Apple Says Its New Logon Tech is as Easy as Passwords But Far More Secure (cnet.com)
Apple has begun testing passkeys, a new authentication technology it says is as easy to use as passwords but vastly more secure. Part of iCloud Keychain, a test version of the technology will come with iPhones, iPads and Macs later this year. From a report: To set up an account on a website or app using a passkey, you first choose a username for the new account, then use Face ID or Touch ID to confirm that it's really you who's using the device. You never pick a password. Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.
To use the passkey for authentication later, you'll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers must update their login procedures to support passkeys, but it's an adaptation of the existing WebAuthn technology. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company's annual WWDC developer conference.
Whoops... (Score:5, Insightful)
Left out "and now with more proprietary lock-in!"
Re:Whoops... (Score:5, Informative)
Left out "and now with more proprietary lock-in!"
It's based on WebAuthn [wikipedia.org], which is an open standard published by the W3C, so, no.
Apple may be the first one to implement it on the client side, but they won't be the last. This push is being driven by a list of companies that includes Google, Microsoft, Amazon, Facebook, Samsung, Visa, MasterCard, PayPal, Yubico, Qualcomm, Broadcom, Intel, and a whole lot more. Apple is saying this is the groundwork for a multi-year, industry-wide effort, so expect to hear a lot more about this over the next few years.
Re: (Score:2)
Apple may be the first one to implement it on the client side, but they won't be the last.
They're not even the first to implement it on the client side. Microsoft already made a big brouhaha back in 2018 when they added WebAuthn support (tied to Windows Hello for biometric logins) on the discontinued original Microsoft Edge.
https://blogs.windows.com/msed... [windows.com]
Chromium already supported it when Microsoft switched over to Chromium for Edge so it didn't need a re-launch.
Firefox has had support since v60 back in 2018 as well.
This is just a case of once again Safari being the woefully out of date odd ma
Re: (Score:2)
They're not even the first to implement it on the client side. Microsoft [...]
They're the first to implement client-side support for passkeys via WebAuthn. Sorry for not being clearer about that distinction. As you said, WebAuthn client-side support has been around for quite a while. Even Safari supports WebAuthn, including with FaceID/TouchID. It's passkeys that are new here.
Again, apologies for the confusion.
Re: (Score:3)
And "passkeys" are defined here as backing up your WebAuthn private key to a cloud keychain and syncing it between clients' keychains. Which is novel...ish. *waves hand*
Microsoft Authenticator backs up TOTP keys in the same fashion to the Microsoft cloud for 2FA codes. And if you lose a device or activate a new device you login with your Microsoft account and can restore all of your 2FA rotating codes.
This is similarly syncing your private key to multiple devices, but doing it for WebAuthn instead of TOTP.
Re: Whoops... (Score:3)
Re: (Score:3)
The standard might be open but what happens if you decide to use a new vendor? If I am on an iphone12 using faceID [...]
You don't need to port your biometric data to your new phone because your biometric data isn't used to authenticate you to the remote site in the first place. Your biometric data (which could've just as easily been a password you typed in, but Apple supports biometrics, so everyone's focused on that) is used on-device to unlock access to the underlying data. That data can be ported to other devices.
If you lose your device and never backed it up anywhere that data would be gone, so the onus would be on you t
Re: (Score:2)
You log back into your services using another mechanism. Same way you would today if you needed to activate a new device.
This is like Microsoft's Authenticator. You can backup your 2FA code generator to the cloud. New device, move from iphone to Android you download Microsoft's Authenticator app and log into your Microsoft account. Your 2FA codes get automatically downloaded.
If you use a generic 2FA Code generator and you log into a new device, you have to go to each website, generate a new QR code and
Re: Whoops... (Score:2)
Re: (Score:2)
Something has to replace the password. So many times on an IT call I have waited for three hours while a poor doddering Civil War veteran tunnels through every piece of paper in the house looking for one. If he does find his hand-scrawled list, the password that's for Gmail or Apple ID or Amazon usually gets rejected ("Oh yes, that one stopped working so I had to change it. I think I added a star to the end of the old one..."). Those masked entry fields are a leading cause for known-good passwords "sud
Re: (Score:2)
It's based on WebAuthn [wikipedia.org], which is an open standard published by the W3C, so, no.
Whether something is based on an open standard doesn't preclude it from being locked in. It can use as many standards as it wants, if it is dependent on iCloud and if Apple provides no migration options then it fits the definition of proprietary lock in.
