
Apple Says Its New Logon Tech is as Easy as Passwords But Far More Secure (cnet.com)

Apple has begun testing passkeys, a new authentication technology it says is as easy to use as passwords but vastly more secure. Part of iCloud Keychain, a test version of the technology will come with iPhones, iPads and Macs later this year. From a report: To set up an account on a website or app using a passkey, you first choose a username for the new account, then use Face ID or Touch ID to confirm that it's really you who's using the device. You don't ever pick a password. Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.

To use the passkey for authentication later, you'll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers must update their login procedures to support passkeys, but it's an adaptation of the existing WebAuthn technology. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company's annual WWDC developer conference.

  • Whoops... (Score:5, Insightful)

    by msauve ( 701917 ) on Friday June 11, 2021 @01:19PM (#61477746)
    "it's simultaneously easier, faster and more secure "

    Left out "and now with more proprietary lock-in!"
    • Re:Whoops... (Score:5, Informative)

      by Anubis IV ( 1279820 ) on Friday June 11, 2021 @01:26PM (#61477776)

      Left out "and now with more proprietary lock-in!"

      It's based on WebAuthn [wikipedia.org], which is an open standard published by the W3C, so, no.

      Apple may be the first one to implement it on the client side, but they won't be the last. This push is being driven by a list of companies that includes Google, Microsoft, Amazon, Facebook, Samsung, Visa, MasterCard, PayPal, Yubico, Qualcomm, Broadcom, Intel, and a whole lot more. Apple is saying this is the groundwork for a multi-year, industry-wide effort, so expect to hear a lot more about this over the next few years.

      • Apple may be the first one to implement it on the client side, but they won't be the last.

        They're not even the first to implement it on the client side. Microsoft already made a big bruhaha back in 2018 when they added WebAuthn support (tied to Windows Hello for biometric logins) on the discontinued original Microsoft Edge.

        https://blogs.windows.com/msed... [windows.com]

        Chromium already supported it when Microsoft switched over to Chromium for Edge so it didn't need a re-launch.

        Firefox has had support since v60 back in 2018 as well.

        This is just a case of once again Safari being the woefully out of date odd ma

        • They're not even the first to implement it on the client side. Microsoft [...]

          They're the first to implement client-side support for passkeys via WebAuthn. Sorry for not being clearer about that distinction. As you said, WebAuthn client-side support has been around for quite a while. Even Safari supports WebAuthn, including with FaceID/TouchID. It's passkeys that are new here.

          Again, apologies for the confusion.

          • And "passkeys" are defined here as backing up your WebAuthn private key to a cloud keychain and sync'ing it between clients' keychains. Which is novel...ish. *waves hand*

            Microsoft Authenticator backs up TOTP keys in the same fashion to the Microsoft cloud for 2FA codes. And if you lose a device or activate a new device you login with your Microsoft account and can restore all of your 2FA rotating codes.

            This is similarly syncing your private key to multiple devices but doing it for WebAuthn instead of TOTP

      • The standard might be open but what happens if you decide to use a new vendor? If I am on an iphone12 using faceID and lose my phone, and say fuckit and switch to a samsung galaxy latest-rev, am I screwed getting into my stuff? What's the portability of my 'Identity'? I'm feeling like I'm losing my identity and now have to rent my own ID.
        • The standard might be open but what happens if you decide to use a new vendor? If I am on an iphone12 using faceID [...]

          You don't need to port your biometric data to your new phone because your biometric data isn't used to authenticate you to the remote site in the first place. Your biometric data (which could've just as easily been a password you typed in, but Apple supports biometrics, so everyone's focused on that) is used on-device to unlock access to the underlying data. That data can be ported to other devices.

          If you lose your device and never backed it up anywhere that data would be gone, so the onus would be on you t

        • You log back into your services using another mechanism. Same way you would today if you needed to activate a new device.

          This is like Microsoft's Authenticator. You can backup your 2FA code generator to the cloud. New device, move from iphone to Android you download Microsoft's Authenticator app and log into your Microsoft account. Your 2FA codes get automatically downloaded.

