Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Apple IT Technology

iOS 17 and macOS Sonoma Automatically Generates Apple ID Passkeys (9to5mac.com) 32

You can now forgo entering your password on icloud.com and apple.com domains thanks to newly added passkey support. From a report: When running iOS 17 on an iPhone, any Apple site on the web can rely instead on Face ID or Touch ID to authenticate your login. As part of iOS 17, iPadOS 17, and macOS Sonoma, your Apple ID is automatically assigned a passkey that can be used for iCloud and Apple sites. If you're running iOS 17 on your iPhone, you can try it out now. Just go to any sign-in page with an apple.com or icloud.com domain, like appleid.apple.com or www.apple.com/shop/bag, and look for the Sign in with iPhone button after your enter your Apple ID email address. We've tried this from Safari on the Mac, although you can use passkeys on non-Apple devices as well. Once you select Sign in with iPhone, a QR code is presented that you scan with your iPhone. If you scan the QR code from the Camera app, you can tap the yellow link box to invoke Face ID or Touch ID to authenticate your identity on the web without ever entering your password.
This discussion has been archived. No new comments can be posted.

iOS 17 and macOS Sonoma Automatically Generates Apple ID Passkeys

Comments Filter:
  • Passwords can't die soon enough.

    Once folks start getting used to passkey authentication, it'll get the rest of the industry moving.

    This is one of those "we need big movers to move first instead of being fast followers" kind of things.

    Let's do this.

    • No thanks. Still too many issues.
      My work PC has the option disabled by the admins higher up than me, my home desktop doesn't even have the option for passkeys IIRC, and turning it on tanks the usability of the phone to unacceptable levels.
      • My issue is backing up key stores. If I lose access to one device, my passwords are synced, so I can use another device without issue. Having ID bound to a device can be really bad if that device fails or is lost.

        What would be nice is to have some type of encrypted backups of the key stores. That way, if a sync error happens or a device crashes, that auto mechanism is still in place.

        • The passwords are saved in your keychain. The keychain is encrypted by your AppleID authentication, such that Apple can not unlock it. You need to authenticate your Apple ID to decrypt your keychain when you download it to a new device, which re-encrypts it and stores it in the secure element. That is how it should work. I have read the security guide related to the tech, and it seems well thought out.

          It is a long read, but it is very interesting to a developer like myself, and makes me think of ways I ha
      • The technology works well, just some companies don't support it correctly. Google in particular still doesn't even support FIDO2, which is really fucking old at this point. Chrome mostly does, but Android doesn't, and you can't even set up a Google account with a FIDO2 key if your browser (rightfully) disables U2F. Which also means, among other things, that you can't use mandatory PIN authentication, meaning it can't be 2FA unless you still also use a stupid password.

        So much for their dumb claims about goin

    • by CAIMLAS ( 41445 )

      I'm somewhat concerned about the SPoF this has potential to introduce: instead of a million different ways to store passwords, you're using a single repository backed/accessed via API. That will be a prominent target which will be difficult for hackers to ignore.

      That said, it'll be a huge benefit to account security in general.

      The ability to revoke keys would be crucial, as well. Hopefully that infrastructure becomes available soon.

      • Having the ability to back up key stores would be nice. For example, all the Google Auth shared secrets, I back up, so if a device gets lost or crashes, I still have those without needing to recover.

        Maybe even have a standard protocol between key stores, so if transferring from key store #1 to another, you can copy the public key of key store #2 to key store #1, have key store #1 export a file encrypted to key store #2's public key, and key store #2 can decrypt and import the backup, all without any data e

        • by CAIMLAS ( 41445 )

          Yes, absolutely - the lifetime on keys would be fantastic. Or even a key 'deadman' - if you don't actively -use- the key for 6 months, it's dead.

    • The problem with passkeys is that only Apple has a complete ecosystem.

      Biometrics on all their devices, check. Flexible secure processors on all their devices, check. Dedicated department for investigating requests for account recovery when all other options fall through, check. Rank amateurs as competition, check.

      • by nbvb ( 32836 )

        Agreed, but you have to start somewhere. It's a chicken/egg problem. May as well let the first mover get it right and set a good model to follow.

        If we let the rank amateurs set the pace, we'll be stuck with this completely stupid "Remember a 36-character password with 4 symbols, 3 digits, at least two uppercase letter and two emojis" nonsense forever.

        I'm over it.
        I'm over passwords.
        I'm over password keepers.
        I'm over managing authorized_keys files.
        I'm over all of it.

        • I'm over password keepers

          AFAIK, you are just trading one random set of jibberish (password) for another (private key). The nice thing with passkeys is that you aren't giving the super secret to the web site to store; Rather, you are keeping the secrets close to the vest. But you still need to manage and store the secrets. Which, I think, means that a manager is still required.

    • Passwords can't die soon enough.

      Once folks start getting used to passkey authentication, it'll get the rest of the industry moving.

      This is one of those "we need big movers to move first instead of being fast followers" kind of things.

      Let's do this.

