hoakley September 14, 2022 Macs, Technology

Why Passkeys are so important, and how you can use them now

For as long as I can remember, certainly going back to the late 1970s, passwords have been a cornerstone of computer security. In those days, when I logged on to a remote mainframe using a ‘teletype’ terminal, I entered my username and password, just the same as I do now to log on or authenticate to any of my Macs. Steal someone’s username and password, and you can be that person, with all their permissions and privileges.

Over that period, other mechanisms have been devised to replace passwords for authentication. Like Touch ID and Face ID, most are dependent on hardware, and only available on certain systems. Plug-in hardware keys are an alternative widely used in some enterprise environments, but seldom by ordinary users.

Hardware keys generally use pairs of keys generated using cryptographically secure methods, so they’re effectively impossible to crack. The way they work is complex, but in essence what they do is provide the server or service with the public key from the pair, and keep its private key partner secret. The server then challenges for proof of validity, and once that’s been completed accepts that authentication. Public keys alone can’t be used to discover or guess the private key, and the private key is never divulged.

Passkeys essentially work the same as a hardware key, but everything is handled in your Mac’s (or device’s) secure enclave instead.

The advantages to this are great: you don’t need to remember or fetch any passwords, only your username, which should be auto-filled; if a remote server is compromised and your information stolen, it only contains your username and the public key, which can’t give anyone else access to your account; if an attacker tries to phish for your password, they can’t obtain your Passkey, and you know neither of its keys anyway. Passkeys therefore address all the main weaknesses in password-based authentication.

Requirements

Passkeys are now available for use in Monterey and Ventura, as well as iOS 16. To use them, you need:

Macs to be running macOS 12 or later,
iOS devices to be running iOS 15 or later,
iPadOS devices to be running iPadOS 15 or later,
Safari 16 or another browser/app with Passkey support; although support exists in Safari 15, it doesn’t appear as reliable,
biometric authentication support, such as Touch ID or Face ID, is a great advantage and may be required for some services/sites,
Keychain in iCloud for Passkey sharing,
services with Passkey support.

I haven’t tried macOS 11, as that doesn’t have the API required for Passkey support. I don’t know whether iOS/iPadOS 15, which do have API support, offer Passkeys in Safari or other apps.

Biometric authentication seems the most reliable, although Apple refers to alternatives being available for Intel Macs which don’t support it. For the moment, if you try to access some Passkey-protected accounts on a Mac without biometric support, Safari might presume that you are using a hardware key, and prompt for that, which gets you nowhere.

passkeys01

Setting up Passkey access

Provided a website or service supports Passkeys and your Mac is compatible, setting them up is straightforward.

Perhaps the most prominent early adopter is Best Buy, which I’ll use for this demonstration. First set up a regular account, if you don’t already have one, with your username and a robust password. Then go to the Account Home page within it, select Account Settings, and Face or Fingerprint Sign-In. When you configure that, Safari’s Passkey setup window will appear.

passkeys02

Simply use Touch ID for macOS to create your Passkey and set it up with Best Buy. Then log out and try your new login method. Currently, this is slightly kludgy, in that you first enter your email address as your username, then click on the Sign In with WebAuthn button to log in with your Passkey.

passkeys03

Safari will then invite you to use Touch ID to authenticate with your Passkey.

passkeys04

That’s all there is to it.

These are early days. Until the public release of iOS 16 and Safari 16 on 12 September 2022, Passkeys and hardware keys have been minority pursuits. Now that hundreds of millions of people around the world can readily use Passkeys on their iPhones and Macs, expect this to change rapidly.

Passkeys for 2FA

Although services may not yet offer Passkeys as their primary means of authentication, many more support their use in 2FA. I tested this out with GoDaddy, adding a Passkey as an alternative to a texted PIN to complete 2FA. This is a safe option, as it allows me to provide the second authentication factor by either entering the texted PIN or using the Passkey.

In the Account security page, I selected Security Key as the secondary method for 2-Step Verification. Safari then displayed the window to set a Passkey, which requires Touch ID authentication, following which GoDaddy confirmed that had been successfully set. In this case, I was asked to assign a name to the Passkey.

Checking your Passkey

There isn’t much to check in a Passkey. Both Safari’s Passwords in Preferences and the Passwords pane report that a Passkey has been set for individual accounts, and offer to send them to another Mac or device by AirDrop if you want. Keychain Access doesn’t yet distinguish Passkeys from other keychain contents.

