How Apple Passkeys are Used on iOS and macOS

Passkeys are the new standard for logins. This view and the vast potential of passkeys are shared by the big tech giants Apple, Google and Microsoft - all part of the FIDO Alliance, that developed the standard for the underlying technology. In May 2022, the FIDO Alliance published a whitepaper on the new concept called "multi-device FIDO credentials", or short passkeys. Hence, passkeys are not exclusively associated with Apple or any other member of the alliance. However, Apple quickly adopted the branding of passkeys and strongly promoted the launch of Passkeys in iCloud Keychain on their yearly Worldwide Developers Conference (WWDC) in June 2022.

We want togive you a short prospect on the look and feel of passkeys with Apple devices.

We already covered the general concept of passwordless, biometric authentication in previous articles. In a login ceremony from the user's perspective that simply means using Touch ID or Face ID a private key is used to generate a digital signature. This signature then proves to a server that it has been created with this unique private key, without ever risking of giving away the key itself.

This procedure can already be experienced today using the WebAuthn standard that is supported by most browsers and devices (demonstrated below with the Safari browser and Macbooks Touch ID sensor).

Figure 1: Passwordless authentication with Macbooks Touch ID sensor using WebAuthn (Macbook Pro / Touch ID)

One concern that we often heard when talking about WebAuthn is: What happens if I lose my device or dont have it with me?. Thats where passkeys come into play. Your device(s) will take care of passkey synchronization and backups. Once the technology is rolled out later this year, you will be able to use your passkeys on all devices that are linked to the same iCloud account. It works pretty much like the iCloud Keychain today, just without the passwords.

If you lose your device, you just take a different Apple device linked to your account or restore the backup, and you're back in. Your passkeys will already be there and allow you to sign into your services with Touch ID or Face ID straight away. If you sign up on a website on device A and want to access the same website later on device B, passkeys are already available.

To achieve this high level of usability, you need to enable iCloud Keychain synchronization, which does not come at the expense of security. Since Apple uses end-to-end encryption for iCloud Keychain, its a safe place to store the passkeys. Furthermore, to use passkeys, users must also set up two-factor authentication. When signing in for the first time on a new device, two pieces of information are required the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number.

Another security feature by Apple is iCloud Keychain escrow, that allows to recover passkeys even in the case when all devices are lost at the same time (for more information about iCloud Keychain escrow click here).

Then, the passkey will be created after authenticating with Face ID or Touch ID. Next time you want to sign in to the website or app, your device will recognize that you previously saved a passkey and asks if you want to sign in using that passkey. Tap continue and authenticate using your biometrics.

Figure 2: Save a passkey for your linked iCloud account (iPhone X / Face ID)

Figure 3: Sign in using a passkey (iPhone X / Face ID)

The cool thing with passkeys is that you can directly sign in on any other device (that supports passkeys) linked to your iCloud account as the passkeys are synced on your iCloud Keychain.

Figure 4: Sign in from another iPhone linked to same iCloud account (iPhone 8 / Touch ID)

If you cant authenticate on the current device, youll be able to select that you want to sign in using another device.

Figure 5: Choose from different sign in options (iPhone X / Face ID)

Once you select that option, a QR code will appear which you can scan on the other device and then authenticate yourself.

Figure 6: Generate a QR code that can be scanned with a different iPhone (iPhone X / Face ID)

Linked to My iCloud Account?

Imagine you want to give a friend access to your shared Netflix account. As that account is probably not linked to your iCloud account, you must somehow transfer the passkey to the other device. In that case, Apple allows to share passkeys via AirDrop. Your friend can simply receive the passkey via AirDrop and import it into their keychain.

Figure 7.1: Share passkeys via AirDrop: select a passkey...

Figure 7.2: ... and AirDrop it

According to Apple this wont pose a problem. If you want to sign in from a device that is not linked to your iCloud account, you can simply generate a QR-Code on your non-Apple device (for instance with Google Chrome on your Windows laptop or with your Android smartphone) and scan it with your iPhone or iPad. Then, you authenticate on your iPhone or iPad with Touch ID or Face ID to sign in thats it. As an additional layer of security, the non- Apple device and the Apple device should be within physical proximity of each other since the process will be using Bluetooth. You cant send photos of QR codes and scan them on your Apple device from far away.

Figure 8: Login from a Windows 10 laptop with Google Chrome displaying a QR Code (step 1)

Figure 9.1: Scan the QR code with an iPhone with Touch ID ...

Figure 9.2: ... or with an iPhone with Face ID and save a passkey as in figure 2 (step 2)

Alternatively, if your non-Apple device supports WebAuthn and has biometric sensors, separate passkeys can be registered for that platform, e.g. for a Windows laptop with a fingerprint sensor using Windows Hello. Though, a cross- platform API is required such as the one provided by Corbado.

Apple brought passkeys to iOS 16 and macOS Ventura with its major software updates on September 19, 2022. With automatic updates, iOS 16 will be distributed to 85% of all Apple users within the end of year.

To prepare you for passkey logins, Corbado offers a free Passkeys Analyzer that analyzes the passkey-readiness of your user base.