Apple wants to free the world from password hell

Bank account, identity, access to office software: passwords are as essential as they are annoying (and not necessarily secure). But Apple has decided to free us from it.

With the next software update for iPhones, iPads and other Macs this fall, users will be able to connect to their various online accounts without having to enter their password or delegate this task to a manager. The Apple brand technology will generate a unique (and innovative) access code, called “passkey”, which will allow authentication by facial recognition or fingerprints.

Passwords have long been used to secure online accounts, but they are far from perfect. Even if it is recommended to create a complex password per account, Internet users often tend to recycle the same one, get tricked and connect to fake sites or see their details disseminated after hacks. Password managers improve things a bit, but anyone who manages to recover the general password has access to all your accounts.

Apple’s device (and similar ones from other tech giants) intends to fix these issues and replace passwords altogether. Its objective, explained last week Darin Adler, vice-president of Apple in charge of digital technologies during the Worldwide Developers Conference of the group, is to offer a solution that is both safer and simpler.

These codes are unique, so they are never reused. They are compatible with Apple and other devices, as well as old and new accounts. You can store them on your device (and not on the Apple server, application or website): hackers who break into these sites will therefore fail. And since there is no password to communicate, they are impervious to phishing.

“The codes are in the depths of the operating system, explains Ondrej Krehel, head of digital investigations and incident management at SecurityScorecard, a cybersecurity platform. Which should be enough to put most hackers off, because they’ll have a hard time finding anything usable. »

Passwords, resign!

The Cupertino company is not the only one dreaming of a password-free future. Its passkey system is indeed a standard established by the Fast Identity Online Alliance (Fido for short), which brings together more than 250 technology companies, including Microsoft and Google. Fido has been working on the question of a single online authentication format for almost a decade.

With older versions of the standard, you had to enter the password for each account once and then be able to connect to it without re-entering them. The new generation removes this requirement and allows companies to adopt different approaches: biometric authentication, security keys, PIN codes stored on a device…

Access codes such as those that Apple will offer are made up of two elements: a public code, which is on the service provider’s server, and a private code, which is on the user’s device. Apple connects them and offers a connection by Face ID or Touch ID, the only part visible to users

“The central idea, explains Andrew Shikiar, Executive Director and Marketing Director of Fido, is that there are no more secrets that can be deciphered by a human on the Internet. “Eventually, we will no longer connect at all as we do today,” he adds.

The fact that millions of Apple customers will have access to passwordless login within months (when they download iOS 16 or macOS Ventura) will give Fido a boost, experts say.

“People have to remember hundreds of passwords these days, so passcodes are a huge step forward,” said Mike Newman, managing director of My1Login, a security specialist Passwords.

How it works ?

Access codes such as those that Apple will offer are made up of two elements: a public code, which is on the service provider’s server, and a private code, which is on the user’s device. Apple connects them and offers a connection by Face ID or Touch ID, the only part visible to users.

At the first connection, instead of creating a password, you will have to show the tip of your nose or your fingers to your Apple device. If it’s an iPad or a Mac, Touch ID will take care of the recognition. If it’s an iPhone, it will be Face ID.

Once activated, the passkeys will be stored on the iCloud keychain (Apple’s password management system) so that they are accessible from all the brand’s devices (computers, iPhone, iPad and Apple TV). For the system to work, however, developers will have to integrate this technology, which may initially hamper its generalization.

Classic connections can be replaced by a connection without a password.

Imagine your bank switching to Apple passkeys. When you connect to your account from your application, you will no longer need to enter your username and password: the username will be enough to launch Face ID. And presto, connection established!

It is also possible to use it to connect to the service from a non-Apple device, but the procedure is a little longer. From the Chrome browser or a computer running Windows, you must enter your username, then click on “connect”; a pop-up window then asks you if you want to verify your identity, then displays a QR code that must be scanned with the camera of the iPhone or iPad, then click on “continue” and use Face ID .

Some developers may never switch to passwordless login, and others may continue to keep passwords, at least to cover their backs. As it stands, it still requires an old-fashioned password to secure the iCloud Keychain, but mankind has never been closer to a brighter tomorrow.

(Translated from the original English version by Marion Issard)

Leave a Comment