How Apple passkeys are used on iOS and macOS – start tracking passkeys now

This fall, Apple will roll out passkeys to iOS 16 and macOS Ventura devices. This will make it possible to sign up without a password on all devices linked to your iCloud account.

Say hello to Apple’s push of passkeys

Passkeys are the new standard for logins. The big tech giants Apple, Google and Microsoft share this view and see vast potential in passkeys. All three are part of the FIDO Alliance, which developed the standard for the underlying technology. Three months ago, the FIDO Alliance published a whitepaper on the new concept called “multi-device FIDO credentials”, or “passkeys” for short. Hence, passkeys are not exclusively associated with Apple or any other member of the alliance. However, Apple quickly adopted the passkeys branding and strongly promoted the launch of “Passkeys in iCloud Keychain” at its yearly Worldwide Developers Conference (WWDC) in June 2022. We want to give you a brief preview of the look and feel of passkeys on Apple devices.

A quick recap of biometric authentication with Apple

We already covered the general concept of passwordless, biometric authentication in previous articles. In a login ceremony (from the user’s perspective, that simply means using Touch ID or Face ID), a private key is used to generate a digital signature. This signature then proves to a server that it has been created with this unique private key, without ever risking giving away the key itself.

This procedure can already be experienced today using the WebAuthn standard, which is supported by most browsers and devices (demonstrated below with the Safari browser and a MacBook’s Touch ID sensor).

Figure 1: Passwordless authentication with a MacBook’s Touch ID sensor using WebAuthn (MacBook Pro / Touch ID)
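
The login ceremony described above, written out as the check a server performs on the signature (an added example, not code from the original article, Apple or Corbado). A freshly generated P-256 key pair stands in for the passkey, and example.com, makeAssertion, verifyAssertion and demo are illustrative names; the example goes slightly beyond the text by also reading the WebAuthn backup flags that mark a credential as synced.

```javascript
const crypto = require('crypto');
const RP_ID = 'example.com';            // assumed relying-party ID
const ORIGIN = 'https://example.com';   // assumed expected origin
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Authenticator side (constructed stand-in for Touch ID / Face ID signing).
// authenticatorData = rpIdHash | flags | signCount (0 in this sample);
// the signature covers authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, challenge, origin, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: only the public key and the challenge it issued are needed.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const fail = (reason) => ({ ok: false, reason });
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return fail('type');
  if (client.challenge !== expectedChallenge.toString('base64url')) return fail('challenge');
  if (client.origin !== ORIGIN) return fail('origin');
  const data = a.authenticatorData;
  if (!data.subarray(0, 32).equals(sha256(RP_ID))) return fail('rpIdHash');
  const flags = data[32];
  if (!(flags & 0x01)) return fail('user not present');   // UP
  if (!(flags & 0x04)) return fail('user not verified');  // UV (biometric or passcode)
  const signed = Buffer.concat([data, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, a.signature)) return fail('signature');
  // BE/BS flags report whether the credential can be / currently is backed up (synced).
  return { ok: true, backupEligible: !!(flags & 0x08), backedUp: !!(flags & 0x10) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = crypto.randomBytes(32);
  const good = makeAssertion(privateKey, challenge, ORIGIN, 0x1d); // UP|UV|BE|BS
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[32] = 0x05; // flags changed after signing
  return {
    good: verifyAssertion(publicKey, challenge, good),
    staleChallenge: verifyAssertion(publicKey, crypto.randomBytes(32), good),
    wrongOrigin: verifyAssertion(publicKey, challenge,
      makeAssertion(privateKey, challenge, 'https://other.example', 0x1d)),
    tampered: verifyAssertion(publicKey, challenge, tampered),
  };
}
console.log(demo());
```

The private key never leaves makeAssertion; the server accepts the login only when the challenge, origin, relying-party hash, flags and signature all match.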

What’s the magic with passkeys on Apple devices?

One concern that we often hear when talking about WebAuthn is: “What happens if I lose my device or don’t have it with me?” That’s where passkeys come into play. Your device(s) will take care of passkey synchronization and backups. Once the technology is rolled out later this year, you will be able to use your passkeys on all devices that are linked to the same iCloud account. It works pretty much like the iCloud Keychain today, just without the passwords.

If you lose your device, you just take a different Apple device linked to your account or restore the backup, and you're back in. Your passkeys will already be there and allow you to sign into your services with Touch ID or Face ID straight away. If you sign up on a website on device A and want to access the same website later on device B, passkeys are already available.

To achieve this high level of usability, you need to enable iCloud Keychain synchronization, which does not come at the expense of security. Since Apple uses end-to-end encryption for iCloud Keychain, it’s a safe place to store the passkeys. Furthermore, to use passkeys, users must also set up two-factor authentication. When signing in for the first time on a new device, two pieces of information are required—the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number.

Another Apple security feature is iCloud Keychain escrow, which allows passkeys to be recovered even if all devices are lost at the same time.

Then, the passkey will be created after authenticating with Face ID or Touch ID. Next time you want to sign in to the website or app, your device will recognize that you previously saved a passkey and ask if you want to sign in using that passkey. Tap ‘Continue’ and authenticate using your biometrics.

Figure 2: Save a passkey for your linked iCloud account (iPhone X / Face ID)
Figure 3: Sign in using a passkey (iPhone X / Face ID)

The cool thing with passkeys is that you can directly sign in on any other device (that supports passkeys) linked to your iCloud account, as the passkeys are synced via your iCloud Keychain.

Figure 4: Sign in from another iPhone linked to same iCloud account (iPhone 8 / Touch ID)

If you can’t authenticate on the current device, you’ll be able to select that you want to sign in using another device.

Figure 5: Choose from different sign in options (iPhone X / Face ID)

Once you select that option, a QR code will appear which you can scan on the other device and then authenticate yourself.

Figure 6: Generate a QR code that can be scanned with a different iPhone (iPhone X / Face ID)

Can I share my passkeys with other Apple devices not linked to my iCloud account?

Imagine you want to give a friend access to your shared Netflix account. As that account is probably not linked to your iCloud account, you must somehow transfer the passkey to the other device. In that case, Apple allows you to share passkeys via AirDrop. Your friend can simply receive the passkey via AirDrop and import it into their keychain.

Figure 7.1: Share passkeys via AirDrop: select a passkey ...
Figure 7.2: ... and AirDrop it

What if I also use non-Apple devices?

According to Apple, this won’t pose a problem. If you want to sign in from a device that is not linked to your iCloud account, you can simply generate a QR code on your non-Apple device (for instance with Google Chrome on your Windows laptop or with your Android smartphone) and scan it with your iPhone or iPad. Then, you authenticate on your iPhone or iPad with Touch ID or Face ID to sign in – that’s it. As an additional layer of security, the non-Apple device and the Apple device should be in physical proximity of each other, since the process will be using Bluetooth. You can’t send photos of QR codes and scan them on your Apple device from far away.

Figure 8: Login from a Windows 10 laptop with Google Chrome displaying a QR Code (step 1)
Figure 9.1: Scan the QR code with an iPhone with Touch ID ...
Figure 9.2: ... or with an iPhone with Face ID and save a passkey as in figure 2 (step 2)

Alternatively, if your non-Apple device supports WebAuthn and has biometric sensors, separate passkeys can be registered for that platform, e.g. for a Windows laptop with a fingerprint sensor using Windows Hello. However, this requires a cross-platform API, such as the one provided by Corbado.

How to get started with Apple passkeys?

Apple announced it'll bring passkeys to iOS 16 and macOS Ventura with its major software updates on September 19. With automatic updates, iOS 16 will be distributed to 85% of all Apple users by the end of the year. Leading digital companies, like Airbnb or Booking.com, will offer passkey login soon.

Start now! To prepare you for passkey login, Corbado offers a free passkey tracking tool that analyzes the passkey-readiness of your user base. Click here to use it for free.

Corbado provides APIs that cover all cross-platform and cross-device aspects to let you offer passkey login for all your users and transition them smoothly to passkeys. You don’t need to worry about security updates or supported platforms and devices. We have you covered. We will help you in your gradual migration from passwords to passkeys.

To stay updated about the new devices, browsers and operating systems that provide full support for passkeys, subscribe to our passkeys newsletter.
