Apple 'Passkeys' Could Finally Kill Off the Password For Good (techcrunch.com)
Apple demonstrated "passkeys" at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.
During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.
and apple safari for windows / Linux / etc is at ? (Score:3)
and apple safari for windows / Linux / etc is at ?
Re: and apple safari for windows / Linux / etc is (Score:3)
Webauthn is an open standard, so you could implement your own, Yubikey and Duo support the standard.
The problem is indeed take-up by your Facebooks, Twitters and Android manufacturers, because the standard allows for better privacy: you can opt to only provide an anonymous profile, killing the cash cows of the past decade.
Re: and apple safari for windows / Linux / etc is (Score:5, Informative)
The problem is indeed take-up by your Facebooks....
The problem is that it's biometric, and is a disaster waiting to happen that far outstrips any benefits.
Re: and apple safari for windows / Linux / etc is (Score:5, Informative)
The problem is that it's biometric....
Disregard my prior knee-jerk response. I mistakenly assumed the summary was at least somewhat accurate, which it isn't (no, I'm not new here). This is just good old public key infrastructure formalized as a verification standard, with biometrics being just one of any number of possible ways to generate the private/public keypair.
Passkey is a lot like what Secure Shell has been doing for 20+ years to eliminate the need for passwords, and to protect servers from brute force password cracking. It's a great idea for desktops and other stationary computing devices, but a terrible idea for mobile devices. If someone steals your phone and beats the biometric security (which, historically, has been rather easy to do), or just steals your unlocked mobile device, the thief has easy and direct access to all of your online accounts. And you have the very unpleasant task of trying to beat the thief to your bank and other sensitive sites. You, however, will have many hoops to jump through. The thief, on the other hand, has a completely unobstructed path. You will lose the race.
Re: (Score:3)
Despite all the hype and myths surrounding it early on, TouchID turned out to be no different than every other fingerprint lock. By that I mean it was trivial to defeat. [arstechnica.com]
Re: (Score:3)
Beating Apple's biometric security is rather easy to do?
Mugger grabs your phone, threatens to beat you up if you don't unlock it for him.
Yes.
Re: and apple safari for windows / Linux / etc is (Score:4, Funny)
The only safe solution would be to (try to) learn your private 4096bit RSA key and use directly that as a password. Under a stressful situation like a mugging, it's very unlikely that you'd be able to remember all the numbers, lest type them in without making a mistake, thus making your phone invulnerable to such attacks. And the more the mugger will beat you, the less likely you'll be to remember! I really don't see any downside to my idea.
Thank you for checking (Score:5, Informative)
Thanks for looking into that and posting a correction.
Indeed the private key can be protected via any method you want. The actual standard uses public and private keys. Apple is using the phone and account login plus biometric to protect the private key.
I've studied web authentication and written security software for the web for over twenty years. WebAuthn is not perfect. It IS better than passwords. Switching from passwords to this would be a definite improvement.
Re: (Score:2)
Citation needed for biometric security on phones being easy to beat. The fingerprint sensors on modern phones are difficult to fool. Face ID is weaker but still far from trivial, e.g. on decent phones it doesn't work with photos. Fingerprint is best though.
Banking apps require another biometric ID when logging into them specifically, so the phone just being unlocked isn't enough. That said, even if you use a 9000 character password, if they grab your unlocked phone they have access to every website you were
Re: (Score:2)
Back on the iPhone 5, and modern iPhones don't even have a touch sensor.
How about we say a phone released in the last 5 years from Apple, Samsung, Google, OnePlus, some decent brand like that.
Re: (Score:2)
Citation needed for biometric security on phones being easy to beat. The fingerprint sensors on modern phones are difficult to fool.
The sensor on my phone won't recognize my prints for a while after I've been in the bath or shower. Presumably the prints in my water-logged fingertips are pretty much the same as when my fingers are dry; so if the sensor is that picky, I'm guessing that fooling it would be very difficult.
Re: (Score:2)
It's probably not accepting wet fingers because it is designed to reject anything that doesn't seem like dry skin with flesh underneath.
Re: (Score:2)
Twitter and Android both already support FIDO2 and other technologies for this.
In fact Google has been offering this with Android for years already, but only for their own websites. They have been working with Apple on this more general feature, and Android is expected to have this in the next version which is due in a few months.
Android also supports Yubikey type security keys, both via USB and NFC. I think iPhones support them via NFC as well, not sure.
Re: (Score:3)
I've been using it under Linux, except not with Apple but with Android.
It's good for Apple to also support it, but I don't like the writing style treating it as the second coming that only counted once Apple did it, and then pretend only Apple is doing it.
Imperfect (Score:2)
As always, security can't make things too hard but also has to CYA of the site. We are definitely on the side of too difficul
Re: (Score:2)
What breaks everything is the username on screen and password on the next.
FWIW, I have to do the username screen/password screen login like this every day in Safari for work. The macOS Keychain works just fine for it.
Re: (Score:2)
Mine works fine for those two-page sign in things, Safari, Chrome and random apps on an iPhone.
Maybe you're holding it wrong?
If they want into my account (Score:4, Funny)
They'll have to take a finger from my cold, dead, hand!
Re: (Score:2)
a cold dead hand is no protection.
They can just as easily cut the finger from a live, hemorrhaging hand!
and the live hand gives them the added fun of enjoying your scream. Kind of rough on their cleaning service as you exsanguinate, however . . .
Ya, no. (Score:3)
Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate.
So... have the phone scan your face or swipe a fingerprint and automatically log you into all your accounts. What could go wrong for you? At least LEOs will love this... Me? I'll make them beat the many different passwords out of me.
Re: (Score:2)
On Android hold down the power button for a second or two. You will get a special menu with a lockdown option that disables biometrics until you enter your password.
You can also set up a panic button. If you press the power button five times rapidly it opens up. Options include recording video (which is backed up to your Google account automatically), playing a loud noise, sending messages and location data to friends etc. You can combine it with the lockdown once the recording starts, but sadly you can't s
Re: (Score:2)
On Android hold down the power button for a second or two. You will get a special menu with a lockdown option that disables biometrics until you enter your password.
Good tip, I hadn't noticed that. Thanks.
Re: (Score:2)
What could go wrong for you?
Significantly less than trusting you (the general "you", not you specifically) to not re-use passwords, not use your daughter's birthday, or any other easily guessable password.
Significantly less than trusting the service you deal with to have basic practices in place like salting password hashes, hell based on past leaks we can't even assume your username and password aren't just simply stored in plain text on a HTTP accessible folder on some server.
We've had 30 years of failure to secure passwords. Time t
Re:What could go wrong... (Score:5, Interesting)
They'll still be phished. It'll just be done in a slightly different mechanism.
The method Apple demoed to allow you to sign into a "Passkey" protected website via non-Apple software was by scanning a QR code. Stuff like that already exists (for example, Discord's web client does this). What the hackers do is proxy the request so that they forward the QR code through their system to your device. You then authenticate by scanning the code, and the phisher's system gets your session token.
We see this happen all the time with Discord. Since there is no difference between a QR code served by the real website and a QR code that's been proxied, there's no way to tell that the original request didn't come from the user.
So, sure, you don't get the actual authentication tokens. But you get a session token and can therefore do anything you want as the user, which is generally just as good.
Re: (Score:2)
Note that in webauthn, when a site requests authentication, the site id is part of the payload, and the browser validates that there's a valid certificate that matches the domain expected by the backend. If an intermediate site tries to relay the challenge, then the browser will choke on the fact that the domain can't match even if a human isn't checking it.
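The origin and RP ID binding described in the comment above, shown from the relying party's side. This is an added example, not code from the article or from any of the posters, and the origin, RP ID, challenge and authenticator data are all constructed here. It performs the checks from the WebAuthn assertion verification procedure that tie a response to one site and one login ceremony (ceremony type, challenge, origin, rpIdHash, user-presence flag, signature counter) and returns the bytes the authenticator actually signed; verifying the signature over those bytes with the stored public key is the caller's job and is left out so the block runs with the standard library alone.

```python
import base64
import hashlib
import json
import os

# Constructed values for the demo (not from the page): the relying party's
# expected identity. In a real deployment these come from the RP's config.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def build_authenticator_data(rp_id: str, counter: int,
                             user_present: bool = True, user_verified: bool = True) -> bytes:
    """Minimal authenticatorData as an authenticator emits it for an assertion:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter (37 bytes)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser, not the page's
    JavaScript, fills in the origin it actually loaded."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, expected_origin: str,
                            expected_rp_id: str, last_counter: int) -> bytes:
    """Relying-party checks that bind an assertion to this site and this ceremony.
    Returns authenticatorData || SHA-256(clientDataJSON), i.e. the message the
    caller must verify the signature over. Raises ValueError on any mismatch."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge does not match this login ceremony")
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    flags = authenticator_data[32]
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    counter = int.from_bytes(authenticator_data[33:37], "big")
    # A counter that fails to increase is the spec's signal for a cloned authenticator.
    if counter != 0 and counter <= last_counter:
        raise ValueError("signature counter did not increase")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo() -> dict:
    """Genuine ceremony versus the same challenge relayed through a look-alike origin."""
    challenge = os.urandom(32)
    auth_data = build_authenticator_data(EXPECTED_RP_ID, counter=42)
    results = {}
    genuine = build_client_data(challenge, EXPECTED_ORIGIN)
    results["genuine"] = check_assertion_binding(
        genuine, auth_data, challenge, EXPECTED_ORIGIN, EXPECTED_RP_ID, 41) is not None
    # The browser stamps the origin it really loaded, so a relayed challenge
    # arrives carrying the wrong origin and the RP refuses it.
    relayed = build_client_data(challenge, "https://login.example.com.evil.test")
    try:
        check_assertion_binding(relayed, auth_data, challenge, EXPECTED_ORIGIN, EXPECTED_RP_ID, 41)
        results["relayed"] = "accepted"
    except ValueError as exc:
        results["relayed"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties do the work here. The origin field is written by the browser from the document it loaded, and the rpIdHash is computed by the authenticator from the RP ID the browser passed it, so neither can be set by page script; a relayed ceremony therefore fails the origin check even when every other field is forwarded intact, and the authenticator would in any case hold no credential scoped to the relaying site's RP ID.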
Re:What could go wrong... (Score:4)
While presumably Passkey is built on top of something like WebAuthn, what Apple showed at the keynote was someone pointing their iPhone at a browser window that was showing a QR code to log into a website. All you have to do to phish that is make the login request yourself, grab the QR code, and forward it to your victim. It's just a QR code. The phone can't validate the domain the desktop browser is loading because all it sees is the QR code. Presumably the actual key exchange happens "out of band" so that the desktop browser and the phishing site never get to see the actual authentication - but it doesn't need to. The user has "logged on" but through the phishing site, so the site now has the session token.
Re: (Score:2)
If that's true then Apple fucked up. QR codes are only supposed to be for initial configuration, to share the shared secret for the site. They are not to be used for authentication.
Authentication is to be done by the device, either the computer or an external one like a Yubikey. The URL of the top frame of the page making the request is sent, so phishing sites can't just put the real site in an iFrame or something. There is no known way to bypass it, and any exploit would require causing the browser to send
Re: (Score:2)
To be specific, at least with Chrome and Android, the browser makes a QR code to tell an unknown phone to reach out to the browser over bluetooth for the first time ever. Once that happens, all registration and login operations are done without a QR code. The QR code never has anything to do with the website, it's a detail between the browser and the authenticator, not something that the site is involved with at all. Once you use QR code to connect a phone to browser, then a visit to an unrelated site sh
Re: (Score:2)
I'd have to go back to the demo video but in the demo the QR code was "stylized" and I think it had the Apple logo in the middle, which highly suggests Apple is generating it themselves and not involving the browser. Especially since the demo made sure to show the Windows taskbar.
Re: (Score:2)
I have had a cut on my finger that meant I could not log in using it. I can just imagine getting a black eye, or some other injury, and not being able to log in.
Re: (Score:3)
Don't worry you can always change your biometrics, Oh wait.
Re: (Score:2)
Already Apple rejects my thumb prints too many times.
Security-wise, this is a good thing.
Pro Tip: Register your big toe for unlocking your phone. It may be inconvenient for you, but the Cops/Feds will never think to try that to unlock your phone. :-) Or, you know, use a PIN / Password that they (almost always) can't compel you to disclose.
Passkey backup to iCloud (Score:3)
Re:Passkey backup to iCloud (Score:4, Informative)
Keychain is separate from backups and is end-to-end encrypted.
https://support.apple.com/en-u... [apple.com]
Cool (Score:2)
Can I use WebAuthn to log in to a remote system via ssh? Or am I still going to need to remember a password?
Re: (Score:2)
webauthn is basically 'ssh keypairs are nice, I wish we had it in browsers, and TLS certs don't work because modern web backends are proxies all the way down'.
It further prescribes expectations and provides possibility for model attestation, though that's best ignored because it's highly impractical.
If openssh wanted to, they can have ssh client interact with the same complement of technologies (TPM, bluetooth, etc) to be webauthn-like
Re:Cool (Score:5, Informative)
Not quite exactly like that, but there are similar things.
WebAuthn is a web-specific JavaScript API that allows web pages to interact with hardware authenticator devices. That includes both FIDO2 "roaming authenticators" such as YubiKeys, and built-in "platform authenticators" like TouchID and Windows Hello. FIDO2 devices are accessed via a standard protocol called CTAP, and platform authenticators have platform-specific APIs, but WebAuthn hides those details, so a page can use whatever type(s) of authenticator the browser knows how to talk to.
Recent versions of OpenSSH also support FIDO2 roaming authenticators, so you can use e.g. a YubiKey to log into a remote account. (This doesn't involve WebAuthn; it uses CTAP directly, just like a browser does as the basis for WebAuthn.) However, it requires support on both the client and the server (since it's a new kind of SSH key, which the server must understand), so it won't work with older servers. Also, the build of OpenSSH currently shipped in macOS has it disabled, and it might not work in Windows either (I'm not sure).
Platform authenticators like TouchID and Windows Hello do not use the FIDO2 CTAP protocol, and I don't think OpenSSH currently supports them. It would be possible, but someone would have to write code specifically to support TouchID, specifically to support Windows Hello, and so on.
There's an unofficial OpenSSH plugin for Windows Hello [github.com]. There's also an unofficial tool for using TouchID with OpenSSH [rustrepo.com]. The former is a plugin for OpenSSH's security-key support; the latter is an SSH agent [wikipedia.org] that's backed by the macOS keychain.
OpenSSH can also use keys stored in PKCS#11 [wikipedia.org] devices: smartcards (in smartcard readers) and some devices which emulate smartcards (such as YubiKeys). This is more compatible than the FIDO2 option (doesn't require any special support on the server side, and should work on a Mac), but also more complicated to set up.
BTW, when you say "remember a password", I'm assuming you mean the password for your local SSH private key, not the password for the remote account you're logging into. If you're typing remote passwords, you should switch to SSH keys [archlinux.org] right away, and preferably disable password logins entirely on the remote server ("PasswordAuthentication no" in sshd.conf) to prevent password-guessing attacks. If you have an SSH agent running (this is automatic on macOS and most Linux desktops; don't know about Windows), you'll only have to type the key's passphrase once per login session, which is better than typing remote passwords every time. Then you can start thinking about FIDO2/PKCS#11/etc. to store the key in a hardware token instead of a plain file.
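The hardening advice at the end of the post above, checked mechanically. This is an added example, not the poster's code and not part of OpenSSH; it assumes the server file is the usual /etc/ssh/sshd_config (the block parses an embedded, constructed sample instead of reading a real file) and relies on sshd's rule that the first value given for a directive is the one that takes effect, which is what lets a stray earlier `PasswordAuthentication yes` silently override a later `no`.

```python
from typing import Dict, List, Tuple

# Constructed sample sshd_config (not from the page). The duplicated
# PasswordAuthentication directive is the trap this audit is meant to catch:
# sshd keeps the FIRST value it reads, so the later "no" changes nothing and
# this host still accepts password logins.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Settings we want in force globally (keys compared case-insensitively).
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_global_section(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Collect every value given for each directive in the global section, in
    file order, plus the Match headers seen. Match bodies are skipped because
    they apply only to connections matching their criteria."""
    seen: Dict[str, List[str]] = {}
    matches: List[str] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            matches.append(line)
            in_match = True
            continue
        if in_match:
            continue
        seen.setdefault(key, []).append(value)
    return seen, matches


def audit(text: str) -> List[str]:
    """Return findings as strings; an empty list means every wanted setting
    is in effect globally and nothing needs a second look."""
    seen, matches = parse_global_section(text)
    findings: List[str] = []
    for key, wanted in WANTED.items():
        values = seen.get(key)
        if not values:
            findings.append(f"{key} not set; compiled-in default applies")
            continue
        effective = values[0]  # first occurrence wins in sshd_config
        if effective != wanted:
            findings.append(f"{key} is {effective!r}, expected {wanted!r}")
        if len(set(values)) > 1:
            findings.append(f"{key} set more than once; first value {effective!r} wins, "
                            f"later {values[1:]!r} ignored")
    if matches:
        findings.append(f"{len(matches)} Match block(s) present; review them separately")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(finding)
```

On a real host, `sshd -T` prints the configuration sshd has actually resolved, which is the authoritative answer; the parser above is useful for reviewing files you cannot execute sshd against, such as configs pulled from a fleet or from a backup.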
Good news (Score:3)
The US government ruled that your biometrics aren't protected by the Fourth and Fifth Amendments and police can seize them from you all they want :)
Uh, OK. (Score:3)
So, they can use an Apple device to sign in with a non-Apple device?
Force Safari use (Score:2)
Middleman security is one too many layers, sorry. (Score:3)
Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate.
So you are either in the walled garden or it can't work. Also scanning random QR codes - now there is some security!
If this catches on some car manufacturer will implement it to get into their vehicle and when the cloud goes down because someone pushed an untested update, no one can use their car. Wait this might be a good idea after all.
Re: (Score:2)
Note that at least with Android, the browser is presenting the qr code, not the website. Further, the qr code is simply directing the device to go do some bluetooth stuff toward a certain device, not going to some internet url.
No, it cannot. Seriously. (Score:5, Insightful)
Biometrics is, at best, usable as a 2nd factor. Because it has this one tiny problem: If it gets compromised, you cannot change it. You can only stop using it.
Seriously, what is this nonsense? Do these people not even know the very _basics_???
Re: (Score:3)
Seriously, what is this nonsense? Do these people not even know the very _basics_???
Of course they don't. This is Apple we're talking about here. You know, the company that wants all of its customers to be infants, so Apple can handhold all of them. (The more mature people are told to GTFO.)
Then again, it's also the entire industry, because we live in a country where basic computer usage and safety education is apparently demanding too much from society. The same society that bought hook, line, and sinker Steve Jobs' "It's an appliance" crap from the 1980s. You know a time when most peop
Re: (Score:2)
I do agree to all of that. I find it absolutely staggering that we spend a decade or so to teach people to read and write, but basically nothing on competent computer use and what does and does not work.
Re:No, it cannot. Seriously. (Score:5, Informative)
Broadly speaking, the fingerprint is not how you are authenticating to the site; the fingerprint is how you authenticate to the local device, and the local device is what, in turn, authenticates to the site. The site has a normal public key on record per user per authenticator, not biometric data. The scheme by which the authenticator device authenticates the user is a matter up to the device.
Simply, PIN, fingerprint, or whatever is the second factor, possession of a *specific* instance of the device is the first factor.
Re: (Score:2)
Yes, I am aware. But how does that help against the fingerprint leaking? Oh right, it does not. It is just not via compromise of the site.
Re: (Score:2)
If you just have my fingerprint reproduced, then you can't login to the site. You also need to steal my specific phone or whatever authenticator hardware we are talking about. Then you also have to provide my fingerprint to the device.
Compared to a lot of 2FA tokens, where you just need the hardware but don't need to authenticate to the token, this isn't worse.
Re: (Score:2)
I don't disagree entirely, but for 98% of people, fingerprint or face scanning protection is safer than 'password1'.
Even for those of us that use strong passwords, we're relying on someone not storing the passwords in plain text on some AWS instance.
There are no perfect solutions here, only good compromises. This is a far better compromise than most. Someone taking the time to lift your fingerprints is a high bar to entry. Same with well-implemented face scanning—Apple's devices aren't fooled by simpl
Re: (Score:2)
Passwords also have (in USA) First Amendment protections against forced speech. Your face held in front of a camera or your thumb to a sensor are not similarly protected. You can be ordered by a court to unlock a lock but not (some exemptions, but generally) to surrender a password. And you can give false passwords to trigger lockout of devices... hard to do that with biometrics.
Re: (Score:2)
Ehr, wow, I get a picture of your face. You rerecord your face. Shit, my picture still works, it is your face after all and it didn't change. I lift a fingerprint from a glass. You rerecord your fingerprint and... amazingly, my ripped fingerprint still matches.
It's not the signature they're ripping...
Re: (Score:2)
I recommend a look at actually relevant security research instead of shooting off your mouth like a moron.
yubikey (Score:2)
I must admit I don't like the idea of a key on a phone, but as for a Yubikey, or one of the others. AMEN.
It is no different than you having the key to your front door. It's yours; if you lose it, you change the locks.
Apple? YeahNO! (Score:2)
Sorry, but if it's Apple, standardizing on the product is insanity
Gawd No!! (Score:2)
I hate this. It is a miserable approach to have a biometric (or a marginally secure device PIN that you have to enter frequently). Why couldn't they just take the leap and either support/resell yubikeys or make their own so you can have a solid physical device plus separate PIN?
Obligatory (Score:2)
I just had my thumb amputated, you insensitive clod!
[disclaimer: no offense was intended to anyone who has lost any digits]
I love this.... (Score:2)
What if there's no phone? (Score:3)
They say that multi-factor authentication with a call to your phone for verification will be required. What if -- gasp! -- I choose not to carry a portable tracking device with me? Will I be denied access to all my information stored online if I don't carry a phone?
This is already happening with some websites and it is truly irritating. I often am away from home, not near a phone, or outside the country where I do not want to receive a text message and this requirement is really a pain.
Re: (Score:2)
When a site does a createcredential/getcredential, the browser asks you how to proceed. Currently it really wants you to use *something* (chrome will accept windows hello under Windows, yubikey under whatever OS, and Android phones over bluetooth, for example). If the site implements it properly, it'll allow you to register multiple authenticator devices.
Re: (Score:2)
Citizen, you will carry the tracking device on your person everywhere. It's the law.
Re: (Score:2)
And you will gladly pay for it.
What if your face doesn't unlock it? (Score:2)
I turned off fingerprint unlocking on my phone because half the time it didn't work. Whenever the humidity was low, my fingertips would get dry, and apparently that changed the shape of my fingerprints enough to confuse the scanner. Maybe face ID is better, but it's not always going to work. Maybe you get a new mole on your cheek, or a new scar, or who knows what. If your face ID fails enough times, will you be locked out of your account? How do you get it unlocked then? Can someone else use the unlock proc
Re: (Score:2)
Yes, that. And what if you have a food allergy or take medication that bloats your face, or what if you fall down the stairs and get a black eye, or break your jaw, or what if you have a bout of psoriasis or lupus, or the simple fact that your face ages and changes as it ages...
Re: (Score:2)
So it's not "really" passwordless then, just an optional convenience feature. For security purposes, that's no better than a password, because you still have to remember a password (PIN, whatever), and if someone knows it, they can still get in.
Think again (Score:2)
All well and good (Score:2)
Re: (Score:3)
Absolutely... passkeys should be per device and never synced.
Re: (Score:3)
Yeah, there's just no way Apple has thought of this. I mean, they have really a small staff of low-quality people, and nowhere near the revenue to do it right. :-|
Re: (Score:2)
Oh, they thought of it for sure... They have to keep it easy for users, so syncing is a feature to make it easier for people to swallow not needing to log in from each device separately. Doing it a more secure way, like not syncing the passkey, would require more user work and would likely be thought to make it less likely to be used.
Re: destined for failure (Score:3)
Yeah, there's just no way Apple has thought of this. I mean, they have really a small staff of low-quality people
So you are telling me the itunes for windows team is behind this new feature?
Re: (Score:2)
If it was a question of revenue or staff size, Microsoft would not be putting out such abysmal crap. It is not a question of revenue or staff size. Some companies are institutionally clueless and produce bad engineering (sometimes generally, sometimes in some areas only), no matter what.
Re: (Score:2)
Well. If it is biometric, first your device can get hacked and then the bio-pattern is burnt. And second, there are other ways for it to leak, like the recordings you make of yourself.
Face it: Biometrics are at best usable as a weak 2nd factor and that has been known to experts for a long, long time.
Re: (Score:2)
1. Have people use their face as biometric ID
2. Use Clearview AI to gather pictures that people seem to endlessly put online for some reason
3. Print picture with cheap printer / make deepfake video of person of interest doing the head gesture sequence required to unlock device
4. ???
5. Profit!
Re: (Score:2)
Well. If it is biometric, first your device can get hacked and then the bio-pattern is burnt.
So it's insecure because it's unusable if the device is already in a hacked state?
And second, there are other ways for it to leak, like the recordings you make of yourself.
You do know that FaceID requires a full 3D model of the face, not a flat 2D photo/video, right?
Face it: Biometrics are at best usable as a weak 2nd factor and that has been known to experts for a long, long time.
Yes, people should instead remember unique sentence long pass phrase that has to be remembered for every single log in and also changes at unique intervals. No flaws there!
Re: (Score:2)
Well. If it is biometric, first your device can get hacked and then the bio-pattern is burnt.
So it's insecure because it's unusable if the device is already in a hacked state?
No, it is insecure because it cannot be changed when it gets compromised. Do not be dense.
And second, there are other ways for it to leak, like the recordings you make of yourself.
You do know that FaceID requires a full 3D model of the face, not a flat 2D photo/video, right?
Can be generated from a video in many cases. Seriously. Get some understanding of the problem.
Face it: Biometrics are at best usable as a weak 2nd factor and that has been known to experts for a long, long time.
Yes, people should instead remember unique sentence long pass phrase that has to be remembered for every single log in and also changes at unique intervals. No flaws there!
I see you do not know current password standards either. For example, the last main security standards body stopped recommending enforced password changes in 2020. Also, in the real world a password effectively stops getting more secure somewhere around 8 to 12 characters if it is handled correctly by the applications and not
Re: (Score:2)
No physical 3D sculpture needed. Seriously.
Re: (Score:2)
Why would that be "too cumbersome"? That just doesn't make any sense.
He's also right, biometric keys should never leave the device. That would be very bad.
Re: (Score:2)
You can turn key sync off.
Re:Passwords in the cloud (Score:5, Informative)
Technically, isn't this just as true with something like LastPass, 1Password or Bitwarden?
They all keep your individual site passwords, encrypted, in the cloud. So a hacker who obtains the "master password" for the password management tool can get to your entire vault.
In reality, people accept that there's always going to be SOME kind of weak link to password security. What you're going for isn't perfection, but rather, a way to enforce reasonable amounts of security while not hampering the usability. (Any of these tools encourage use of strong individual passwords and remove the need to re-use the same few passwords all over the web so the user can remember them.) The master password that allows access to what's in the cloud is never stored in the cloud, on anyone else's computer ... It's only on your own personal computer. So that means data breaches of any of the sites you use won't help them access your password vault. And meanwhile, you presumably/hopefully used strong and unique passwords on the breached site(s) since the password manager made that feasible for you.
Re: (Score:2)
Since synchronization between devices is a feature, it means that either the biometric base data is backed up and synchronized, or the underlying encryption key is (in addition to the encrypted data).
In iCloud Keychain, passkeys are end-to-end encrypted, so even Apple can't read them.
Re: (Score:2)
That is why I don't use any of those to store any password that is really secure. Seriously, I don't trust Apple with my banking login, and should not have to.
The private key should be stored on a separate device, I also don't trust my phone or computer, or any device I can install software onto to store that private key.
Something like YubiKey is better.
Re: (Score:2)
This uses Yubikey if you want.
PAM (Pluggable Authentication Modules) has supported this on Solaris, Linux, and MacOS for ages, except for one major detail. The file encryption needed to be decrypted first before you could use PAM, thereby essentially defeating PAM. Core BIOS has shown some potential in fixing this problem, but really, it's because security hasn't really been a concern for most OS companies, including Apple, so it has been a pain to configure.
Re: (Score:2)
WebAuthn is basically private/public keypairs mediated by web browsers. So it's different in that the service getting the authentication is *never* privy to something that might be used to authenticate to another service.
Implemented *properly*, a user should be able to register multiple authenticators, allowing the user to have multiple authenticators without having to sync them.
Re: (Score:2)
I will say that for most people, they are unlikely to register multiple authenticators at the same time, so if a site operator wanted to add webauthn, there's a high chance a normal user will be screwed without their authenticator.
Of course, a recovery process will generally be offered, though that mechanism itself is likely to represent a path to overcome the security. Generally it's given a pass since the volume of people recovering from lost authenticator is small enough to allow a bit more tedious audi
Re: (Score:2)
Apple showed how passkeys are backed up within the iCloud Keychain and can be synced
So the credentials (passwords) needed to get to all my websites and other secure stuff are in the cloud and can be synced to new devices? This means to me that Apple has a way to decrypt the data.
There is probably a master key that you will need to enter on the new device in order for it to download the keychain.
It may also involve 2FA with an already signed-in iCloud device to verify that you are trying to add the new device.
Apple can't decrypt your Keychain. Isn't that how Apple Keychain already works?