them is far better than any password solution.”
However, the problem with biometrics, says Wright, is: “Once your biometric data has become compromised, how is that handled? This is not like a password—you can’t simply change your fingerprint or facial features.”
In fact, Wright thinks a better approach is to use hardware tokens such as the Yubico YubiKey. “That way if my token is ever compromised, I can simply replace it with another one.”
Jake Moore, cybersecurity specialist at ESET, agrees: “We are still a way off passwordless times, but at least Apple is attempting to pave the way to make account access more secure as well as convenient.”
But Moore also points out that malicious actors will “inevitably attempt to circumnavigate a system by looking at features to exploit, such as the ‘revived method’.”
He explains: “When someone loses their iPhone or it breaks, they will require a recovery method to gain access back into their accounts—which is potentially where malicious actors will target in order to bypass the normal security and gain illicit entry.”
Passkeys is a pretty cool feature for Apple iPhones and Macs, and hopefully one developers will adopt. But even if they do, it will take time to grow, so although the Apple move may help remove reliance on passwords, don’t expect them to die any time in the near future.