Support for other devices

Apple has shown a method using a QR code which it claims can export a Passkey to a device that can’t share a keychain in iCloud. So far, I haven’t been able to find that feature in macOS or its bundled apps.

49Comments

Add yours

1

Valdo on September 14, 2022 at 7:53 am

Passkey sound nice and simple especially as on my new MacBook Air the passwords do not work. The whole password set is synced via iCloud, but when trying to log in on any website from MBA the passwords are not triggered when accessing the user ID or PASS fields. On iPhone and iPad no problem at all!? Even newly created sets of user ID and Passwords are not saved. Again on iDevices everything is fine.

LikeLiked by 1 person
- 2
  
  Valdo on September 14, 2022 at 9:26 am
  
  P.S.
  When enabling Autofill User ID and Passwords in Safari it is working, but I would like to have control over it, using the Touch ID for log in…
  
  LikeLiked by 1 person
  - 3
    
    hoakley on September 14, 2022 at 10:34 am
    
    As with Apple’s devices, initial login can’t be performed using biometrics, which is good. A few calls for authentication after that still don’t offer Touch ID, though, which is a pain.
    Howard.
    
    LikeLike
- 4
  
  hoakley on September 14, 2022 at 10:29 am
  
  I’m sorry to hear that.
  My normal recommendation is to shut down all Macs and devices, ensure that they all have good Wi-Fi connections, then bring them back up one by one, allowing each ample time to sync properly with iCloud before starting up the next one.
  I wish you success.
  Howard.
  
  LikeLike
  - 5
    
    Valdo on September 14, 2022 at 11:27 am
    
    Thank you Howard, I did it as recommended, but no change and the Keychain is correctly synced along all 3 devices.
    There must be something else as when Autofill is enabled on MB Air the login is immediate but when Autofill is disabled in Safari, the passwords are not invoked as usual on iPhone or iPad.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on September 14, 2022 at 1:01 pm
      
      Sorry. That’s odd.
      Howard.
      
      LikeLike
- 7
  
  Valdo on September 14, 2022 at 7:17 pm
  
  Let’s close this issue. After few MBA restarts, the computer stopped to instantly log in into web accounts (with Autofill enabled) and started to offer automatically User ID’s and requesting Touch ID for passwords.
  
  A glitch???
  
  LikeLiked by 1 person
  - 8
    
    hoakley on September 14, 2022 at 9:11 pm
    
    Well done! Yes, I think glitch is a good word. I hope you can resume more normal life again.
    Howard.
    
    LikeLike
9

bwillius on September 14, 2022 at 9:25 am

Don’t passkeys make us rely even more on hardware? When the main phone get’s lost or is at the doctor logging into most websites isn’t possible anymore. What happens if phone and computer are stolen or whatever? Do we need to deposit a working phone at the bank to be safe now?

LikeLiked by 1 person
- 10
  
  Valdo on September 14, 2022 at 9:28 am
  
  I think the Recovery contact is in such case the solution. (https://appleid.apple.com)
  
  LikeLiked by 1 person
  - 11
    
    bwillius on September 14, 2022 at 9:44 am
    
    @Valdo: thanks! Good to know.
    
    LikeLiked by 1 person
- 12
  
  hoakley on September 14, 2022 at 10:33 am
  
  Thank you. It all depends whether you put your keychain in iCloud. I was very reluctant in the early days, but since it has become so much more reliable, I have four Macs, my iPhone and an iPad Pro which all share the same keychain. If one of those is destroyed or away for repair, it’s not hard to sign another device (a replacement, perhaps) into the same account and rapidly gain equal access.
  Testing with Passkeys so far confirms that they’re shared very rapidly across all connected devices.
  Howard.
  
  LikeLike
  - 13
    
    Banff on September 16, 2022 at 4:57 am
    
    Howard, in trying to think through Passkey dynamics *for my own situation*, I am quoting from your article 2019/09/05/how-to-back-up-your-icloud-keychain.
    “Some users report that their local keychains are kept reliably in sync with what is in iCloud; others have found to their cost that they haven’t been. If I don’t have a local backup, then as far as I am concerned, I have no backup at all. For such crucial data, that is a serious omission, and a single point of failure which I can’t accept. Nor should you.”
    Things have obviously changed and improved in the past 3 years, so I am trying to do a bit of level-setting, at this point:
    (01) As far as syncing (sharing) private Passkeys between Apple devices, it is good to hear that has been quick and flawless in your recent experiences.
    (02) I would think that doing iCK local backups is still important (maybe not so much for syncing), but also for iCloud storage of the private Passkeys themselves. I would appreciate your thoughts.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on September 16, 2022 at 5:59 am
      
      Thank you.
      As Passkeys are so new, and in Ventura pre-release, I simply don’t know how important they are to back up. I think we need to see them in use for a bit before making such decisions, but there’s no harm in continuing to back up your iCloud keychain.
      Howard.
      
