hoakley September 18, 2022 Macs, Technology

Last Week on My Mac: Passkeys and biometrics

Last week’s big adventure was trying out Passkeys from both Ventura and Monterey 12.6 with Safari 16. Finding suitable sites was an interesting exercise in itself, and I give full credit to Best Buy for leading the pack.

Biometrics

What came as a surprise was trying to use my shiny new Passkey, created in Ventura on an M1 MacBook Pro, from my (Intel) iMac Pro. Although Apple’s limited documentation refers vaguely to alternative methods being provided for Intel Macs, as many lack support for Touch ID, I wasn’t expecting to see this alert.

passkeys01

I was so taken aback that, when I wrote the first draft of my article explaining Passkeys, I stated that some form of biometric authentication was going to be required. While there are options available on Intel Macs, such as signing in using your Apple Watch, I can’t believe that those will be necessary. Apple must have better alternatives, surely?

What should have happened is hinted at in the window shown by Safari on an Apple silicon Mac, with support for Touch ID.

passkeys04

On my iMac Pro, I should have been able to go to Other Sign-In Options, and pick an alternative.

As I keep saying, these are early days for Passkeys. Although the API required to support them is available in Monterey, and I’m fully expecting someone to tell me that they can use them in Safari 15, Apple has announced them as a feature new to Ventura. That might send the message that what we’ve got now in Monterey isn’t as finished as we might wish.

A requirement for full-blown biometric authentication would be severely limiting. While there are third-party systems available, Intel Macs with a T2 chip and its secure enclave don’t all support Touch ID. Apple silicon notebooks all include it in their built-in keyboard, and all Apple silicon Macs are compatible with Apple’s Magic Keyboards with Touch ID. If you have an Intel Mac notebook with a T1 or T2 chip, then its integrated Touch Bar does support Touch ID, but no other Intel Macs, even those with T2 chips, currently have support for it.

Unfortunately those of us who bought M1 Mac minis before Apple released keyboards with Touch ID would have to buy a new and more expensive keyboard to enable Touch ID support. Those first came bundled with the M1 iMac in May 2021, but weren’t available separately until August 2021, a full nine months after the mini started to ship. In any case, according to Apple they’re only compatible with Apple silicon Macs, and can’t be used for Touch ID on any Intel model.

They are also significantly more expensive: the cost difference for an ordinary-size Magic Keyboard is around $/€/£ 50, and for a Magic Keyboard with Numeric Keypad it’s $/€/£ 70. Quite why the additional key is so much more expensive on the larger keyboard defies simple explanation. For Ventura to make Passkeys generally successful, Apple needs to make non-biometric means of using them, accessible to those Macs without Touch ID.

Passwords and Passkeys

The other important matter arising with Passkeys is whether you should use them alongside passwords, or instead of them, a question raised on Twitter and by those commenting here.

Passkeys are nothing if they can’t address the security shortcomings of passwords. If we’re still prone to phishing and the consequences of site breaches, then Passkeys just add another layer of complexity and potential failure. If you leave an account set so that you can access it with either a Passkey or password, then it’s only as secure as the weaker of those two systems, passwords.

Suppose you allowed access to your Amazon account by either method. Then one day you received an email from Amazon informing you that there was a problem with Passkey access, and asking you to click a link and enter your username and password to ensure your Passkey access was enabled again. What better way to steal those credentials before handing you on to your normal Passkey sign-in? Of course, none of us would ever be caught by such an obvious phishing attack, but many would.

As long as you can access that account using a password instead of a Passkey, its security is only as strong as the weaker of the two methods. It’s a good move to leave both available until you have established the reliability of Passkey access on each of your Macs and devices with that particular service. Once you’re happy that it works reliably, go back to your account and disable password authentication completely, so relying on the Passkey alone.

It might seem that you’re doing yourself a favour keeping password access as well. In reality the only person you’re doing a favour to is the one you don’t want to steal your credentials and thereby access your account. They most certainly don’t want you to switch to Passkeys.

17Comments

Add yours

1

Alan Ralph on September 18, 2022 at 9:46 am

I currently use Bitwarden for my various logins and two-factor authentication but I am watching Passkey developments with interest. I would love a world where we no longer need to generate and keep safe strong passwords, but I suspect there will be a long transition period and lots more mischief from those looking to steal accounts for their own gain.