Re: (Score:2)
if Apple provides no migration options then it fits the definition of proprietary lock in.
Apple is adding export to CSV in Keychain Access, so
Re: (Score:2)
"Based on" is not "is." WebAuthn already exists, Apple claims this is "new."
I guess drinking the Kool-Aid makes you an idiot.
Re: Whoops... (Score:2)
Re: (Score:2)
Will your device work without a connection? And if it does, for how long?
Yes, and as long as you have power, I suppose.
The only part of Apple's implementation that relies on the Internet is their syncing of keys between your devices, but that's a convenience feature, not a requirement. There's nothing stopping this from working while offline, so far as I'm aware, so long as your device is able to communicate in some other way with the device to which you are authenticating (e.g. LAN).
This should replace usernames, not passwords (Score:2, Informative)
Biometrics, like a face or fingerprint, is not a replacement for the "what you know" part of authentication.
It's a good replacement for the "who you are" part - which corresponds better to a username.
It's easy enough to get someone's picture, and easy enough for oppressive governments to get someone's fingerprint.
Re:This should replace usernames, not passwords (Score:4, Insightful)
You aren't submitting a biometric key to a site to access your account. Rather, you're submitting a message signed using your private key, which Apple is only allowing you to access once they can validate your biometric signature. It's both "something you have"—a device with your private key—and "something you are"—your biometric signature.
So someone who lifted your fingerprint would not be able to access your bank account from any random computer. They would need one of your devices as well.
Re: (Score:2)
Putting the keys to your house under your doormat is not securing your home. Fingerprint readers are a demonstrably vulnerable biometric tool, and have been demonstrated as easily forged for decades. The infamous "gummy finger" attack, using gelatin coating on other people's fingers with patterns printed by a quite ordinary pattern from easily duplicated fingerprints, was published in https://www.cryptome.org/gummy... [cryptome.org]. Mythbusters also did an episode where they showed how easy even suspicious teammates could
Re: (Score:3)
Well, if it's implemented the same way Apple has done everything else with Face/Touch ID, the use of biometrics will be purely optional and will fall back to passwords in the case of any sort of failure. There's nothing about passkeys that's inherently tied to the use of biometrics. They could've just as easily been locked behind a password. And I mentioned it in some other posts, but Apple is adding exporting to CSV to Keychain Access, so people will be able to take their passkeys to other vendors' products
Re: (Score:3)
Right, but that's a pretty big security risk in that you could be forced to touch your device to log into a service, whereas a password that's stored in your head can't be forced. I can see this as being far more convenient but that's about it. And as far as lock-in goes, I don't see how this would work outside of devices with touchscreens or some form of biometric input. For most computers you'd still have to type in a password.
So there are a few mitigations for that, at least on iOS devices (pretty sure Android can be setup in a similar way).
1) You can just turn the biometrics portion off, and require your password/PIN (your choice there too) to unlock the phone.
2) You can disable biometric unlock by holding the power and volume up button for about 2 seconds (or press power 5 times on older touch ID phones I think). The phone even provides haptic feedback so you can do it in your pocket or out of view. The phone then requires
Re: This should replace usernames, not passwords (Score:2)
[...] a password that's stored in your head can't be forced.
ORLY?
Obligatory xkcd:
https://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
I don't use any biometrics on my Apple or other products.
I prefer passcodes/passphrases....something no one can force me to do (look at a phone, touch my finger to something)....
I won't keep any ID on it either, like a drivers license.
I'm not about to open my phone to any authorities, not even for a "routine" traffic stop.
Especially not for that.
Hell, I taped over the back of the bar codes, etc. on my driver license as every fscking store around tries scanning my card for purchases requiring a
Re: (Score:2)
You seriously need to move out of Chicago.
Re: (Score:3)
Re: (Score:2)
First off, you do know this about logging into websites and not just using a device locally, yes?
Second, a site shouldn't have your passwords. I agree it would be horrible if they were just in plaintext. Even if they were the most secure hashed thing imaginable... you'd still have to have an internet connection to match what you typed with their hash.
Third, unless you're expecting 100% functionality with some Offline PWA, of course a website won't fully w
Re: (Score:2)
Apple keeping and storing all (Score:2)
Re: (Score:3)
Re: (Score:3)
My Firefox passwords are stored entirely locally, not synced to any cloud. So no, not like every single password manager out there.
