Apple says its new logon tech is as easy as passwords but far more secure

With passkeys in iCloud Keychain, the iPhone maker joins Microsoft and Google in advocating for passwordless authentication.

Stephen Shankland principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science Credentials
  • I've been covering the technology industry for 24 years and was a science writer for five years before that. I've got deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and other dee
Stephen Shankland
4 min read
Apple Passkey in iCloud Keychain demo

Apple's passkey in iCloud Keychain demo lets you set up accounts with just an iPhone and Face ID (left and center). When you log in to the app or website later, the system confirms your username and the app's name and verifies your identity with Face ID (right).

Apple; screenshots by Stephen Shankland/CNET

Apple has begun testing passkeys, a new authentication technology it says are as easy to use as passwords but vastly more secure. Part of iCloud Keychains, a test version of the technology will come with iPhones, iPads and Macs later this year.

To set up an account on a website or app using a passkey, you first choose a username for the new account, then use FaceID or Touch ID to confirm that it's really you who's using the device. You don't ever pick a password. Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.

To use the passkey for authentication later, you'll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers must update their login procedures to support passkeys, but it's an adaptation of the existing WebAuthn technology.

"Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company's annual WWDC developer conference.

Passkeys are the latest example of growing interest in passwordless logon technology that's designed to be more secure than the list of passwords you've taped to the side of your monitor. Conventional passwords are plagued with security shortcomings, chiefly our inability to create and remember unique ones. That's why Apple, along with Microsoft, Google and other companies, are working to come up with alternatives.

Moving beyond passwords is a monumental endeavor given how ubiquitous they are and how hard it is to get businesses and consumers to embrace changes. It's crucial, however, in an era in which our accounts are at risk from cyberattacks and phishing scams.

"The single most common security vulnerability today is still bad passwords," Jen Fitzpatrick, senior vice president of core systems at Google, said at the Google I/O developer conference in May. "Ultimately, we're on a mission to create a password-free future."

More than 200 million account holders have enabled passwordless login for Microsoft services. By comparison, the security site Have I Been Pwned has tallied more than 613 million stolen passwords. The site's operator, Troy Hunt, is an advisor to Microsoft and in May started adding passwords the FBI discovered to have been compromised.

The tech behind Apple's passkeys is built on the WebAuthn technology that emerged from the FIDO (Fast Identity Online) Alliance, a consortium that's been overhauling authentication with hardware security keys. Apple's approach embraces a fundamental part of WebAuthn, the combination of public and private encryption keys that's already built deeply into communication security and many other established processes.

The technology works only with Apple devices, but Apple recognizes that the success of passkeys requires availability on Windows computers and Android smartphones, too. To that end, Apple is talking to industry partners at FIDO and the World Wide Web Consortium (W3C) about the technology.

Apple's move is welcome, said Mark Risher, Google's director of product management for identity. "We believe that FIDO keys stored on the mobile device will play a fundamental role in replacing passwords," which is why Google decided to automatically enroll users in its two-step verification system, he said. Google built WebAuthn support into Chrome in 2018 and into Android in 2019.

Blocking phishing attacks
Phishing is one problem that FIDO, WebAuthn and Apple's passkeys are designed to fix. The login technology is paired with a specific app or website so it doesn't work if someone tries to fool you into signing onto a counterfeit.

Passkey in iCloud Keychain comparison chart

Apple argues its passkey in iCloud Keychain technology has advantages over other authentication options.

Apple; Screenshot by Stephen Shankland/CNET

Such approaches mean that the servers handling logon no longer need to be filled with treasure troves of secret logon information that tempts hackers. "Servers are less valuable targets because there are no authentication secrets for an attacker to steal," Apple's Davidson said.

Hardware security keys also block phishing but come with a host of drawbacks, for example the need to carry them at all times and difficulty recovering account logon privileges if the fob is lost. 

Passkeys get around both problems, Apple says. Everyone already carries their phone, face and fingers. Accounts can be recovered through Apple's iCloud Keychain If a user's devices are lost, damaged or stolen. It's not yet clear how that aspect of passkeys would work beyond Apple devices. (Apple encrypts iCloud Keychain data, and reconstructing it without a device can require a previously used password.)

Apple doesn't see passkeys as two-factor authentication, a strong login protection approach that commonly pairs passwords with other authentication steps like a biometric scan. But the company believes passkeys are strong enough to reduce the need for two-factor authentication.

Apple is making a preview version of passkeys available in developer builds of future iOS, iPadOS and MacOS. It's disabled by default while Apple and outside developers test out the technology.