LikeLiked by 2 people
2

Dakotamoons on September 18, 2022 at 1:40 pm

Fascinating. Much appreciate the heads up on the good, the bad, and the ugly, re PassKeys, so as always, thank you Howard for keeping us so well informed and presenting all sides to this new security methodology.

LikeLiked by 1 person
- 3
  
  hoakley on September 18, 2022 at 6:58 pm
  
  Thank you.
  Howard.
  
  LikeLike
4

Alexander Celeste on September 18, 2022 at 3:07 pm

Yes, as you seem to have expected, Passkeys were, technically, available in Safari 15 as a feature you could enable in the Develop menu. I started testing them back then as soon as I decided to plunge and get a new keyboard for my M1 Mac mini, although they did not seem to be syncing. They were referred to as “platform authenticator”, which technically they still are in Webauthn terminology.

Thanks also for the Best Buy hint… As of now that is the only external account I can log in to purely with a Passkey. I say external, because as a web developer I have begun figuring out how to do the same kind of passwordless login on my own test WordPress sites, though that (the WP Webauthn plugin) is far from ready to be on production sites as it currently interferes with the Two Factor feature plugin.

LikeLiked by 1 person
- 5
  
  hoakley on September 18, 2022 at 6:58 pm
  
  Thank you.
  Howard.
  
  LikeLike
6

Harald Striepe on September 18, 2022 at 6:18 pm

Given their lack of compatibility with older systems (I still have an Air backup running High Sierra and a Mini limited to Catalina,) still a no-go!

LikeLiked by 1 person
- 7
  
  hoakley on September 18, 2022 at 7:01 pm
  
  Ah. Sorry about that.
  Howard.
  
  LikeLike
8

moiraine on September 18, 2022 at 6:42 pm

Another “backup” option might be to use a physical FIDO2 key like the yubikey, some of them support nfc/lightning and may also be use on iOS devices.

LikeLiked by 1 person
- 9
  
  hoakley on September 18, 2022 at 7:04 pm
  
  Thank you.
  Yubikeys, although similar in many respects, are quite different. I’ve just scoured their docs, and it’s clear that, for the moment at least, Yubikeys and Passkeys are widely separated, and neither can work with the other. Yubikeys seems more interested in enterprise markets, high-value settings like banking. I don’t think that have much interest in selling millions of cheap dongles as might be needed to make Passkey support worth their while.
  Maybe someone else will see this opportunity.
  Howard.
  
  LikeLike
- 10
  
  Milo on September 19, 2022 at 1:08 pm
  
  According to Yubico, the creator of the Yubikey, most recent hardware keys offer support for FIDO2 passwordless credentials. Safari on macOS and iOS has support for the full FIDO2 spec now too. The only exception being the iPad, because it does not have NFC, and the USB-C drivers don’t support security keys (yet?). Therefore, Yubikeys should work on every service where Passkey is advertised. Unless Apple diverged from the spec in a meaningful way, which I doubt.
  
  LikeLiked by 1 person
  - 11
    
    hoakley on September 19, 2022 at 2:19 pm
    
    Er no. Yes, they’re FIDO2 compliant, but they work very differently. You’ll find useful distinctions in this article.
    Yubikeys are hardware keys, in which a single (usually) key pair is generated in the key, can’t be copied elsewhere (the private key is locked in the key’s secure enclave), and can’t be overwritten, or written to except by the key itself. Their most common purpose is to provide a secure means of signing on to a computer, or accessing its main services. They don’t work with keychains, or iCloud, and apps which support them do so through a specific API for hardware keys. They also work slightly differently when connecting.
    Passkeys are purely software, in which multiple key pairs are generated by the computer or device and stored in a keychain, which can be shared in iCloud. They can also be transferred using QR codes. Their most common purpose is to provide authentication for online services, and can’t be used to log on to the Mac or device. They don’t work with hardware keys, and have a specific API for Passkeys. They can connect to services more directly than hardware keys.
    I look forward eagerly to your demonstrating how you saved one of your Passkeys to your Yubikey, and so were able to use the Yubikey to authenticate from another Mac without sharing its keychain.
    Howard.
    
