iOS 17 and macOS Sonoma Automatically Generate Apple ID Passkeys (9to5mac.com)
You can now forgo entering your password on icloud.com and apple.com domains thanks to newly added passkey support. From a report: When running iOS 17 on an iPhone, any Apple site on the web can rely instead on Face ID or Touch ID to authenticate your login. As part of iOS 17, iPadOS 17, and macOS Sonoma, your Apple ID is automatically assigned a passkey that can be used for iCloud and Apple sites. If you're running iOS 17 on your iPhone, you can try it out now. Just go to any sign-in page with an apple.com or icloud.com domain, like appleid.apple.com or www.apple.com/shop/bag, and look for the Sign in with iPhone button after you enter your Apple ID email address. We've tried this from Safari on the Mac, although you can use passkeys on non-Apple devices as well. Once you select Sign in with iPhone, a QR code is presented that you scan with your iPhone. If you scan the QR code from the Camera app, you can tap the yellow link box to invoke Face ID or Touch ID to authenticate your identity on the web without ever entering your password.
Awesome. (Score:2)
Passwords can't die soon enough.
Once folks start getting used to passkey authentication, it'll get the rest of the industry moving.
This is one of those "we need big movers to move first instead of being fast followers" kind of things.
Let's do this.
Re: (Score:2)
My work PC has the option disabled by the admins higher up than me, my home desktop doesn't even have the option for passkeys IIRC, and turning it on tanks the usability of the phone to unacceptable levels.
Re: (Score:2)
My issue is backing up key stores. If I lose access to one device, my passwords are synced, so I can use another device without issue. Having ID bound to a device can be really bad if that device fails or is lost.
What would be nice is to have some type of encrypted backups of the key stores. That way, if a sync error happens or a device crashes, that auto mechanism is still in place.
Re: (Score:3)
It is a long read, but it is very interesting to a developer like myself, and makes me think of ways I ha
Re: Enough with the bloat. (Score:2)
Re: Awesome. (Score:3)
The technology works well, just some companies don't support it correctly. Google in particular still doesn't even support FIDO2, which is really fucking old at this point. Chrome mostly does, but Android doesn't, and you can't even set up a Google account with a FIDO2 key if your browser (rightfully) disables U2F. Which also means, among other things, that you can't use mandatory PIN authentication, meaning it can't be 2FA unless you still also use a stupid password.
So much for their dumb claims about goin
Re: (Score:2)
I'm somewhat concerned about the SPoF this has potential to introduce: instead of a million different ways to store passwords, you're using a single repository backed/accessed via API. That will be a prominent target which will be difficult for hackers to ignore.
That said, it'll be a huge benefit to account security in general.
The ability to revoke keys would be crucial, as well. Hopefully that infrastructure becomes available soon.
Re: (Score:2)
Having the ability to back up key stores would be nice. For example, all the Google Auth shared secrets, I back up, so if a device gets lost or crashes, I still have those without needing to recover.
Maybe even have a standard protocol between key stores, so if transferring from key store #1 to another, you can copy the public key of key store #2 to key store #1, have key store #1 export a file encrypted to key store #2's public key, and key store #2 can decrypt and import the backup, all without any data e
Re: (Score:2)
Yes, absolutely - the lifetime on keys would be fantastic. Or even a key 'deadman' - if you don't actively -use- the key for 6 months, it's dead.
Re: (Score:2)
The problem with passkeys is that only Apple has a complete ecosystem.
Biometrics on all their devices, check. Flexible secure processors on all their devices, check. Dedicated department for investigating requests for account recovery when all other options fall through, check. Rank amateurs as competition, check.
Re: (Score:2)
Agreed, but you have to start somewhere. It's a chicken/egg problem. May as well let the first mover get it right and set a good model to follow.
If we let the rank amateurs set the pace, we'll be stuck with this completely stupid "Remember a 36-character password with 4 symbols, 3 digits, at least two uppercase letter and two emojis" nonsense forever.
I'm over it.
I'm over passwords.
I'm over password keepers.
I'm over managing authorized_keys files.
I'm over all of it.
Re: (Score:2)
I'm over password keepers
AFAIK, you are just trading one random set of gibberish (password) for another (private key). The nice thing with passkeys is that you aren't giving the super secret to the web site to store; rather, you are keeping the secrets close to the vest. But you still need to manage and store the secrets. Which, I think, means that a manager is still required.
Re: (Score:2)
Passwords can't die soon enough.