      LikeLike
- 15
  
  Raoul on September 15, 2022 at 5:47 am
  
  Here at Uni, we use OKTA for MFA. We moved > 100K staff and students over to MFA inside 4 months! ← needless to say the ServiceDesk queue exploded but we got there in the end.
  Once setup, there’s an option to have recovery keys saved in the event that both PC and MFA devices are missing, and now that were ISO certified when it comes to security, we have to visually check the persons face against a form of Photo ID before any relaxing of security processes can occur to get people back up and running…
  
  It’s certainly a new world we live in…
  
  LikeLiked by 1 person
  - 16
    
    hoakley on September 15, 2022 at 12:42 pm
    
    Wow! Well done.
    It will be interesting to see how well Passkeys integrate into that.
    Howard.
    
    LikeLike
- 17
  
  Milo on September 15, 2022 at 1:24 pm
  
  I think for most types of accounts, reset by e-mail will still be thing. I don’t think Passkey/FIDO2 will replace the username/password combo any time soon and would predict a peaceful coexistence for many years to come.
  
  LikeLiked by 1 person
  - 18
    
    hoakley on September 15, 2022 at 1:55 pm
    
    Peaceful co-existence with the same service, sure, but not with the same account. I think very few people are going to want to be able to access an account/service/site using either Passkeys or password: they will prefer one or the other.
    Howard.
    
    LikeLike
    - 19
      
      Milo on September 15, 2022 at 2:39 pm
      
      I think most services will keep both login methods, even for the same user. As user-friendly as Passkey is, it will take many years for users to be educated about the new “paswordless” paradigm. But it’s a bright future, and I’m looking forward to it.
      
      LikeLiked by 1 person
    - 20
      
      Banff on September 16, 2022 at 1:16 am
      
      In a backend data breach scenario, the Public-Passkey (stored on the website account) *is* useless to cybercriminals. The Login-Password (stored on the website account) *can be* useful to cybercriminals. For this particular reason, having both types (stored on the website account) is not a good idea. Am I missing something?
      
      LikeLiked by 1 person
    - 21
      
      hoakley on September 16, 2022 at 5:51 am
      
      No – that’s exactly what concerns me. More on Sunday morning.
      Howard.
      
      LikeLike
22

Ed on September 14, 2022 at 5:34 pm

So I guess for devices without biometrics (like my M1 Mini) the trick is to set up the passkey with iPhone or iPad, and then share the key from there (with Keychain in iCloud most conveniently).

LikeLiked by 1 person
- 23
  
  hoakley on September 14, 2022 at 6:50 pm
  
  Thank you.
  First, your M1 Mac mini does support biometrics, as all Apple silicon models do, but you need one of Apple’s newer keyboards with Touch ID support.
  I don’t know how, but Apple claims (without explaining) that alternative methods do exist for Macs, like my iMac Pro, which don’t have any built-in support for biometric authentication. One thought that has struck me since is that Unlock with Apple Watch might provide a good alternative, if you have a suitable watch.
  What I experienced was that, having set up a Passkey on that account using an M1 MBP with its Touch ID, when I tried to authenticate using the Passkey on my iMac Pro, I just hit a wall that was expecting a hardware key as it didn’t have biometrics. There seemed no way out, but that’s on macOS 12.6 and Safari 16, so may change with Ventura.
  As I wrote, these are early days and issues like this will undoubtedly be sorted out. But for the moment, the most reliable Passkey support is on Macs (and devices) with Touch ID or Face ID.
  Howard.
  
  LikeLiked by 1 person
  - 24
    
    Ed on September 15, 2022 at 1:43 am
    
    Ah yes, I was imprecise: the M1 Mini does support biometrics but has no built-in way to authenticate (I don’t have the keyboard).
    