      Let's not. So this is basically an all access pass(key) to all your linked accounts, unlocked by something you have/are, not know. Fingerprint unlock is a joke security-wise and I imagine face unlock isn't really much better. Law enforcement (or anyone) with access to your phone will have access to all those accounts. No separate warrant required to access your Apple Cloud account, etc... I get that this is convenient, but that doesn't necessarily help with overall/global security. How about not being

    • Im ok with face ID. It can only store 1 face. But fingerprint lets you add multiple scans. All that is required is someone to know your PIN to add a new biometric. Considering bio trumps your appleID password, it should require your appleID password. This is a ridiculous weakness in fingerprinting biometrics. Thats in addition to getting drugged at a bar and someone using your face or finger/thumb to log into your most secure shit. Even 2FA is often unlocked with biometrics. Fortunately Im not a high profil
  • Intel and AMD are the only ones who can implement passkeys securely on PCs due to lack of foresight of PC operating system developers. TPM is not enough, ME/PSP are needed too. Being forced to use your phone while Apple users can just use the single device they are working on would accelerate the deathmarch of everything non Apple in consumer electronics (and financial services and cars).

    With Intel involved it might even be an open standard which allow passkey syncing between Microsoft and Google, instead of trying to compete with each other for lockin while Apple steamrolls them.

    PS. until today I never knew Intel already tried using their Management Engine for password management, they made True Key which mostly failed to get adopted and which they seem to have sold to McAfee. Time for a second go at it.

    • by AmiMoJo ( 196126 )

      What is the threat model where current PC operating systems are not adequate?

      Passkey is more secure than passwords, and you can still use 2FA on top if you like.

      The only scenario where Passkey is compromised is when your machine has malware on it that can get into the encrypted data storage area of the OS. If your system is that compromised you are screwed anyway.

      The only advantage that secure processors like the ones built into phones offer is that they can require user input before performing operations,

      • Malware and hacks which break containment using files opened by browsers, Office, etc. Windows containment isn't Android containment. Being just as insecure as a password manager is nothing to write home about.

        It's dangerous for Microsoft to gamble its reputation on and then in a big hack be publicly confronted with their inferiority to Apple. Google simply would never use a solution running purely on the main processor for ChromeOS period, not their style.

        The management engine will use its own secret keys

  • 1) Bad guy or collection of them who get your credit card info can buy an iPhone, iPad, or Mac, set it up (with reproducable facial disguise or fake fingerprint glove), and gain access to your accounts on all apple servers.

    2) Cop or secret police of some tyrannical country arrests you with an iProduct on you, fingerprints you, 3-d prints or photo-etches and molds a fingertip glove or your print, and logs in with that, or with your picture, or by holding the iGadget up in front of you or running your finger

    • 1. FaceID is not enough to get an Apple device associated with your Apple ID.
      2. The only advantage for the current situation is that they need you temporarily alive to get the password.
      3. They can do all that with your password too. The password has to go through an input device though, with passkey only user verification goes through an input device.

    • These hypotheses will not work.

      1) Bad guy or collection of them who get your credit card info can buy an iPhone, iPad, or Mac, set it up (with reproducable facial disguise or fake fingerprint glove), and gain access to your accounts on all apple servers.

      Apple does not authenticate via credit card, so that's irrelevant. They also require your full password when booting a device (biometrics won't do) and they require two-factor authentication when adding a new device to your account.

      2) Cop or secret police of some tyrannical country arrests you with an iProduct on you, fingerprints you, 3-d prints or photo-etches and molds a fingertip glove or your print, and logs in with that, or with your picture, or by holding the iGadget up in front of you or running your finger over it while you're chained to a table.

      In this scenario, you have bigger problems than password security (see also https://xkcd.com/538/ [xkcd.com]). But yes, bad actors could physically force you to unlock your device, provided it hasn't been restarted or passed the timeout for a passcode/passwor

      • If i give you rohypnol (the date rape drug) youre out for 6hrs. During that time your device and biometrics are available to steal valuable shit like bank accounts etc. even if i have to type in your appleID password theres a really good chance you'll give it up under the influence and never remember any of it. If you have anything worth stealing I would stay as analog as possible.
    • by Merk42 ( 1906718 )
      Hack for password based logins:
      1) Bad guy has a wrench [xkcd.com]
    • You dont need the complexity of #1. Just drug their cocktail and while they are unconscious just use their own phone and their body for biometrics.
  • When FaceID / TouchID fails, Apple devices offer the fallback option of using your passcode. So we're back to "something you know" - and most people's passcode is numeric, not as secure as their account password, and observable by a patient adversary.

  • Not certain how I like passkeys. But maybe I am a security degenerate. My spouse and I share account credentials. Looks like this gets more complicated
  • Enabling something like this is a horrible idea, as LEOs can now force you to unlock all related cloud accounts. Password or PIN are the only authentication methods that currently protected under the law.
    • by waspleg ( 316038 )

      As with airdrop being retroactively limited to 10 minutes "open to everyone' because that's what the CCP wanted, I wouldn't be surprised at all if they were involved in this as well.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...