Re: (Score:2)
You can even deploy Bitwarden in the cloud, but fully own the instance. So another example of a password manager that isn't owned by someone else.
https://bitwarden.com/help/hos... [bitwarden.com]
Re: (Score:2)
Re: (Score:2)
Re: Apple keeping and storing all (Score:2)
Re: (Score:2)
It didn't get as much press, but another feature Apple is adding with this round of updates is the ability to export your keychain's contents to CSV for import to other password managers. So, that at least addresses the lock-in issue, though it does nothing to solve the problem of being unavailable on other platforms, which is exactly why I'd never consider using it.
Re: (Score:2)
There are many apps that are cross platform. Codebook, 1Password, BitWarden, and enPass are just a few. What I look for are apps that allow you to back up your passwords and 2FA codes in plaintext, so if I wanted to move to another platform, I could.
I respect Apple's work in this, but I rather not be stuck in one ecosystem, so prefer tools that work anywhere.
Re: (Score:2)
To be fair, iCloud Keychain came out a few years ago and hasn't had any breaches that I've heard make the news. All they're doing here is adding passkey support to the existing service.
In all likelihood, passkeys will be added to all of the other major password managers in the next few years, given that it looks to be an open standard with industry-wide support behind it. If you don't trust Apple, cloud services, or Apple's particular implementation, wait until your preferred password manager implements it
Re: (Score:2)
To be fair, iCloud Keychain came out a few years ago and hasn't had any breaches that I've heard make the news.
To be fair, breaches you haven't heard of (undisclosed or unknown) are probably worse ...
Not just Apple (Score:5, Informative)
To be clear, this is not "Apple's" tech. Apple is just the first client-side developer to release passkeys based on the open WebAuthn standard developed by FIDO, a consortium that includes all the major tech and financial industry players (e.g. Apple, Google, Microsoft, Amazon, Facebook, Visa, MasterCard, American Express, etc.).
In terms of benefits, the most obvious one that is sites will no longer have anything private related to you that would be of use to hackers in breaching other sites. They'll basically just have your public key, which is, by definition, public. No more shared passwords between sites.
In terms of drawbacks, I'm guessing they have a solution, but I have yet to hear how they address the problem of logging in from a friend's device, given that you can't just provide a password like before. So far as I can tell, you need your device to generate a message on the fly. There are lots of ways this could be addressed, but I don't know what their plan is.
Re: (Score:3)
Not just "friend's device"... any other device. Good way to keep the poor people using public library computers out.
Re: Not just Apple (Score:2)
how they address the problem of logging in from a friend's device
Haha. You don't think your biometric data is unique enough to track across devices?
I've assumed this was Apple's plan from the start. This gives them a great reason to "update" their biometric tracking methodology --you know, for security's sake.
Re: (Score:2)
Biometric data doesn't get synced between Apple devices, so I'm not sure what you think you're getting at. It's stored in the Secure Enclave, just like any private keys that are generated on-device. Sure, it could be used in that way, and may be by some of these companies, but Apple hasn't demonstrated any interest in doing that sort of thing, not even under the banner of convenience. It's actually part of the hassle of setting up a new Apple device: you need to re-register all of the fingers you want to us
Re: (Score:2)
Even if you want to be all "hurr they just tell you it doesn't", then are you saying that every iPhone out there has the biometric data of every iPhone user stored locally?
Re: (Score:2)
To be clear, this is not "Apple's" tech. Apple is just the first client-side developer to release passkeys based on the open WebAuthn standard developed by FIDO, a consortium that includes all the major tech and financial industry players (e.g. Apple, Google, Microsoft, Amazon, Facebook, Visa, MasterCard, American Express, etc.).
In terms of benefits, the most obvious one that is sites will no longer have anything private related to you that would be of use to hackers in breaching other sites.
In other words they have poorly reinvented client certificates -- a two-decade-old technology.
Re: (Score:2)
Yes I guess if you don't bother to look up how it works you may think that.
Re: (Score:2)
Or if you have carefully read the spec you'll think that.
Because that's essentially what it is - the same PKI, just done over http rather than TCP as in the case of TLS.
So now you'll first establish a TLS connection which authenticates only the server, then do the same thing again over HTTP to authenticate the client.
Re: (Score:2)
If you had carefully read the spec you'd see the differences. It looks more like you glossed over the spec and wrote it off as something we did 20 years ago. Try again kiddo.
re: drawbacks (Score:2)
I guess I'm not even sure why people here are calling it such a "drawback" that this technology isn't a good fit for scenarios like you logging into a public device or borrowing someone else's?
