Raise your hand if you hate entering passwords. Okay, now keep your hand raised if you happen to use the same password for multiple accounts or services. Yes, lots of people do this, and it’s a leading cause for users getting hacked.
Think about it. If someone can obtain your password for a single service — either through a data breach, social engineering, or a phishing attack — your identity and personal information could be compromised. This can lead to anything from people spying on baby cameras to hackers stealing money from your bank account.
Yes, there are alternatives to manually entering passwords, such as the best password managers, but they can still leave users vulnerable. Now Apple, Google, Microsoft and others have banded together via the FIDO Alliance to try to replace the password for good. And Apple’s implementation is called Passkeys, which is coming this fall in iOS 16, macOS Ventura and iPadOS 16.
In an exclusive Tom’s Guide interview, I had a chance to speak with Kurt Knight, senior director of platform product marketing at Apple, and Darin Adler, VP of internet technologies at Apple, about how Passkeys work and how they could truly make passwords a thing of the past.
What the heck are Passkeys and how do they work?
Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server, and stay on your device. The best part? Hackers can’t steal Passkeys in a data breach or trick users into sharing them.
“Passwords are key to protecting everything we do online today, from everything we communicate to all of our finances,” said Knight. “But they’re also one of the biggest attack vectors and security vulnerabilities users face today.”
That’s why Apple has been pushing so hard for an alternative. Passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.
Other companies have tried to replace passwords with dedicated hardware, like a physical security key, but that was mostly focused on enterprise users; it also added another layer of complexity. Passkeys have a real shot to take off because they leverage a device you already have.
Passkeys are based on what’s called public key cryptography. There’s a private key, which is secret and stored on your device, and there’s a public key that goes on the web server. Passkeys make phishing impossible because you never present the private key to anyone; you merely prove you hold it by authenticating on your device.
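To make the public-key idea concrete, here is an added, self-contained model of the pattern FIDO-style credentials follow; it is illustrative code written for this article, not Apple’s or the FIDO Alliance’s implementation. The site names (“bank.example”, “bank-login.example”), the user name “alice” and the Authenticator/Server types are constructed for the example. The private key is generated on the “device” and never leaves it; the server stores only the public key and checks a signature over a fresh random challenge bound to its own site identity. A look-alike site that relays the real challenge gets nothing usable: the browser reports the look-alike domain, so the device either has no matching passkey or produces a signature the real site rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the on-device credential store: one private key per
// relying party (site). Private keys are created here and never leave this struct.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for rpID and hands back only the
// public key, which is all the server ever stores (and all a breach could leak).
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage binds each signature to both the site identity and the
// server's one-time challenge, so it cannot be replayed elsewhere or later.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge for the site the browser says the user is on.
// The browser, not the user, supplies rpID, so a look-alike domain cannot
// borrow the credential registered for the real one.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// Server holds public keys only, keyed by user name.
type Server struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
}

// NewChallenge issues 32 random bytes; a signature is only accepted for a
// challenge this server minted.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against this server's own rpID and challenge.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(s.rpID, challenge), sig)
}

// Scenario runs a legitimate login and a relayed-challenge phishing attempt.
// It returns (legitimate login accepted, phished signature accepted).
func Scenario() (bool, bool, error) {
	auth := NewAuthenticator()
	bank := &Server{rpID: "bank.example", pubKeys: map[string]*ecdsa.PublicKey{}}
	pub, err := auth.Register(bank.rpID)
	if err != nil {
		return false, false, err
	}
	bank.pubKeys["alice"] = pub // constructed user name

	// Legitimate login: browser reports bank.example, signature verifies.
	ch, _ := bank.NewChallenge()
	sig, err := auth.Assert("bank.example", ch)
	if err != nil {
		return false, false, err
	}
	legit := bank.Verify("alice", ch, sig)

	// Phishing: a look-alike site relays the bank's real challenge. The browser
	// reports the look-alike domain, so the device has no passkey to use at all.
	ch2, _ := bank.NewChallenge()
	if _, err := auth.Assert("bank-login.example", ch2); err == nil {
		return legit, true, nil
	}
	// Even if the user had registered a separate passkey on the look-alike site,
	// its signature is bound to that domain and the real bank rejects it.
	if _, err := auth.Register("bank-login.example"); err != nil {
		return legit, false, err
	}
	relayed, _ := auth.Assert("bank-login.example", ch2)
	return legit, bank.Verify("alice", ch2, relayed), nil
}

func main() {
	legit, phish, err := Scenario()
	fmt.Println("legitimate login accepted:", legit, "| phished signature accepted:", phish, "| err:", err)
}
```

The two properties the article describes fall out of the structure: nothing secret is ever sent, so there is nothing to capture in a breach or a phishing form, and because the signed message includes the site identity supplied by the browser, a credential cannot be coaxed into authenticating the user to a site it was not registered with.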
“People almost always have phones with them,” said Adler. “Face ID and Touch ID verification give you the convenience and biometrics we can achieve with an iPhone. You don’t have to buy another device, but also you don’t even have to learn a new habit.”
Wait, what happens if you’re not using an Apple device?
Let’s say you sign up for a streaming service on your iPhone but need to log in on your Roku….