          If you use a generic 2FA Code generator and you log into a new device, you have to go to each website, generate a new QR code and

          • My long term concern is people finding themselves denied to things because they fail an id check wne they really are the people they claim to be. I know it sounds dystopian but we might just be on the cutting edge of the worst kind of identity theft of all time. The kind where you can get so locked out you can never get back your accounts: banking, stocks, mortgage, etc. At least with brick and mortar banks you can go in and prove yourself, until big tech convinces governments to make even your drivers lice
      • Something has to replace the password. So many times on an IT call I have waited for three hours while a poor doddering Civil War veteran tunnels through every piece of paper in the house looking for one. If he does find his hand-scrawled list, the password that's for Gmail or Apple ID or Amazon usually gets rejected ("Oh yes, that one stopped working so I had to change it. I think I added a star to the end of the old one..."). Those masked entry fields are a leading cause for known-good passwords "sud

      • It's based on WebAuthn [wikipedia.org], which is an open standard published by the W3C, so, no.

        Whether something is based on an open standard doesn't preclude it from being locked in. It can use as many standards as it wants, if it is dependent on iCloud and if Apple provides no migration options then it fits the definition of proprietary lock in.

        • if Apple provides no migration options then it fits the definition of proprietary lock in.

          Apple is adding export to CSV in Keychain Access, so

      • by msauve ( 701917 )
        "It's based on WebAuthn, which is an open standard published by the W3C, so, no."

        "Based on" is not "is." WebAuthn already exists, Apple claims this is "new."

        I guess drinking the Kool-Aid makes you an idiot.
      • Um...why does the server need your private key, even in encrypted form?
    • Doesn't sound more secure than 2FA either. They've just chosen to remove the *other* factor this time.
  • your credentials " Part of iCloud Keychains" in their cloud. What could go wrong.
    • Just like every single password manager out there.
      • by amorsen ( 7485 )

        My Firefox passwords are stored entirely locally, not synced to any cloud. So no, not like every single password manager out there.

      • One exception. Lastpass is cross platform. Is there a play store app to regain access to your icloud keychain? Or do you have to play apple long enough to divorce them from everything you gave them the keys to?
        • It didn't get as much press, but another feature Apple is adding with this round of updates is the ability to export your keychain's contents to CSV for import to other password managers. So, that at least addresses the lock-in issue, though it does nothing to solve the problem of being unavailable on other platforms, which is exactly why I'd never consider using it.

        • There are many apps that are cross platform. Codebook, 1Password, BitWarden, and enPass are just a few. What I look for are apps that allow you to back up your passwords and 2FA codes in plaintext, so if I wanted to move to another platform, I could.

          I respect Apple's work in this, but I'd rather not be stuck in one ecosystem, so I prefer tools that work anywhere.

    • To be fair, iCloud Keychain came out a few years ago and hasn't had any breaches that I've heard make the news. All they're doing here is adding passkey support to the existing service.

      In all likelihood, passkeys will be added to all of the other major password managers in the next few years, given that it looks to be an open standard with industry-wide support behind it. If you don't trust Apple, cloud services, or Apple's particular implementation, wait until your preferred password manager implements it

      • To be fair, iCloud Keychain came out a few years ago and hasn't had any breaches that I've heard make the news.

        To be fair, breaches you haven't heard of (undisclosed or unknown) are probably worse ...

  • Not just Apple (Score:5, Informative)

    by Anubis IV ( 1279820 ) on Friday June 11, 2021 @01:20PM (#61477752)

    To be clear, this is not "Apple's" tech. Apple is just the first client-side developer to release passkeys based on the open WebAuthn standard developed by FIDO, a consortium that includes all the major tech and financial industry players (e.g. Apple, Google, Microsoft, Amazon, Facebook, Visa, MasterCard, American Express, etc.).

    In terms of benefits, the most obvious one is that sites will no longer have anything private related to you that would be of use to hackers in breaching other sites. They'll basically just have your public key, which is, by definition, public. No more shared passwords between sites.