Are you just as bothered by the fact that your house key doesn't unlock your friend's house, even though they invited you over?
Re: (Score:2)
In terms of drawbacks, I'm guessing they have a solution, but I have yet to hear how they address the problem of logging in from a friend's device, given that you can't just provide a password like before.
This is effectively a solved problem. You use a One-Time Password from a device that you control that is authenticated, or the authentication service directly queries the device and the user approves the request. Microsoft does this with their AzureAD FIDO service. When I log into a new device like a friend's laptop I can say "Use Microsoft Authenticator." The laptop displays a 2-digit code. Microsoft's service pings my Authenticator app which provides me 3 options and tells me to match the code on
Good passwords are rare (Score:3)
Vendor lock-in? (Score:2)
How is supporting an open public-key standard vendor lock in?
I'm just curious, can you please explain your thoughts?
Re: (Score:2)
Does Apple allow you to use it without iCloud or allow you to export the keys to other cloud platform usable by an Android based client?
Just because something uses an open standard doesn't mean it's not in support of vendor lock in.
Unless I'm mistaken.. (Score:2)
Wouldn't this be the same as the current automatic password generation system? If you create a new account Safari detects this and proposes a secure password. Once done, biometric authentication simply unlocks the keychain for authentication with the site. Am I missing something?
It is public-key authentication (Score:2)
Unlike passwords, which usually are transmitted to the service to authenticate against, WebAuthn is (open standard) public-key authentication, and it is not proprietary.
I suppose that information was hard to find or understand.
Re: (Score:2)
Re: (Score:2)
To the user, yes, it will work very similarly to an automatically generated random password that's automatically filled in. From a security perspective, however, it's very different. Basically, the server stores your public key, rather than anything private like a password. As such, if/when the server is compromised there won't be any passwords there that might be useful elsewhere.
Re: (Score:2)
If this just an Apple variant on the same tech that I read about previously, the public key (and the private key that underlies it) are uniquely generated for every site based on a secret root private key.
Re: (Score:2)
Not biometric derived. Encrypted and stored using the secure enclave unlock as a second layer of encryption. This is already well established with how other things are encrypted/decrypted on iOS.
New? Not to the end-user. (Score:2)
Will users still be able to use a password ? (Score:2)
It is not at all clear. There are some uses for which a password is preferable, eg a shared device.
Re: (Score:2)
One stop banning from the (Score:2)
Password Manager (Score:2)
So this is essentially the same as an integrated password manager that randomly selects highly secure passwords that you never see. It's networked so that you can use it from all your devices. In fact, I expect internally there is a password for each site that is some random 64-bit number.
Re:Password Manager (Score:4, Informative)
Somewhat more advanced than that. There is an elliptic-curve public key and private key generated, then the private key is AES-encrypted on your box by Apple's system. The server you're registering with gets both. To log in, you get all that info, decrypt the private key (hopefully only you can), sign a challenge, and the server you're logging into can verify the signature against the public key. Same principle as a FIDO key.
Advantages: No replay attacks should be possible. And your keypair on site A has nothing to do with your keypair on site B.
Lockin Much? (Score:2)
What makes me think that you will be stuck with all your credentials in an Apple-controlled, device-linked keychain, so moving to a new non-Apple device will be maximally painful?
I was peripherally involved in developing the FIDO standards, consulting on the cryptography and standards compliance side. I don't remember enabling vendor lock in to be a goal.
I want my magic credential store to be on every device and in some cloudy drive somewhere so I can get at my login information from all my devices, synced, witho
What vendor lock-in (Score:2)
So you save your KeePass DB as a file on a Google backup and sync it to the filesystem of the devices you are using it on. Then this file is decrypted and used in userspace by an application to authenticate you to external services.
Thank you, I'll stick to Apple's implementation I guess.
Re: (Score:2)
I use Apples, PCs, Android phones and linux daily. I've owned and may own in the future iPhones.
If I used Apple's implementation it would not work on the majority of devices I use.
Fine print: (Score:2)
Apple reserves the right to exempt big boys from the arrangement and stick it to smaller companies without the muscle to stand up to Apple.
Re: (Score:2)
The problem with biometrics.... (Score:5, Insightful)
Passwords might get hacked more easily than biometrics, but at least you can go about changing your passwords to mitigate future damage.
Passwords get hacked as often as they do because people are bad at securing them. Not because passwords themselves are inherently less secure than other methods. This situation can be mitigated by education, not by catering to the lowest common denominator.
