For many users, passkeys might in fact be the best thing ever, depending on how passkey access is secured. They really do look like a good idea.
But... the reality might differ for some of us.
Apple has unveiled its version of passkeys, an industry-standard replacement for passwords that offers more security and protection against hijacking while simultaneously being far simpler in nearly every respect.
You never type or manage the contents of a passkey, which is generated when you upgrade a particular website account from a password-only or password and two-factor authentication login. Passkeys overcome numerous notable weaknesses with passwords:
- Each passkey is unique—always.
- Every passkey is generated on your device, and the secret portion of it never leaves your device during a login. (You can securely sync your passkeys across devices or share them with others.)
- Because passkeys are created using a strong encryption algorithm, you don’t have to worry about a “weak” password that could be guessed or cracked.
- A website can’t leak your authentication credentials because sites store only the public component of the passkey that corresponds to your login, not the secret part that lets you validate your identity.
- An attacker can’t phish a passkey from you because a passkey only presents itself at a legitimately associated website.
- Passkeys never need to change because they can’t be stolen.
- Passkeys don’t require two-factor authentication because they incorporate two different factors as part of their nature.
After a test run with developers over the last year, Apple has built passkey support into iOS 16, iPadOS 16, macOS 13 Ventura, and watchOS 9, slated for release in September or October of this year...
MPG: see also the Apple developer video on passkeys.
I have my doubts about just how well this will work in reality. Note the “built passkey support into iOS 16, iPadOS 16, macOS 13 Ventura...” thing: what about macOS Monterey, and macOS Mojave and older/other OS versions? Doesn’t exist.
How exactly can you adopt passkey technology without “upgrading” every last one of your computers and devices? The slick Apple video does not speak to that. It seems like a lie of omission.
The whole discussion neglects the reality of devices that are not running the latest and greatest operating system, e.g., devices that have no passkey support. Simple: buy all new Apple devices and computers, throw away all your old software, and you will be Happy. Not.
Here are my concerns, many stemming from Apple’s repeatedly proven disdain for backward compatibility:
- What happens if you misplace your phone? How would you log in at all?
- What happens when the phone is stolen and the thief has your phone passcode... now you have even more automation for stealing your money and digital life thanks to the real-world security incompetence of Apple.
- Major inconvenience across my Macs without submitting to iCloud syncing, which I loathe for its past unreliability. But maybe it will work great 100% of the time?
- Apple has in the past destroyed interoperability by requiring “upgrades” to the current macOS for iCloud syncing. How can I sync when I have various macOS versions which demand an upgrade and I don’t want to upgrade?
- What about the future, will passkeys suddenly fail to work because I have not performed some required upgrade? Or just cannot sync because iCloud won’t sync with an older OS?
- The QR code based compatibility mode (about 4:42) looks misleading—that capability does not exist on older Macs such as my 2019 iMac 5K running macOS Mojave. It seems to be a case of “upgrade everything and see how great it works”. But I don’t want to “upgrade” many of my Macs—ever.
- I keep notes and such with various accounts; passkeys don't have that from what I see.
- I dislike the idea of having iPhones and iPads the center of my security life.
- I dislike syncing security info to a cloud server no matter what claims are made about it, see for example LastPass Shares Details of Connected Security Breaches. And when Apple cannot get its act together on VPN.
Anon MD writes:
First, Happy New Year!
Second, I could not agree more with your comments about the feckless morons who design the website security theater. Your username is your active email address??!?!? I mean, come on. So that’s a free one for the opposition. And then the questions, like what city were you born in? Well, that’s available on the internet without much effort. Same as half the other stuff. Things like what’s your favorite movie might seem difficult, but there are a finite number of movie titles out there and it would take maybe a couple of milliseconds to attempt all of them in a brute force attack.
One thing I do like with my bank is their requirement that you select an image as part of your security package. So that image is projected back at you when you log in. Presumably the bad guys can’t phish that image because it does not reside on your computer. But who knows? Even that probably has security flaws.
The worst is the stupid password bullshit I have to put up with for access to my medical office computers, our server farms, and the electronic medical records software (all mandated by the US government, of course). When I go to work I have to do UN and PW just to access the individual workstation (and the UN and PW are different for every workstation in the office), then another UN/PW to access the server farms (one EMR system is on one farm and the other older EMR that actually has useable patient info that was never able to be ported over to the new EMR is on another server farm), then another login to access each EMR program itself. Only everything logs you out after ten minutes and then you have to go through the whole fucking exercise of 4-5 UN/PWs all over again all day long. To make it even halfway workable all our staff knows the doctors’ UN/PWs. Otherwise we would never get anything done.
And then even worse, the software “engineers” who are so bad they can’t get a job with Amazon or Google think they are brilliant because they require you to change your password every 90 days. So to have any hope of ever remembering anything and actually getting any work done, you just recycle your passwords like this: “Cl@sterF@ck1”, “Cl@sterF@ck2”, “Cl@sterF@ck3”, etc. So when staff can’t log in to my portal they know to just increment the current password by +1 and they are usually good to go.
The only saving grace is that one program will accept a fingerprint scanner to log you in, and that actually works really well. Of course all the other programs will not work with the fingerprint scanner, for unknown reasons.
This is so bad as to be a not so funny joke.
And forget being able to use a password manager program on a shared office computer where all the workstations are shared.
So in order to get any real work done other than documenting in the electronic medical record, if I have to do a medical search or a calculation for say intraocular lens implant power calculations, all that happens on my personal laptop with my own personal memorized login and my personal websites whose passwords are all 20-24 random character passwords stored in 1Password.
And my master passwords are only on paper in a location known only to my executor and one other family member.
So I personally feel pretty secure in my own computing environment. God help the office environment, though. They are a gnat’s eyelash away from being phished or hacked or whatever, mostly due to their asinine “security” requirements.
Passkeys could bring an end to this catastrophe, but first they would have to be accepted by the federal government and then the feds would have to change policy to allow them to be used in the medical arena. By which time I will probably be dead and besides, the feds would probably require that the process work only with Internet Explorer 6.
Maybe 2023 will be better.
MPG: I so enjoyed reading this. :)
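The “increment the last digit” rotation that Anon MD describes is exactly what forced 90-day password changes produce, and it is trivially detectable. The following is an added example (not code from the letter or from any product named on this page) of a password-change check that rejects a new password whose stem matches the old one or that is within a couple of edits of it. Function names are assumptions; the sample passwords are the ones from the letter. Such a check can only run at change time, when the user supplies both the old and the new password in the clear, since stored hashes cannot be compared this way.

```javascript
// Added example: reject trivially rotated passwords at change time. Names are assumptions.

// Strip trailing digits and common trailing symbols and fold case, so that
// "Cl@sterF@ck1" and "Cl@sterF@ck2" reduce to the same stem.
function stem(pw) {
  return pw.replace(/[0-9!@#$%^&*._-]+$/, '').toLowerCase();
}

// Standard Levenshtein edit distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// True when the new password is a trivial rotation of the old one: same stem,
// or within maxEdits case-insensitive edits (catches +1 increments and one-character swaps).
function isTrivialRotation(oldPw, newPw, maxEdits = 2) {
  if (stem(oldPw) === stem(newPw)) return true;
  return levenshtein(oldPw.toLowerCase(), newPw.toLowerCase()) <= maxEdits;
}

// Policy hook: returns a reason string, or null if the change is acceptable.
function checkPasswordChange(oldPw, newPw) {
  if (newPw.length < 12) return 'too short';
  if (isTrivialRotation(oldPw, newPw)) return 'too similar to the previous password';
  return null;
}

// Constructed sample inputs, taken from the pattern in the letter.
console.log(checkPasswordChange('Cl@sterF@ck1', 'Cl@sterF@ck2'));          // too similar
console.log(checkPasswordChange('Cl@sterF@ck1', 'correct horse battery')); // null (accepted)
```

The check only limits the damage of a rotation policy; the better fix is not to force periodic changes at all (NIST SP 800-63B advises verifiers not to require them absent evidence of compromise), which removes the incentive to increment in the first place.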