    In terms of drawbacks, I'm guessing they have a solution, but I have yet to hear how they address the problem of logging in from a friend's device, given that you can't just provide a password like before. So far as I can tell, you need your device to generate a message on the fly. There are lots of ways this could be addressed, but I don't know what their plan is.

    • by Burdell ( 228580 )

      Not just "friend's device"... any other device. Good way to keep the poor people using public library computers out.

    • how they address the problem of logging in from a friend's device

      Haha. You don't think your biometric data is unique enough to track across devices?

      I've assumed this was Apple's plan from the start. This gives them a great reason to "update" their biometric tracking methodology --you know, for security's sake.

      • Biometric data doesn't get synced between Apple devices, so I'm not sure what you think you're getting at. It's stored in the Secure Enclave, just like any private keys that are generated on-device. Sure, it could be used in that way, and may be by some of these companies, but Apple hasn't demonstrated any interest in doing that sort of thing, not even under the banner of convenience. It's actually part of the hassle of setting up a new Apple device: you need to re-register all of the fingers you want to us

      • by Merk42 ( 1906718 )
        Sure, but if that data never leaves the device then it doesn't matter how unique it is.

        Even if you want to be all "hurr they just tell you it doesn't" then are you saying that every iPhone out there has the biometric data of every iPhone user, stored locally?
    • To be clear, this is not "Apple's" tech. Apple is just the first client-side developer to release passkeys based on the open WebAuthn standard developed by FIDO, a consortium that includes all the major tech and financial industry players (e.g. Apple, Google, Microsoft, Amazon, Facebook, Visa, MasterCard, American Express, etc.).

      In terms of benefits, the most obvious one is that sites will no longer have anything private related to you that would be of use to hackers in breaching other sites.

      In other words they have poorly reinvented client certificates -- a two decades old technology.

      • Yes I guess if you don't bother to look up how it works you may think that.

        • Or if you have carefully read the spec you'll think that.
          Because that's essentially what it is - the same PKI, just done over http rather than TCP as in the case of TLS.

          So now you'll first establish a TLS connection which authenticates only the server, then do the same thing again over http to authenticate the client.

          • If you had carefully read the spec you'd see the differences. It looks more like you glossed over the spec and wrote it off as something we did 20 years ago. Try again kiddo.

    • I guess I'm not even sure why people here are calling it such a "drawback" that this technology isn't a good fit for scenarios like you logging into a public device or borrowing someone else's?

      Are you just as bothered by the fact that your house key doesn't unlock your friend's house, even though they invited you over?

    • In terms of drawbacks, I'm guessing they have a solution, but I have yet to hear how they address the problem of logging in from a friend's device, given that you can't just provide a password like before.

      This is effectively a solved problem. You use a One Time Password from a device that you control that is authenticated, or the authentication service directly queries the device and the user approves the request. Microsoft does this with their AzureAD FIDO service. When I log into a new device like a friend's laptop I can say "Use Microsoft Authenticator." The laptop displays a 2 digit ## code. Microsoft's service pings my Authenticator app which provides me 3 options and tells me to match the code on

  • by zekica ( 1953180 ) on Friday June 11, 2021 @01:21PM (#61477754)
    But we don't have a universal way to log in that works even if you lose a device. All this is just more vendor lock-in.
    • How is supporting an open public-key standard vendor lock in?
      I'm just curious, can you please explain your thoughts?

      • Does Apple allow you to use it without iCloud or allow you to export the keys to other cloud platform usable by an Android based client?

        Just because something uses an open standard doesn't mean it's not in support of vendor lock in.

  • Wouldn't this be the same as the current automatic password generation system? If you create a new account Safari detects this and proposes a secure password. Once done, biometric authentication simply unlocks the keychain for authentication with the site. Am I missing something?

    • Unlike passwords that usually are transmitted to the service to authenticate against web authn is (open standard) public-key authentication and it is not proprietary.

      I suppose that information was hard to find or understand.

    • From what I am reading, the current process shows you the password and username (which you could pick). This skips showing the user the screens has to fill out. "John Smith would you like to authenticate with your FaceID or Touch ID?" I feel it would be more secure to randomize the username selection.
    • To the user, yes, it will work very similarly to an automatically generated random password that's automatically filled in. From a security perspective, however, it's very different. Basically, the server stores your public key, rather than anything private like a password. As such, if/when the server is compromised there won't be any passwords there that might be useful elsewhere.