Once folks start getting used to passkey authentication, it'll get the rest of the industry moving.
This is one of those "we need big movers to move first instead of being fast followers" kind of things.
Let's do this.
Let's not. So this is basically an all access pass(key) to all your linked accounts, unlocked by something you have/are, not know. Fingerprint unlock is a joke security-wise and I imagine face unlock isn't really much better. Law enforcement (or anyone) with access to your phone will have access to all those accounts. No separate warrant required to access your Apple Cloud account, etc... I get that this is convenient, but that doesn't necessarily help with overall/global security. How about not being
Re: Awesome. (Score:2)
Google/MS need to beg Intel for passkey support (Score:3)
Intel and AMD are the only ones who can implement passkeys securely on PCs due to a lack of foresight of PC operating system developers. TPM is not enough, ME/PSP are needed too. Being forced to use your phone while Apple users can just use the single device they are working on would accelerate the deathmarch of everything non-Apple in consumer electronics (and financial services and cars).
With Intel involved it might even be an open standard which allow passkey syncing between Microsoft and Google, instead of trying to compete with each other for lockin while Apple steamrolls them.
PS. until today I never knew Intel already tried using their Management Engine for password management, they made True Key which mostly failed to get adopted and which they seem to have sold to McAfee. Time for a second go at it.
Re: (Score:2)
What is the threat model where current PC operating systems are not adequate?
Passkey is more secure than passwords, and you can still use 2FA on top if you like.
The only scenario where Passkey is compromised is when your machine has malware on it that can get into the encrypted data storage area of the OS. If your system is that compromised you are screwed anyway.
The only advantage that secure processors like the ones built into phones offer is that they can require user input before performing operations,
Re: (Score:2)
Malware and hacks which break containment using files opened by browsers, Office, etc. Windows containment isn't Android containment. Being just as insecure as a password manager is nothing to write home about.
It's dangerous for Microsoft to gamble its reputation on and then in a big hack be publicly confronted with their inferiority to Apple. Google simply would never use a solution running purely on the main processor for ChromeOS period, not their style.
The management engine will use its own secret keys
Thought of three hacks already: (Score:2)
1) Bad guy or collection of them who get your credit card info can buy an iPhone, iPad, or Mac, set it up (with reproducible facial disguise or fake fingerprint glove), and gain access to your accounts on all apple servers.
2) Cop or secret police of some tyrannical country arrests you with an iProduct on you, fingerprints you, 3-d prints or photo-etches and molds a fingertip glove or your print, and logs in with that, or with your picture, or by holding the iGadget up in front of you or running your finger
Re: (Score:3)
1. FaceID is not enough to get an Apple device associated with your Apple ID.
2. The only advantage for the current situation is that they need you temporarily alive to get the password.
3. They can do all that with your password too. The password has to go through an input device though, with passkey only user verification goes through an input device.
Re: Thought of three hacks already: (Score:2)
These hypotheses will not work.
1) Bad guy or collection of them who get your credit card info can buy an iPhone, iPad, or Mac, set it up (with reproducible facial disguise or fake fingerprint glove), and gain access to your accounts on all apple servers.
Apple does not authenticate via credit card, so that's irrelevant. They also require your full password when booting a device (biometrics won't do) and they require two-factor authentication when adding a new device to your account.
2) Cop or secret police of some tyrannical country arrests you with an iProduct on you, fingerprints you, 3-d prints or photo-etches and molds a fingertip glove or your print, and logs in with that, or with your picture, or by holding the iGadget up in front of you or running your finger over it while you're chained to a table.
In this scenario, you have bigger problems than password security (see also https://xkcd.com/538/ [xkcd.com]). But yes, bad actors could physically force you to unlock your device, provided it hasn't been restarted or passed the timeout for a passcode/passwor
Re: Thought of three hacks already: (Score:2)
Re: (Score:2)
1) Bad guy has a wrench [xkcd.com]
Re: Thought of three hacks already: (Score:2)
One issue I see with this (Score:2)
When FaceID / TouchID fails, Apple devices offer the fallback option of using your passcode. So we're back to "something you know" - and most people's passcode is numeric, not as secure as their account password, and observable by a patient adversary.
Re: One issue I see with this (Score:2)
Something have to something you know… (Score:1)
Bad idea - not protected from LEOs (Score:2)
Re: (Score:2)
As with AirDrop being retroactively limited to 10 minutes "open to everyone" because that's what the CCP wanted, I wouldn't be surprised at all if they were involved in this as well.