    LikeLiked by 1 person
    - 25
      
      hoakley on September 15, 2022 at 5:38 am
      
      In that imprecision, though, you made me check its support carefully, which was valuable, thank you.
      Yes, I too bought an M1 Mac mini before Apple offered keyboards with Touch ID support, and I don’t think I would have paid extra anyway, at that time. Although replacing a keyboard may not be a popular move, at least it’s cheaper than the whole Mac. The other important thing is that all Apple silicon Macs support biometrics, whereas no Intel model does. And I’m pretty sure it doesn’t work over Universal Control either.
      It will be interesting to see how this works out as Passkeys become more widespread.
      Howard.
      
      LikeLiked by 1 person
26

Ed on September 14, 2022 at 5:42 pm

As a long time user of SSH keys this feels very natural, and logical. The main difference is that now there is a key pair for every service, where once I had only one. Automated key management & selection, and storage in the secure enclave, make that extra layer of security by compartmentalisation possible.

LikeLiked by 1 person
- 27
  
  Milo on September 15, 2022 at 1:49 pm
  
  I’m not an expert for FIDO2, but after reading many tutorials, my understanding is, that there is only one public/private key pair per device. That’s just a technicality of course.
  
  LikeLiked by 1 person
  - 28
    
    hoakley on September 15, 2022 at 1:57 pm
    
    When you’re using hardware devices, I think that’s true. However, as far as I can see macOS will create a fresh Passkey for each service.
    Howard.
    
    LikeLike
    - 29
      
      Milo on September 15, 2022 at 2:33 pm
      
      That’s interesting. I’m looking forward to learn more about Apples implementation. I also hope it will be interoperable with other browsers like Chrome or Firefox.
      
      LikeLiked by 1 person
    - 30
      
      hoakley on September 15, 2022 at 9:32 pm
      
      Thank you.
      There’s a full API available in Monterey and later, so there’s no reason why other apps on macOS shouldn’t take full advantage of it.
      Howard.
      
      LikeLike
31

Milo on September 15, 2022 at 2:44 pm

Excellent write up. Just wanted to add, that there are two types of login flows. One where the user has to identify to the service by providing a username (e.g. but not necessarily an email). With the other method the Passkey service will automatically provide the username to the service. In the spec those are called “discoverable credential” and “non-discoverable credential” respectively.

LikeLiked by 1 person
- 32
  
  hoakley on September 15, 2022 at 9:33 pm
  
  Thank you – yes, that much was apparent in Safari.
  Howard.
  
  LikeLike
33

Jeroen Teeuwisse on September 15, 2022 at 5:12 pm

What makes me a bit reluctant to use passkeys (despite all the obvious advantages) is how I would be able to log in to websites, while using e.g. a friends’ Windows computer or some public computer. At the moment I am using 1Password, and as long as I’m logged into their site (assuming for a moment that I do not have my phone with me), I can log into any site I want (any site where I’m a registered user).
Would I have setup a passkey for a particular site, I would not be able (I think, or at least that is my fear) to log in at this site (sitting at my imaginary Windows-using friends computer).

LikeLiked by 1 person
34

Steve Nicolai on September 16, 2022 at 12:22 am

>The other important thing is that all Apple silicon Macs support biometrics, whereas no Intel model does.

Don’t all the T1 and T2 Intel Macs have the necessary hardware for Passkeys? They work with Apple Pay, which uses the Secure Enclave also. They also have the fingerprint sensor.

LikeLiked by 1 person
- 35
  
  hoakley on September 16, 2022 at 5:46 am
  
  Thank you.
  All Intel Macs with a Touch Bar support Touch ID, as that’s one of the most important features of the Touch Bar. But iMac, mini, even Mac Pro without integral keyboards can’t currently use an Apple keyboard with Touch ID support, it appears – those keyboards are apparently only compatible with Apple silicon Macs.
  So while even T1 chips are capable of supporting Touch ID, only some T2-equipped Macs do. And without a T1/T2, you could only use third-party biometrics.
  More here about this on Sunday morning.
  Howard.
  
  LikeLike
36

A.Z. on September 19, 2022 at 11:38 am

What about passkeys backups?

LikeLiked by 1 person
- 37
  
  hoakley on September 19, 2022 at 12:12 pm
  
  Passkeys are stored in the login keychain, so are backed up with that keychain. Currently they’re not identified as Passkeys there, but one day might be.
  Howard.
  
  LikeLike
  - 38
    
    Banff on September 24, 2022 at 3:40 pm
    
    Howard, I had intended to reply to you with my two recent posts from a few hrs ago. Would you have a look at these posts below? Thank you.
    