  • I understand how this is different than using credentials from Google, FB, Twitter, etc, on a million sites that already use it. So I guess it's technically new, but to the end user, how is it different than what they have already on many, many web sites, which offer them to login with one of their tech giants' account?
  • It is not at all clear. There are some uses for which a password is preferable, eg a shared device.

    • by Merk42 ( 1906718 )
      I would imagine that would be up to the developer of the website. Similar to how sites now have "Create an Account" OR "sign in with Facebook" OR "sign in with Google" etc.
  • Internet. Just call Apple/Microsoft/Google and said problem user will not be able to log in anywhere on the interwebs. cool
  • So this is essentially the same as an integrated password manager that randomly selects highly secure passwords that you never see. It's networked so that you can use it from all your devices. In fact, I expect internally there is a password for each site that is some random 64-bit number.

    • Re:Password Manager (Score:4, Informative)

      by Average ( 648 ) on Friday June 11, 2021 @01:35PM (#61477824)

      Somewhat more advanced than that. There is an elliptic-curve public key and private key generated, then the private key is AES-encrypted on your box by Apple's system. The server you're registering with gets both. To log in, you get all that info, decrypt the private key (hopefully only you can), sign a challenge, and the server you're logging into can verify the signature against the public key. Same principle as a FIDO key.

      Advantages: No replay attacks should be possible. And your keypair on site A has nothing to do with your keypair on site B.

  • What makes me think that you will be stuck with all your credentials in an apple controlled, device linked keychain so moving to a new non-apple device will be maximally painful?

    I was peripherally involved in developing the FIDO standards, consulting on the cryptography and standards compliance side. I don't remember enabling vendor lock in to be a goal.

    I want my magic credential store to be on every device and in some cloudy drive somewhere so I can get at my login information from all my devices, synced, witho

    • So you save your keepass-db as a file on a google-backup and sync it to the filesystem of the devices you are using it on. Then this file is decrypted and used in userspace by an application to authenticate you to external services.

      Thank you, I'll stick to Apple's implementation I guess.

      • I use Apples, PCs, Android phones and linux daily. I've owned and may own in the future iPhones.
        If I used Apple's implementation it would not work on the majority of devices I use.

  • Developers should agree that, Apple, at its discretion, can claim 30% of any revenue generated by any service that is authenticated by Apple Net ID.

    Apple reserves the right to exempt big boys from the arrangement and stick it to smaller companies without the muscle to stand up to Apple.

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Friday June 11, 2021 @01:37PM (#61477838) Journal

    ... is that when the time eventually comes that it *does* get hacked, you're completely fucked, because you can't go and change your own biometric information.

    Passwords might get hacked more easily than biometrics, but at least you can go about changing your passwords to mitigate future damage.

    Passwords get hacked as often as they do because people are bad at securing them. Not because passwords themselves are inherently less secure than other methods. This situation can be mitigated by education, not by catering to the lowest common denominator.

    • by Junta ( 36770 )

      Note that the biometrics *only* authenticate you to the device in your hand. The device then uses its private key material on your behalf to the network.

      So having my fingerprint by itself will do jack unless you also have one of my devices that I enrolled. I do not know how iPhone device onboarding works, but as far as I've read, no one supports coming in cold to do biometric authentication to a new device, but must authorize the device prior to then setting up biometric access to your device.

      So I would b

      • by mark-t ( 151149 )

        No, you wouldn't have to change your fingerprint just because you lost your phone. It could present a more serious problem, however, if your fingerprint was the only thing being used to access your banking information, for example.

        Also, until you go and revoke that access, your hacked phone could still be freely used by the hacker to access any parts of your life that had otherwise been locked behind the biometric authentication - offering the exact same gaping security hole as using the same password f

        • In the theoretical situation where a hacker manages to steal your device and has captured your fingerprints as well, you likely have bigger concerns to deal with, such as why a nation state is after you. But yes, in that scenario they'd have "something you are" and "something you have" and would be able to use that to access a lot of stuff.

