How Apple passkeys are used on iOS and macOS – start tracking passkeys now
This fall, Apple will roll out passkeys to iOS 16 and macOS Ventura devices. This will make it possible to sign up without a password on all devices linked to your iCloud account.
Say hello to Apple’s push of passkeys
Passkeys are the new standard for logins. This view and the vast potential of passkeys are shared by the big tech giants Apple, Google and Microsoft – all part of the FIDO Alliance, which developed the standard for the underlying technology. Three months ago, the FIDO Alliance published a whitepaper on the new concept called “multi-device FIDO credentials”, or “passkeys” for short. Hence, passkeys are not exclusively associated with Apple or any other member of the alliance. However, Apple quickly adopted the passkeys branding and strongly promoted the launch of “Passkeys in iCloud Keychain” at its yearly Worldwide Developers Conference (WWDC) in June 2022. We want to give you a short preview of the look and feel of passkeys on Apple devices.
A quick recap of biometric authentication with Apple
We already covered the general concept of passwordless, biometric authentication in previous articles. In a login ceremony – from the user’s perspective, that simply means using Touch ID or Face ID – a private key is used to generate a digital signature. This signature then proves to a server that it was created with this unique private key, without ever risking giving away the key itself.
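The signature check described above, shown as an added Node.js example that is not from the original article, Apple or Corbado. A software P-256 key stands in for the Touch ID / Face ID authenticator; `example.com`, the function names and the sample flag byte are assumptions, while the flag bits follow the WebAuthn authenticator data layout, whose backup bits tell a server that a credential is a synced passkey.

```javascript
const crypto = require("crypto");

const RP_ID = "example.com";            // assumed relying party ID
const ORIGIN = "https://example.com";   // assumed expected origin
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Stand-in for the authenticator: the private key never leaves this function.
function authenticatorSign(privateKey, challenge, origin, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData = SHA-256(rpId) || flags (1 byte) || signCount (4 bytes)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Server side: only the public key stored at registration is needed.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const fail = (reason) => ({ ok: false, reason });
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return fail("type");
  if (client.challenge !== expectedChallenge.toString("base64url")) return fail("challenge");
  if (client.origin !== ORIGIN) return fail("origin");
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return fail("rpIdHash");
  const flags = a.authData[32];
  if (!(flags & 0x01) || !(flags & 0x04)) return fail("user presence/verification");
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, publicKey, a.signature)) return fail("signature");
  // BE (0x08) and BS (0x10) mark a multi-device credential, i.e. a synced passkey.
  return { ok: true, backupEligible: !!(flags & 0x08), backedUp: !!(flags & 0x10) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);          // fresh per login attempt
  const FLAGS = 0x01 | 0x04 | 0x08 | 0x10;           // constructed: UP, UV, BE, BS
  const good = authenticatorSign(privateKey, challenge, ORIGIN, FLAGS);
  const wrongSite = authenticatorSign(privateKey, challenge, "https://other.example", FLAGS);
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData[36] ^= 1;                        // alter the signed counter bytes
  return {
    good: verifyAssertion(publicKey, challenge, good),
    stale: verifyAssertion(publicKey, crypto.randomBytes(32), good),
    wrongSite: verifyAssertion(publicKey, challenge, wrongSite),
    tampered: verifyAssertion(publicKey, challenge, tampered),
  };
}

console.log(demo());
```

The server accepts only the assertion bound to its own challenge and origin; the `backupEligible` and `backedUp` values are what a relying party would log to track how many logins come from synced passkeys.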
This procedure can already be experienced today using the WebAuthn standard, which is supported by most browsers and devices (demonstrated below with the Safari browser and a MacBook’s Touch ID sensor).
What’s the magic with passkeys on Apple devices?
One concern that we often hear when talking about WebAuthn is: “What happens if I lose my device or don’t have it with me?” That’s where passkeys come into play. Your device(s) will take care of passkey synchronization and backups. Once the technology is rolled out later this year, you will be able to use your passkeys on all devices that are linked to the same iCloud account. It works pretty much like the iCloud Keychain today, just without the passwords.
If you lose your device, you just take a different Apple device linked to your account or restore the backup, and you're back in. Your passkeys will already be there and allow you to sign into your services with Touch ID or Face ID straight away. If you sign up on a website on device A and want to access the same website later on device B, passkeys are already available.
To achieve this high level of usability, you need to enable iCloud Keychain synchronization, which does not come at the expense of security. Since Apple uses end-to-end encryption for iCloud Keychain, it’s a safe place to store the passkeys. Furthermore, to use passkeys, users must also set up two-factor authentication. When signing in for the first time on a new device, two pieces of information are required—the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number.
Another security feature from Apple is iCloud Keychain escrow, which allows you to recover passkeys even if all devices are lost at the same time.
Then, the passkey will be created after authenticating with Face ID or Touch ID. The next time you want to sign in to the website or app, your device will recognize that you previously saved a passkey and ask if you want to sign in using that passkey. Tap ‘Continue’ and authenticate using your biometrics.
The cool thing with passkeys is that you can directly sign in on any other device (that supports passkeys) linked to your iCloud account as the passkeys are synced on your iCloud Keychain.
If you can’t authenticate on the current device, you’ll be able to select that you want to sign in using another device.
Once you select that option, a QR code will appear which you can scan on the other device and then authenticate yourself.
Can I share my passkeys with other Apple devices not linked to my iCloud account?
Imagine you want to give a friend access to your shared Netflix account. As that account is probably not linked to your iCloud account, you must somehow transfer the passkey to the other device. In that case, Apple lets you share passkeys via AirDrop. Your friend can simply receive the passkey via AirDrop and import it into their keychain.
What if I also use non-Apple devices?
According to Apple, this won’t pose a problem. If you want to sign in from a device that is not linked to your iCloud account, you can simply generate a QR code on your non-Apple device (for instance with Google Chrome on your Windows laptop or with your Android smartphone) and scan it with your iPhone or iPad. Then, you authenticate on your iPhone or iPad with Touch ID or Face ID to sign in – that’s it. As an additional layer of security, the non-Apple device and the Apple device should be within physical proximity of each other, since the process uses Bluetooth. You can’t send photos of QR codes and scan them on your Apple device from far away.
Alternatively, if your non-Apple device supports WebAuthn and has biometric sensors, separate passkeys can be registered for that platform, e.g. for a Windows laptop with a fingerprint sensor using Windows Hello. However, this requires a cross-platform API, such as the one provided by Corbado.
How to get started with Apple passkeys?
Apple announced it'll bring passkeys to iOS 16 and macOS Ventura with its major software updates on September 19. With automatic updates, iOS 16 will be distributed to 85% of all Apple users by the end of the year. Leading digital companies, like Airbnb or Booking.com, will offer passkey login soon.
Corbado provides APIs that cover all cross-platform and cross-device aspects to let you offer passkey login for all your users and transition them smoothly to passkeys. You don’t need to worry about security updates or supported platforms and devices. We have you covered. We will help you in your gradual migration from passwords to passkeys.
To stay updated about the new devices, browsers and operating systems that provide full support for passkeys, subscribe to our passkeys newsletter.