Re: (Score:2)
Note that the biometrics *only* authenticate you to the device in your hand. The device then uses its private key material on your behalf to the network.
So having my fingerprint by itself will do jack unless you also have one of my devices that I enrolled. I do not know how iPhone device onboarding works, but as far as I've read, no one supports coming in cold to do biometric authentication to a new device, but must authorize the device prior to then setting up biometric access to your device.
So I would b
Re: (Score:2)
No, you wouldn't have to change your fingerprint just because you lost your phone. It could present a more serious problem, however, if your fingerprint was the only thing being used to access your banking information, for example.
Also, until you go and revoke that access, your hacked phone could still be freely used by the hacker to access any parts of your life that had otherwise been locked behind the biometric authentication - offering the exact same gaping security hole as using the same password f
Re: (Score:2)
In the theoretical situation where a hacker manages to steal your device and has captured your fingerprints as well, you likely have bigger concerns to deal with, such as why a nation state is after you. But yes, in that scenario they'd have "something you are" and "something you have" and would be able to use that to access a lot of stuff.
That said, they'd have to move fast, because iPhones require that passcodes be re-entered once a week as a security mechanism (6.5 days, technically), as well as after fi
Re: (Score:2)
Re: (Score:2)
You got hung up on the biometric angle, but biometrics are purely incidental in all of this. Passkeys are the new technology here, and yes, they are inherently more secure than passwords.
For instance, reuse of passkeys between sites is not a thing, so a breach at one cannot compromise you elsewhere. Sure, everyone could be using unique passwords at each site, but we know that'll never happen as long as we allow people to use passwords. This fixes that. Likewise, every server could be doing cryptographic has
Re: (Score:2)
My argument is to just cut out the middle-man
Re: (Score:2)
You can disable biometrics on an iOS device and still use the secure enclave to encrypt things. For example, you can set and use only the PIN.
This is no less secure than using biometrics to unlock the already existing iCloud Keychain. In fact, it's a bit more secure since there is never a point where a "password" is sent across the Internet connection, encrypted or otherwise.
tl;dr The biometric aspect is a separate concern and doesn't have much bearing on how secure this authentication method is vs passwo
Re: (Score:2)
Passwords get hacked as often as they do because people are bad at securing them.
Passwords are horrible because more often than not it's the very people you're trusting with your security that don't secure your passwords. Sure, use a different password per site, but that leads to headaches and shortcuts and ultimately to people not securing their own passwords.
Biometrics used in this implementation aside the idea of a unique key per site for authentication is a huge step in the right direction. No longer do you need to trust that someone isn't storing your password in plain text, or has
I'm just about ready to convert... (Score:5, Funny)
I just want clearer guidance on how to change my face and fingerprints when they get compromised.
Re: (Score:2)
"how to change my face and fingerprints"
I can't speak for you, but I have ten (10) fingerprints available which should be enough. If not, I just checked and it looks like toeprints might work too. Now those two-faced people may have an advantage in that area.
Re: (Score:2)
I just want clearer guidance on how to change my face and fingerprints when they get compromised.
I can't speak for you, but I have ten (10) fingerprints available which should be enough.
Perhaps he/she makes a LOT of mistakes working for the Yakuza [wikipedia.org] and is worried about Yubitsume [wikipedia.org] ...
[Hey, It's just as likely as everyone buying into password-less logon...]
Re: (Score:2)
Fingerprints are great unless it's cold, really hot, you recently washed your hands or are over forty.
Threat modelling is a thing (Score:2)
How is this insightful - it's just some slashdotter parroting a catchy phrase from some security talk they didn't understand.
A copy of my fingerprint will give you 3 tries to log into my iOS device that you stole.
After that (or the next day or if I hard-locked the device) you'll need my alphanumeric passphrase.
It's much easier to watch/film me entering my passphrase or to beat me with a rubber hose until I give it to you than to get my fingerprint right (for the device!) on the first
Re: (Score:2)
Ask Nicolas Cage https://en.wikipedia.org/wiki/... [wikipedia.org] Also, can we talk about that hyperlink... I would have thought that Wikipedia would sanitise a / in an article title.
Re: (Score:3)
I just want clearer guidance on how to change my face and fingerprints when they get compromised.
You completely misunderstand the security model of biometrics. They are not passwords. They are not secrets. Your biometric data must be considered public, since you show your face and leave your fingerprints everywhere. The security of biometric authentication arises not from the secrecy of the data, but from the manner of presentation and validation. Since the data is not secret there is neither any need to rotate it, nor any value in rotating it.