          That said, they'd have to move fast, because iPhones require that passcodes be re-entered once a week as a security mechanism (6.5 days, technically), as well as after fi

          • by mark-t ( 151149 )
            The biggest problem I have with it is that it is very much a single point of failure, and when compromised, a lot of damage can be done, just as using one password for multiple services can cause.
    • You got hung up on the biometric angle, but biometrics are purely incidental in all of this. Passkeys are the new technology here, and yes, they are inherently more secure than passwords.

      For instance, reuse of passkeys between sites is not a thing, so a breach at one cannot compromise you elsewhere. Sure, everyone could be using unique passwords at each site, but we know that'll never happen as long as we allow people to use passwords. This fixes that. Likewise, every server could be doing cryptographic has

      • by mark-t ( 151149 )
        The problem I have is that biometrics present a single-point-of-potential-failure that once it has been compromised, can cause an extraordinary amount of damage. If your fingerprint was used to secure your banking info, for example, how do you go about changing your fingerprint to access the bank once someone's figured out how to forge your fingerprint? You can't. You're stuck with it... and have to disable fingerprint access entirely once it's been hacked.

        My argument is to just cut out the middle-man

        • You can disable biometrics on an iOS device and still use the secure enclave to encrypt things. For example, you can set and use only the PIN.

          This is no less secure than using biometrics to unlock the already existing iCloud Keychain. In fact, it's a bit more secure since there is never a point where a "password" is sent across the Internet connection, encrypted or otherwise.

          tl;dr The biometric aspect is a separate concern and doesn't have much bearing on how secure this authentication method is vs passwo

    • Passwords get hacked as often as they do because people are bad at securing them.

      Passwords are horrible because more often than not it's the very people you're trusting with your security that don't secure your passwords. Sure use a different password per site, but that leads to headaches and short cuts and ultimately to people not securing their own passwords.

      Biometrics used in this implementation aside, the idea of a unique key per site for authentication is a huge step in the right direction. No longer do you need to trust that someone isn't storing your password in plain text, or has

  • by seebs ( 15766 ) on Friday June 11, 2021 @01:38PM (#61477842) Homepage

    I just want clearer guidance on how to change my face and fingerprints when they get compromised.

    • by swell ( 195815 )

      "how to change my face and fingerprints"

      I can't speak for you, but I have ten (10) fingerprints available which should be enough. If not, I just checked and it looks like toeprints might work too. Now those two-faced people may have an advantage in that area.

      • I just want clearer guidance on how to change my face and fingerprints when they get compromised.

        I can't speak for you, but I have ten (10) fingerprints available which should be enough.

        Perhaps he/she makes a LOT of mistakes working for the Yakuza [wikipedia.org] and is worried about Yubitsume [wikipedia.org] ...

        [Hey, It's just as likely as everyone buying into password-less logon...]

      • Fingerprints are great unless it's cold, really hot, you recently washed your hands or are over forty.

    • How is this insightful - it's just some slashdotter parroting a catchy phrase from some security talk they didn't understand.

      A copy of my fingerprint will give you 3 tries to log into my iOS device that you stole.
      After that (or the next day or if I hard-locked the device) you'll need my alphanumeric Passphrase.
      It's much easier to watch/film me entering my passphrase or to beat me with a rubber hose until I give it to you than to get my fingerprint right (for the device!) on the first

    • Ask Nicolas Cage https://en.wikipedia.org/wiki/... [wikipedia.org] Also can we talk about that hyperlink ... I would have thought that Wikipedia would santise a / in an article title.

    • I just want clearer guidance on how to change my face and fingerprints when they get compromised.

      You completely misunderstand the security model of biometrics. They are not passwords. They are not secrets. Your biometric data must be considered public, since you show your face and leave your fingerprints everywhere. The security of biometric authentication arises not from the secrecy of the data, but from the manner of presentation and validation. Since the data is not secret there is neither any need to rotate it, nor any value in rotating it.

