iOS Passkeys: What Every Developer Needs To Know
Apple has announced the impending release of their passkeys security system. They're going to release it with iOS 16 and macOS Ventura. The feature will be available on all up-to-date Macs, iPhones, iPads, and AppleTVs by September 2022.
iOS passkeys are a passwordless security system that promises to make life easier and more secure for users. It's safe to say that Apple will expect app developers to implement iOS passkeys quickly, and that users will demand support soon, too.
Let's look at what iOS passkeys are, how they work, and what you need to know to get them working in your applications fast.
What are iOS Passkeys?
Apple's passkeys are a standards-based technology that aims to replace passwords with a more secure alternative. They're Apple's implementation of the Multi-device FIDO credential on the client side, with WebAuthn on the server. The client side integrates support for the Apple device's biometric face and fingerprint sensors. If users are on a device that lacks these sensors, Apple's passkeys will authenticate users via their two-factor authentication system.
The passkeys are based on both W3C and FIDO standards and use public-key cryptography. Instead of relying on passwords, they use key pairs, which improve the underlying security.
When a user needs to register an account on a website or an app, Apple's OS generates a new unique key pair. The system saves the public key on the application server; since it's the public half of the pair, it doesn't require protection. But Apple keeps the private key secret, and it's what the user eventually uses to sign in to the application.
What is Passwordless Authentication?
Passwordless authentication verifies a user's identity with something other than a password. It's usually implemented with a biometric factor, such as facial recognition or a fingerprint, or with a secondary device, such as a phone or a YubiKey. It's considered more secure than passwords because passwordless authentication eliminates most of the weaknesses associated with them. Attackers can compromise passwords by stealing or sometimes even guessing them. Users are notorious for reusing passwords and creating weak ones.
Apple's iOS passkeys are an implementation of passwordless authentication. Users will authenticate themselves using devices and one-time passcodes.
What Are the Benefits of iOS Passkeys?
Extending Apple's face and fingerprint recognition beyond their devices to websites and third-party applications is already a significant benefit for users, but the benefits don't stop there.
Passkeys sync with iCloud Keychain, so as soon as a user creates a login on any one device, it is available on all their authenticated devices. Apple's keychain also acts as a cloud backup for passkeys.
Many users might be nervous about backing up their passkeys to the cloud. But Apple encrypts passkeys end-to-end in iCloud Keychain, so even Apple can't read them. A passkey represents a secure relationship between the user and the hosting application.
Each passkey is represented by a new public/private key pair, and iOS passkeys authenticate the server before supplying the key. So, an attacker cannot trick a user into logging into a fake site, rendering phishing attacks harmless against them. By using unique keys for each login, iOS passkeys eliminate entire classes of security issues, including weak passwords, reused credentials, and login information leaked via server breaches. For example, since servers only keep users' public keys, attackers can't steal passwords that are protected by a passkey.
How Do Passkeys Work For Users?
It's clear that for users, passkeys are easier to use than passwords. Let's examine how.
Creating a New Login
Creating a new login requires creating a new password. Savvy users reduce the work required by using a password manager that generates and saves a strong password for them. But most users don't do this. They reuse easy-to-remember passwords that compromise security.
Creating a passkey consists of two taps or clicks: one in the app or website to add the passkey and another on the Apple device to confirm. This creates a key pair, passes the public key to the server, and saves the pair in the user's keychain. The user doesn't have to come up with a password or memorize anything. iOS passkeys create credentials that are guaranteed to be unique for that account, along with a unique identifier.
The password-based login process looks like this:
1. Enter a username and password.
1a. Or select the account in a password manager. This step often requires authentication of its own.
2. Wait for an SMS message for two factor authentication.
2a. Or retrieve a code from an authenticator app.
3. Enter the two factor code to complete the process.
Logging into a website with a passkey requires a single click. Apple's autocomplete will offer to log in to sites if they have a passkey. After the user taps, the device will perform biometric authentication and log the user in. If biometric authentication isn't available, Apple will start two-factor authentication. The system also verifies the site or application before it presents the private key, so phishing simply isn't possible with passkeys.
If a user wants to log in with a password on a device they don't own, they need to enter the password. If they're using a password manager with strong passwords, that means manually entering a long and hard-to-remember string of characters. So, they're punished for trying to do the right thing.
Users also have the option of logging into applications on devices that they do not own. If they start the process by entering their username, the app displays a QR code that they can scan with their iOS device.
Users can also share passkeys with trusted friends, so passkeys allow for shared accounts without compromising security by sharing passwords.
iOS Passkeys Roadmap
Apple announced iOS passkeys during the 2021 Worldwide Developer Conference (WWDC) and included the feature as a preview in iOS 15 and macOS Monterey. At the 2022 WWDC they announced it will be part of iOS 16 and macOS Ventura. The API code and documentation are already available, so developers can start adding support for and testing passkeys now.
Google has also promised to release their implementation of passkeys in 2022, and they'll support the same Multi-device FIDO standards. So, websites and servers that support both iOS and Android clients have more motivation to adopt passkeys, since the credentials will have the same requirements for servers.
Adding iOS Passkeys Support
Adding support for passkeys means adding WebAuthn authentication abilities to your server and using Apple's APIs for user authentication in your application.
WebAuthn, also known as the Web Authentication API, is the specification that describes how servers exchange keys with clients, store public keys and randomly generated credential IDs for users, and authenticate client applications and users. OwnID makes adding server support simple: you can be up and running in hours.
As mentioned above, Apple has details on how to integrate iOS passkey support into your client code. The API does most of the work for you, since it manages key creation, server messaging, and biometric verification. Apple has example code here.
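To make the registration flow described earlier and the WebAuthn server role concrete, here is an added Go sketch of both sides (example code written for this article, not Apple's API or OwnID's code). It assumes a relying party ID of "example.com" and simulates the device's keychain in-process; the server ends up holding only credential IDs and public keys, each login uses a fresh random challenge, and the device refuses to sign for a site whose name differs from the one the passkey was created for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server is the relying party; it holds only credential IDs and public keys, never a secret.
type Server struct {
	RPID  string                     // site the passkeys are bound to, e.g. "example.com"
	Creds map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Passkey stands in for the keychain entry on the device.
type Passkey struct {
	RPID, CredID string
	priv         *ecdsa.PrivateKey // never leaves the device
}

func NewServer(rpID string) *Server { return &Server{RPID: rpID, Creds: map[string]*ecdsa.PublicKey{}} }

// Register mirrors the two-tap flow: a fresh P-256 pair is made and only the public half is sent.
func (s *Server) Register() (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16) // random credential ID, as WebAuthn authenticators generate
	rand.Read(id)          // crypto/rand never returns an error on current Go releases
	s.Creds[string(id)] = &priv.PublicKey
	return &Passkey{RPID: s.RPID, CredID: string(id), priv: priv}, nil
}

// assertionDigest binds the challenge to the RP ID, so an assertion for one site is useless on another.
func assertionDigest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}

// Login simulates one sign-in; the device signs only if the requesting site matches the passkey's RP ID.
func (s *Server) Login(pk *Passkey, site string) bool {
	pub, ok := s.Creds[pk.CredID]
	if !ok || site != pk.RPID { // unknown credential, or a look-alike domain: no assertion at all
		return false
	}
	challenge := make([]byte, 32) // fresh per attempt, so a captured assertion cannot be replayed
	rand.Read(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, pk.priv, assertionDigest(site, challenge))
	return err == nil && ecdsa.VerifyASN1(pub, assertionDigest(s.RPID, challenge), sig)
}
```

A real WebAuthn server also checks the origin and counter fields in the signed authenticator data; this sketch only shows why a leaked server database holds nothing an attacker can log in with.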
iOS Passkeys Are Here
In this article, we've discussed Apple's iOS passkeys. After covering what they are and how they work, we touched briefly on passwordless authentication and why it's safer than the alternative. Then we covered the benefits of Apple's implementation and saw how it looks to users. Finally, we touched on how you can get started with iOS passkeys now.
OwnID has the tools and infrastructure you need to get up and running with passkeys quickly and safely. Sign up for a free trial today.
This post was written by Eric Goebelbecker. Eric has worked in the financial markets in New York City for 25 years, developing infrastructure for market data and financial information exchange (FIX) protocol networks. He loves to talk about what makes teams effective (or not so effective!).