Like (Score:5, Insightful)
Remember there are court fights if you have to give up your password for a warrant. There are no fights over biometric IDs because that is physical, and with a warrant they will just grab you by the back of the head and shove your face in the camera.
Is biometric data really more secure? (Score:2)
Re: (Score:2)
The factor is *really* the device. You are authenticating by biometric to the local device, *not* to the network service in any way.
You can set up whatever factor(s) you want to your local device in the more generic sense. However face and fingerprint are popular and steers people to 'something you have' factors, which are better in general than 'something you know'.
Not New, Not liked (Score:2)
Yeah, it's been years since phones that could log on by a finger print or face were introduced.
Some people like it. Many do not. Too easy to fool. They always (as in this case) require text to be typed in, it is not more secure.
Now, if you call this a replacement for USERNAMES, that would make more sense.
I have misgivings about this (Score:2)
With a passphrase, if your keyboard breaks - you just plug in another keyboard. But with this, if your camera array (FaceID) or TouchID sensor won't work, you're screwed.
...unless you have a backup method for authentication, in which case the purported security advantages of these methods become meaningless.
Re: (Score:2)
Your backup is iCloud keychain. If you lose all your Apple-Devices you better remember your iCloud-Password AND your Security-Code if you want to restore it to a new device.
Now complain that iCloud keychain is too safe.
Your fingerprint is just a temporary (3 failed tries, or some hours of inactivity, or emergency locking) supplement for your device passphrase. You can perfectly well skip the biometric features of iOS and enter your passphrase each time you want to unlock.
Re: (Score:2)
Now complain that iCloud keychain is too safe.
No, I'd rather point out that I've seen iCloud Keychain get corrupted on more than one occasion, for a few different individuals. And since (unlike with most other password managers) you aren't allowed to export a copy of it, you're SOL if that happens.
Goodie (Score:2)
When your phone is stolen or lost or damaged, you can't do anything because it has all your information.
Something, something, eggs in one basket.
Re: (Score:2)
While true, at that point you can't switch to Android yet. You have to first buy a new Apple device to regain access to your accounts.
And then ... (Score:3)
Something happens to your iPhone (lost, stolen, broken, wet) and you can't log into anything until you get a new one? No thanks. I realize this is like a password manager, but at least I can have a copy somewhere else. So, at the moment at least, this is another way to tie you to your iPhone and/or other Apple devices. From TFA:
The technology works only with Apple devices, but Apple recognizes that the success of passkeys requires availability on Windows computers and Android smartphones, too. To that end, Apple is talking to industry partners at FIDO and the World Wide Web Consortium (W3C) about the technology.
Accounts can be recovered through Apple's iCloud Keychain If a user's devices are lost, damaged or stolen. It's not yet clear how that aspect of passkeys would work beyond Apple devices. (Apple encrypts iCloud Keychain data, and reconstructing it without a device can require a previously used password.)
Apple says this also gets around problems using hardware security keys, but it's just swapping one device for another:
Hardware security keys also block phishing but come with a host of drawbacks, for example the need to carry them at all times and difficulty recovering account logon privileges if the fob is lost.
Passkeys get around both problems, Apple says. Everyone already carries their phone, face and fingers.
Noting that I don't always have my phone (or at least not handy) and don't want to be tied to it simply to log in to something -- or, if Apple (et al.) have their way, everything ...
What about NO? Does NO work for you? (Score:3)
What if I don't want to use a FaceID or Touch ID?
Fortunately I don't own any Apple devices, but if I did, I'd hate this unless there's a mode that uses a plain ol' password.
Re: (Score:2)
Then you would use your PIN, which in newer iOS versions could be a long alphanumeric password.
Conveniently ties your account to biometrics (Score:2)
Biometric DBs and TouchId (Score:2)
Just curious. If your fingerprints are already in a system (border entry, criminal, corporate, whatever) could it be used against the touchid button on my mac? The only fingerprints I know of are on border patrol of a country I trust, but while this sounds really useful I would be leery of having no plaintext copy of the passwords.
Re: (Score:3)
They cannot compel you to give your password (Second Amendment) ...
Pretty sure you mean "Fifth" -- relying on the Second to protect your password is probably going to cause you some trouble.
Re: (Score:2)
Yep... It was early and coffee hadn't kicked in yet. Whichever the amendment for not self-testifying (incrimination) and unreasonable search and seizure (4th).