  • Like (Score:5, Insightful)

    by Impy the Impiuos Imp ( 442658 ) on Friday June 11, 2021 @01:46PM (#61477874) Journal

    Remember there are court fights if you have to give up your password for a warrant. There are no fights over biometric IDs because that is physical, and with a warrant they will just grab you by the back of the head and shove your face in the camera.

  • The summary makes it sound like biometric data will be the sole means of authentication in this system. I am not well-versed on biometric authentication. Is biometric data really so secure that we can shy away from multi-factor authentication systems? My understanding was that Multi-Factor Authentication will always be inherently more secure than any singular authentication system. Is this feature really a game-changer, or is this piece PR fluff?
    • by Junta ( 36770 )

      The factor is *really* the device. You are authenticating by biometric to the local device, *not* to the network service in any way.

      You can set up whatever factor(s) you want to your local device in the more generic sense. However face and fingerprint are popular and steers people to 'something you have' factors, which are better in general than 'something you know'.

  • Yeah, it's been years since phones that could log on by a finger print or face were introduced.

    Some people like it. Many do not. Too easy to fool. They always (as in this case) require text to be typed in, it is not more secure.

    Now, if you call this a replacement for USERNAMES, that would make more sense.

  • With a passphrase, if your keyboard breaks - you just plug in another keyboard. But with this, if your camera array (FaceID) or TouchID sensor won't work, you're screwed.

    ...unless you have a backup method for authentication, in which case the purported security advantages of these methods becomes meaningless.

    • by k2r ( 255754 )

      Your backup is iCloud keychain. If you lose all your Apple-Devices you better remember your iCloud-Password AND your Security-Code if you want to restore it to a new device.
      Now complain that iCloud keychain is too safe.

      Your fingerprint is just a temporary (3 failed tries or some hours of inactivity or emergency locking) supplement for your device passphrase. You can perfectly fine not use the biometric features of iOS but enter your passphrase each time you want to unlock.

      • Now complain that iCloud keychain is too safe.

        No, I'd rather point out that I've seen iCloud Keychain get corrupted on more than one occasion, for a few different individuals. And since (unlike with most other password managers) you aren't allowed to export a copy of it, you're SOL if that happens.

  • When your phone is stolen or lost or damaged, you can't do anything because it has all your information.

    Something, something, eggs in one basket.

  • by fahrbot-bot ( 874524 ) on Friday June 11, 2021 @02:30PM (#61478006)

    Something happens to your iPhone (lost, stolen, broken, wet) and you can't log into anything until you get a new one? No thanks. I realize this is like a password manager, but at least I can have a copy somewhere else. So, at the moment at least, this is another way to tie you to your iPhone and/or other Apple devices. From TFA:

    The technology works only with Apple devices, but Apple recognizes that the success of passkeys requires availability on Windows computers and Android smartphones, too. To that end, Apple is talking to industry partners at FIDO and the World Wide Web Consortium (W3C) about the technology.

    Accounts can be recovered through Apple's iCloud Keychain If a user's devices are lost, damaged or stolen. It's not yet clear how that aspect of passkeys would work beyond Apple devices. (Apple encrypts iCloud Keychain data, and reconstructing it without a device can require a previously used password.)

    Apple says this also gets around problems using hardware security keys, but it's just swapping one device for another:

    Hardware security keys also block phishing but come with a host of drawbacks, for example the need to carry them at all times and difficulty recovering account logon privileges if the fob is lost.

    Passkeys get around both problems, Apple says. Everyone already carries their phone, face and fingers.

    Noting that I don't always have my phone (or at least not handy) and don't want to be tied to it simply to log in to something -- or if Apple (et al) have their way, everything ...

  • What if I don't want to use a FaceID or Touch ID?

    Fortunately I don't own any Apple devices, but if I did, I'd hate this unless there's a mode that uses a plain ol' password.

  • I'm sure this will be greatly appreciated by both law enforcement and marketing companies.
  • Just curious. If your fingerprints are already in a system (border entry, criminal, corporate, whatever) could it be used against the touchid button on my mac? The only fingerprints I know of are on border patrol of a country I trust, but while this sounds really useful I would be leery of having no plaintext copy of the passwords.