    LikeLike
    - 12
      
      Milo on September 19, 2022 at 3:45 pm
      
      I agree that Passkeys are more convenient for Apple users who already sync their credentials using iCloud. My point is that as long as Passkey adheres to the FIDO2 spec, which it seems to do, everywhere where you can use Passkey, hardware keys will work as well. That’s the purpose of a spec and why companies like Apple/Google/Microsoft etc. agreed on a standard.
      
      I think in the future it will be possible to register multiple keys with services for the purpose of authentication. This is already common when you use hardware keys as a second factor. This way you will be able to enroll your Mac’s Passkey and additionally a hardware key (e.g. as backup).
      
      The fact that you can’t extract a copy of your private key from the hardware is actually a feature in my opinion. This way you can be reasonably sure your keys are safe when you use it on a device that you don’t fully trust. Of course, you should have a plan how to restore access to your account in case you lose the key.
      
      LikeLiked by 1 person
    - 13
      
      hoakley on September 19, 2022 at 4:10 pm
      
      Thank you, but you’re tackling a completely different issue. Yes, sites which support the use of Passkeys should also support the use of hardware keys – that’s already true, and for some sites the way that you get one to work is to configure the other.
      However, look back to the comment that I was responding to, and it was about using Yubikeys as “backups” for Passkeys. I think it’s very clear that you can’t, and unless Yubikeys change considerably, they will never be able to back up single or multiple Passkeys. Of course, you could use them as an alternative, but that’s hardly going to be popular, as a single Yubikey, with a single key pair, costs around $40. Passkeys and iCloud cost around $0 for unlimited storage of Passkeys. I think I know which the vast majority of Passkey users will opt for. You are and will be unable to use both without pre-configuring your sign-on for both. That’s not a ‘backup’ but a costly alternative.
      Howard.
      
      LikeLike
    - 14
      
      Milo on September 19, 2022 at 4:06 pm
      
      To add to my last comment. Having a backup hardware key for logins to your most important services could be a lifesaver under some circumstances. Say you’re on a long vacation and your phone gets stolen or just breaks. With a hardware key that is enrolled with your most important accounts you will still be able to access your email or maybe social media accounts from a friends’ computer. Even on a Windows PC or god forbid a Linux workstation 😉. Back at home you can then still use your Passekey that are saved on your Mac in your Keychain.
      
      LikeLiked by 1 person
    - 15
      
      hoakley on September 19, 2022 at 4:12 pm
      
      “your phone gets stolen or just breaks”
      Simple. You need a replacement phone anyway, which you just sign on to your iCloud account, which you have to anyway to be able to use it to do all the things you need a phone for. Once signed onto your iCloud account, you then have full access to all your Passkeys. Far more convenient, and you’ve saved yourself $40.
      Howard.
      
      LikeLike
    - 16
      
      Milo on September 19, 2022 at 4:45 pm
      
      “Simple. You need a replacement phone anyway, which you just sign on to your iCloud account, which you have to anyway to be able to use it to do all the things you need a phone for.”
      
      But how do you sign in to your iCloud on your new phone when you can’t receive 2FA codes on a trusted device (it’s gone or broken). SMS codes are also not an option because the SIM is gone (stolen phone) or you can’t switch SIM cards because you had an eSIM (broken phone).
      
      With the hardware key you can even sing in to many accounts on your iPhone because the key can comunicate with the phone through NFC!
      
      I still think for some users a hardware key in addition to Passkey is a good choice (even if it’s a small minority). I’m happy I’ll have this option in the future for sure!
      
      LikeLiked by 1 person
    - 17
      
      hoakley on September 19, 2022 at 10:09 pm
      
      If you go anywhere for more than a couple of days, you always take another Mac or device which is also trusted. Look at it this way:
      iPhone + Yubikey = preserved access to a few sites which accept dual credentials, a Passkey and a hardware key; no access to iCloud at all.
      iPhone + secondary device = preserved access to all sites using Passkeys, and full access to iCloud and other Apple services.
      Thinks for a moment…
      Howard.
      
      LikeLike