At WWDC 2021, Apple revealed passkeys, its new authentication feature. The technology allows users to log into apps, websites and services using Face ID, Touch ID or a security key on the iPhone, eliminating the need to enter passwords. According to the company, “Passkeys in iCloud Keychain” is a faster and more secure form of authentication. Access keys will be end-to-end encrypted and synced across devices via iCloud. The feature is still in the early testing phase with developers, but a preview will be released in iOS 15.
The new authentication function developed by Apple will work using a technology called WebAuthn, a public-key authentication standard that allows logins using biometric authentication. The idea is that public and private access keys based on the WebAuthn protocol are synchronised across iOS, iPadOS and macOS devices through iCloud. Therefore, the feature will only be available for Apple devices.
To sign in to a website or app using the feature, you will need to create a username for the new account and use Face ID or Touch ID to confirm your identity. You will not have to choose a password because the device itself, through iCloud synchronization, will generate and store the access key that gives access to the platform.
When the user wants to log in to a particular service, all they have to do is enter their username and verify their identity with Face ID or Touch ID. The new login option will only be available for websites, apps and services that support this new technology.
Replacing passwords with access keys brings more security, because ordinary passwords can fail constantly. At the last Google I/O developer conference, Google Senior Vice President of Core Systems Jen Fitzpatrick stated that the most common security vulnerability still comes from bad passwords.
One of these flaws is the phishing attack, a method cybercriminals use repeatedly to spread viruses on devices. Access keys, as an alternative, prevent this type of attack because each key is paired with a specific app or website. Therefore, it is not possible to spoof a login.
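
The pairing described above is also enforced on the server: a WebAuthn login response carries the origin the browser was showing and a hash of the site's relying-party ID, and the site rejects any response bound to a different one. The following is an added example, not Apple's code or part of the original article; `example.com`, the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed relying-party values (assumptions, not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json, authenticator_data, expected_challenge):
    """Return a list of binding failures; an empty list means all checks pass.

    Verifying the signature over authenticator_data + SHA-256(client_data_json)
    with the stored public key is a separate, mandatory step not shown here.
    """
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        errors.append("challenge mismatch")
    # The browser, not the page script, records the origin it is showing.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")
    if len(authenticator_data) < 37:  # 32 hash + 1 flags + 4 counter
        return errors + ["authenticator data too short"]
    # The authenticator hashes the RP ID the credential was looked up for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP: user present
        errors.append("user not present")
    if not flags & 0x04:  # UV: user verified (Face ID / Touch ID)
        errors.append("user not verified")
    return errors


def sample_assertion(origin, rp_id, challenge):
    """Build constructed, unsigned assertion data as seen from `origin`."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
            + (1).to_bytes(4, "big"))
    return client, auth
```

A response produced on any other origin fails both the origin and the `rpIdHash` check, so it cannot be relayed to the real site the way a typed password can.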