I bet there’s nothing you like more than dealing with passwords. Coming up with strong passwords, remembering them, saving them to password managers, entering verification codes. Is there anything more fun?
Well, sorry as I am to rain on your parade, the writing is on the wall for the good old password, and the first step to its demise is being rolled out in macOS Monterey and iOS 15—though it will probably take at least a couple of years before it comes to fruition.
Passkeys to the kingdom
The reason for that is a new standard called WebAuthn. I know, I know: another standard. But WebAuthn is a spec from the World Wide Web Consortium (W3C), the organization that basically makes the rules for the web; the spec is also part of the FIDO2 framework backed by the eponymous alliance that includes Microsoft, Google, Amazon, MasterCard, Visa, AmEx, and yes, Apple. Both FIDO and WebAuthn have as their goal the elimination of the password, replaced instead with a framework that relies on public key infrastructure (PKI), the same technology behind nearly all modern encryption.
Apple’s native implementation of this system is called Passkeys in iCloud Keychain, and a technology preview is included in both iOS 15 and macOS Monterey. Disabled by default, it’s intended for testing, not production, but it’s clearly a case of Apple skating to where the puck is heading.
Using Passkeys in iCloud Keychain is pretty simple: when you create an account in an app or on a website, you’ll make your username, and the system will pop up a sheet that asks you to confirm you’re creating an account. Hit Continue, it’s confirmed with Face ID, Touch ID, or your passcode, and that’s it. The passkey for the service is stored in your keychain—strong, unique, and with no need for you to remember it.
Later, when you open an app or visit a site and have to log in to your account, you’ll tap a sign-in button, and the system will ask if you want to log in with your passkey (or another compatible security method—more on which in a bit). Tap Continue, authenticate with your biometrics or passcode, and done.
At first blush, this might seem pretty similar to the way that iCloud Keychain already works, generating strong passwords and remembering them so you don’t have to. But there’s one key advantage: because the system is built on asymmetric (public-key) cryptography, apps and services don’t have to store a copy of your password. Instead, they get a copy of your public key—and because that information really is designed to be public, it doesn’t need to be secured. That’s great for users because it means that they don’t have to worry about their secret information being stolen, and it’s great for companies because a database of public keys isn’t worth breaking into to steal people’s passwords. It’d be like trying to steal the text of the King James Bible.
It’s hard to overstate just how significant this change is. While we’re still a few years away from this transition, the fact that Apple has implemented it in its new operating systems is important. Given the company’s huge installed base, it exerts major influence on the tech industry and the adoption of new technology.
There are still some implementation questions to address: for example, I’m not sure how this works in cases where, say, you want to log in to your account on someone else’s device or in a scenario where you have no devices at all with you. Currently, it’s possible to fall back to other authentication methods, including passwords, but it does eliminate one of the major advantages of Passkeys.
That said, not adopting a system with such potentially momentous security improvements across the spectrum because of edge cases would be a case of shooting yourself in the foot to spite your face.
A better password today
So, if it’s going to be a while before passwords meet their bitter end, what are we supposed to do in the meantime?
Well, we’re not being hung out to dry. Apple’s made some quality-of-life improvements to the existing password infrastructure. Best of all, iCloud Keychain now includes a generator for Time-based One-Time Passwords (TOTP), those verification codes that you may have previously generated with an app like Google Authenticator or Authy.
And, like one-time passwords sent to you by SMS, macOS and iOS can now automatically fill in those verification codes for you when you log into an account, eliminating the dance of opening a separate app or retrieving a separate device.
Setting up TOTP is easier too: when you create a new account or upgrade an account that offers these codes as a security option, developers can now simply allow users to click a link or tap a button to configure it. Previously, that workflow often required scanning a QR code with a separate device.
Even cooler, if developers set up their system correctly, Safari can automatically detect QR codes and offer to set up the code generation option for users. Mind officially blown.
All of this is intended to encourage developers to move away from sending verification codes via SMS, a practice that is much less secure than on-device code generators, which do all their work locally on your device and so don’t send a code over a network where it could be intercepted.
The future soon
There are some other password improvements in macOS Monterey and iOS 15 as well. For example, Apple’s systems have expanded their support for hardware security keys, offering an API that all macOS and iOS apps can use.
Between this and the verification code framework, Apple users are poised to see even better and easier-to-use security in the immediate future. And with Passkeys in iCloud Keychain, the future for secure and easy authentication has never looked more promising. If this is the death knell for the password, I’m the one enthusiastically ringing the bell.