    LikeLiked by 1 person
    - 39
      
      hoakley on September 24, 2022 at 4:40 pm
      
      Sorry, this is the one day each week I try to spend time with my family – I’ve responded now.
      Howard.
      
      LikeLike
40

Banff on September 24, 2022 at 10:45 am

As the industry and Apple’s rendition of passkeys finalizes and matures (together with ongoing iOS/iPadOS and Apple mobile hardware advances), could you envision iCK backups ever being done on iPhone/iPad or iPad Pro (in addition to macOS machines)? Too bad it couldn’t be done as part of iCloud backup, but then passkeys are end-to-end encrypted and don’t fit that data type. One reason I ask is that although my family is 100% Apple ecosystem, I have always been the single point of failure when it comes to using/maintaining/protecting macOS and macOS production machine. Rest of the family is ‘mobile only’ for good reason (none are inclined toward any form of geekishness). Secondly, it seems (to me) that there needs to be a plan B for the many millions of iPhone/iPad owners that have no interest in macOS machines, many of whom also probably have no thought about the possibility of passkey data corruption [ I have my own ways and means of backing up our usernames and passwords]. In that (passkeys) regard, are we/they all potentially sitting ducks? I would appreciate your perspective.

LikeLiked by 1 person
- 41
  
  Banff on September 24, 2022 at 11:20 am
  
  I would also like to acknowledge that, yes, paper is the best original and/or backup. I keep quite a number of my accounts on paper. I really don’t like going down this path of sign-in credentials, file mediums, etc. ( I can easily get lost in the weeds). All the more reason and appreciation for your clarity as related to passkey backups.
  
  LikeLiked by 1 person
  - 42
    
    hoakley on September 24, 2022 at 4:39 pm
    
    For some data, that can be true. I hold Apple certificates with which I sign my software. There’s no way to back those up on paper either, so maybe we just need to accept that paper is no longer the single solution it used to be?
    Howard.
    
    LikeLike
- 43
  
  hoakley on September 24, 2022 at 4:37 pm
  
  Thank you.
  I don’t know. I can tell you how to back up your iCloud Keychain in macOS, but there’s nothing comparable in iOS/iPadOS as far as I know. But I’m no expert on devices.
  That said, I’ve never had to use a keychain backup.
  Howard.
  
  LikeLike
44

Michele Galvagno on September 25, 2022 at 12:37 pm

If I understood correctly, Passkeys are setup once for each website requiring a password, either during registration or by going to one’s account. It is not something that you enable globally beforehand. Thank you

LikeLiked by 1 person
- 45
  
  hoakley on September 25, 2022 at 12:40 pm
  
  That’s correct. So long as you’re running compatible apps like Safari 16, just go ahead and start trying to set services up to use them.
  Howard
  
  LikeLike
46

Michele Galvagno on September 25, 2022 at 1:20 pm

Last question, sorry: I am running Safari 16 on macOS 12.6. If I do not see the option it is because the website has not been updated to use it?

LikeLiked by 1 person
- 47
  
  hoakley on September 25, 2022 at 2:15 pm
  
  Currently, you’re unlikely to be given the option when creating a new account, but it’s an option you have for an existing account. Once set up using a password, you can access your account’s settings, and there may find different methods for authenticating to the account. Passkeys might in future be given there explicitly, but in current sites they might use the same as a hardware key (which uses the same protocols), or biometrics such as Touch ID or Face ID. The site help info may give more help.
  In the first instance, I recommend setting Passkeys up as an alternative to password authentication, or if that’s not available you can use them as an alternative means of 2FA, which is rather neat.
  Howard.
  
  LikeLiked by 1 person
48

Jolin on October 11, 2022 at 9:40 am

Howard, excellent write-up as usual, a great reference to point people to. One note, though – you say BestBuy is the most prominent early adopter. I’ve been using passkeys to sign in to eBay for the last year, until recently with Safari 15. eBay is available in multiple countries, so probably more relevant for more people if they want to try it out.

LikeLiked by 1 person
- 49
  
  hoakley on October 11, 2022 at 4:20 pm
  
  Thank you.
  I’m delighted that you’ve had success with eBay. The number of sites and services is growing every day – BestBuy was just a convenient early-adopter. Each has their own way of presenting the option, and I don’t think any yet offers it as the first primary means of logging in, so its has to be set as an option on an existing account.
  Howard.
  
  LikeLiked by 1 person