Apple will truly achieve password-free login. How will it do it?

At the Worldwide Developers Conference (WWDC) held on Tuesday local time in the United States, Apple announced that it will achieve true password-free login for the first time, so how did it do it? The company explained that it will use Passkey in iOS 16 and MacOS Ventura apps and websites, and use Touch ID or Face ID for authentication.

For years, many companies have promised to provide more secure, password-free login solutions, and 2022 may be the beginning of moving people away from passwords. At this year's Worldwide Developers Conference, Apple announced that it will launch password-free login on Mac, iPhone, iPad, and Apple TV starting in September this year. On iOS 16 and MacOS Ventura, people will no longer use passwords, but will use Passkey to log in to websites and apps. This is the first major shift in the real world to eliminate passwords.

So how does Apple do it? Darin Adler, Apple's vice president of Internet technologies, explained at WWDC that Passkey replaces passwords by creating a new digital key using Touch ID or Face ID. When users create an online account on a website, they can use Passkey instead of a password. "To create a Passkey, simply authenticate with Touch ID or Face ID," Adler said.

When you log in to the site again, Passkey allows you to authenticate using your biometric information without having to enter your password (or have your password manager generate a new password). When you log in to a site on your Mac, a prompt will appear on your iPhone or iPad asking you to verify your identity. Apple says Passkey will be synced across devices using iCloud's Keychain, and that Passkey is stored on your device, not on a server.

Behind the scenes, Apple Passkey is developed based on the Web Authentication API (WebAuthn) and supports end-to-end encryption, so no one can read them, including Apple itself. The system that creates Passkey uses a public-private key identity system to prove the user's identity.

For most people, a password-free system would be a major advance in cybersecurity. In addition to eliminating passwords that could be cracked, no longer using passwords can help reduce the risk of phishing attacks. And if the password doesn't exist in the first place, it can't be stolen in a data breach. Currently, although some applications and websites already allow people to log in using fingerprints or facial recognition, this usually requires them to first create an account with a password.

Apple's Passkey isn't a brand new invention, the company first detailed them at WWDC 2021 and began testing them shortly after. And Apple isn't the only company that wants to eliminate passwords. For nearly a decade, the tech industry group The FIDO Alliance has also been working on developing the basic standards needed to eliminate passwords, and Passkey is Apple's move to support those standards.

FIDO has taken a number of important steps in recent months to accelerate the elimination of passwords. In March, the organization announced a way to store the cryptographic keys that allow logins to be synced between devices, calling it a "multi-device FIDO credential," or "passkey."

Soon after, Apple, Microsoft and Google all announced their support for FIDO standards. Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said that adopting these standards will ensure more people's online security. At the time, the three tech giants said they would begin to roll out the technology "in the coming year." Microsoft's user accounts have been able to give up passwords since September last year, and Google has been working on password-free login technology since 2008.

Once all tech companies have released their own versions of Passkey, the system should work across devices. In theory, a user could log into a Windows laptop with an iPhone, or log into a website in Microsoft's Edge browser with an Android tablet. "All of FIDO's specifications are developed collaboratively, with hundreds of companies involved," said Andrew Shikiar, executive director of FIDO.

Ciquiar has confirmed that Apple is the first company to start rolling out Passkey technology, saying that "this approach will soon have a real impact on consumers around the world." Whether password-free login can be achieved depends on how Passkey technology performs in reality. At present, it is still an open question what will happen to Passkey if you want to abandon Apple's ecosystem and switch to Android or other platforms. Developers still need to make changes to their apps and websites to use Passkey.

In addition, for password-free technology to gain people's trust, people must first understand how it works. Alex Simons, head of Microsoft's identity management project, said: "Any viable solution must be safer, easier, and faster than the passwords and traditional multi-factor authentication methods currently used." In short: If cross-device login systems are difficult to use, people may avoid them and continue to use dangerous but convenient passwords.