Explainer: Passwords and passkeys

This article explains how passwords and their replacement passkeys (‘WebAuthn’) work.

Passwords

When you create your password, the characters you enter for it are sent via TLS secure connection to the server. That server then applies a hash function to that password, and stores its hash, not the password. When a cryptographic hash function is used correctly, it should ensure that it’s not practically possible to discover your password from its hash.

When you try to connect to the site, your Mac sends your username (typically your email address) and password over TLS to the server. The server applies the same hash function to those characters, and compares that with the stored hash value for that username account. If they match exactly, then your authentication is complete, and you can access that site as that named user.

Several problems can result. Sometimes, servers store unhashed passwords, a major security failing, or the hash function used is weak, making it feasible to work out original passwords. The biggest shortcoming with passwords, though, is that anyone with your password has full access to your account, hence the widespread use of two-factor authentication (2FA), essentially an admission that passwords themselves aren’t sufficiently secure in the first place.

Passkeys

Each passkey consists of two keys (extremely large integers), one kept private, the other public. Although generated as a pair, it’s not feasible to discover the private key from the public one, ensuring that the private key remains secret.

When you create your passkey-protected account, your Mac creates a new pair of keys to be used only for that account, and the server is given only the public key, which it stores in your account record. While that can still include a username, your public key is sufficient to identify you from others.

When you try to connect to the site, your Mac identifies you, either using your username or public key, and sends your public key to the server. The server then sends your Mac a cryptographic challenge, which requires it to use its private key to generate a response that the server can recognise as coming from the same source as your public key. Access to your Mac’s private key is only provided following successful local authentication, which normally involves biometric identification by Touch ID (or, for devices, Face ID), although there are alternatives for Macs that don’t support Touch ID. The server checks your Mac’s response, and if it matches that expected, your authentication is complete, and you can access that site as that user.

Two-factor authentication should never be necessary, particularly when biometric identification is used to control access to the passkey.

Fallback

There’s nothing more comforting than a little book containing all your usernames and passwords, and passkeys can’t provide that. Even if you had access to your private key, writing it down on paper is hardly a practical solution, and there’s no facility to generate the public key from that anyway. However, it’s the very convenience of passwords which is their undoing: if you or anyone else can enter your password, the protection it provides is too easy to defeat, hence the proliferation of 2FA.

The best way to ensure that you’ll not lose access to a passkey is to share it, in its keychain, in iCloud. That ensures your other Macs and devices can also use that passkey, and use your account. However, that doesn’t provide for the situation in which all Macs and devices that can access that passkey are lost, or unavailable, something covered by iCloud keychain escrow.

Apple describes this in detail in its account of the security of passkeys. In essence, this provides a recoverable keychain to which only the user has access (making it separate from normal iCloud Recovery).

To recover a keychain, the user logs into their iCloud account with their normal Apple ID and password. That triggers 2FA, sending a message to their registered device with a PIN to be entered. Once past that barrier, the user then has to enter the device passcode. Only ten attempts are permitted before the escrow keychain is locked, and the only way any more attempts are allowed is following approval by Apple, otherwise the escrow record will be destroyed. There’s also an option to set up an account recovery contact who can ensure you retain access to your account even when you’ve forgotten your Apple ID password or device passcode.

Bear in mind that Keychain in iCloud, and iCloud keychain escrow, are available anywhere in the world with Internet access. They don’t rely on the physical existence of paper records, nor can they be burned, stolen or mislaid.

8Comments

Add yours

1

Maurizio on October 22, 2022 at 7:29 am

Hello Oward , i am very pleased with this series of articles regarding the keychain. A small detail remains, I should have taken advantage of the first explainer post. You would be kind enough to describe the structure of the directory of ~/library/keychains ? i noticed that the webpassword are no more store on the login.db but are stored in a separate db inside a directory that match the hardware id. How do you migrate thoose db in a new machine whit a different hardware id ? Just copy all the db and the wal overwriting those contained on the directory structure on the new machine ?

Thanks for reading

LikeLiked by 2 people
- 2
  
  hoakley on October 22, 2022 at 9:28 am
  
  If you can, you’re better using Migration Assistant to do that. Web passwords have moved out of the login keychain a while ago, AFAIK. The other really simple solution, although it doesn’t work for certificates, is to share keychains in iCloud. But copying keychains in the old way may cause problems now.
  Howard.
  
  LikeLiked by 1 person
3

Maurizio on October 22, 2022 at 9:42 am

thanks a lot for the prompt answer. Please forgive me for the missing H 🙂

LikeLiked by 1 person
- 4
  
  hoakley on October 22, 2022 at 2:11 pm
  
  No problems.
  Howard.
  
  LikeLike
5

DaveG on October 22, 2022 at 2:03 pm

Is there any provision for shared accounts such as a couple who maintains a single account at a store? Obviously, each store can implement groups that act but many will not.

Separately, it appears the recovery path assumes you still have a working device that authenticates but that is one major scenarios where you need recovery or am I missing something?

Thanks as always for the great informative articles.

LikeLiked by 1 person
- 6
  
  hoakley on October 22, 2022 at 2:11 pm
  
  Thank you.
  Well, if a site or service allows more than one person to access an individual or joint account, that’s a matter of enabling that and providing separate logins for the two users, who should then be able to have their own passkeys. More generally, I think that’s something that sites and services will need to address individually.
  As for the recovery path, you still need a working device in any case, to be able to access anything online. In the event that your sole device is destroyed or lost, your first task is to get a replacement and go through with Apple the job of connecting it to your iCloud account. As you’ve no means of completing 2FA without that, it’s the same issue before you can gain access to anything.
  Howard.
  
  LikeLike
7

marc on October 22, 2022 at 4:06 pm

Thank you for your very informative article on passkeys. They sound like a very useful feature in Ventura. Is there any backward compatibility? If one cannot or does not want to update all computers to Ventura (or devices to iOS16), can one still use a mix of passkeys and passwords? (I apologize if you covered this in one of your earlier articles.)

LikeLiked by 1 person
- 8
  
  hoakley on October 22, 2022 at 8:47 pm
  
  Thank you.
  I have good news for you: although Apple has made great play of passkeys in Ventura, it’s already available in Monterey with Safari 16. The API is actually available for macOS 12 and later, so there’s no reason that you can’t start migrating already.
  Yes, different services allow mixtures of passwords and passkeys. One neat use for starters is staying with your current password, but adding a passkey as one of the allowed methods for 2FA.
  Howard.
  
  LikeLike

Share this:

Related