FB pixel

Apple takes significant step towards biometric passwordless authentication

Using passkeys in iCloud Keychain with Face ID and Touch ID
 

apple logo building

Apple is reportedly testing a new feature on iPhones and other devices allowing users to log in using passkeys with biometric security, the company said at its flagship WWDC conference last week.

The announcement was made by Garret Davidson, an engineer on Apple’s Authentication Experience team, during a developer session named ‘Move Beyond Passwords.’

The new technology is part of iCloud Keychains and will enable Apple device users to set up a username for an account, then associate biometric information with it using FaceID or Touch ID technologies.

A passkey is then generated and synchronized across a user’s Apple devices, enabling login action by face or fingerprint biometrics and de facto eliminating the use of any traditional passwords.

“Most authentication today relies on the user and server sharing a secret – like a password – when the account is created, and resharing that secret during every authentication,” Davidson said at the event.

“Each time that secret is shared, there’s a risk that someone other than the intended recipient learns that secret.”

To circumvent this issue, passkeys technology is based on WebAuthn, a web standard and core component of the FIDO2 Project.

“That exchange works like this,” Davidson explained. “First, I go to sign in to my account. Then, the website asks my device to prove that it’s actually my account. It does this by performing what’s called a ‘challenge’ for me to prove that my device has the private key associated with my account’s public key without actually saying what my private key is.”

In order to perform this action, the server sends back a single-use challenge. The user device has the private key, so it takes that challenge and ‘signs’ it, using the private key.

“Only my private key can produce a valid signature for my account. This signature then gets sent back to the server. The server already has my public key, so it can check this signature against that public key,” Davidson said.

For context, anyone with a user’s public key can check if a signature matches that key.

“However, only I can create a valid signature for the challenge because only I have the private key,” Davidson specified. “Therefore, anyone can easily verify my identity without ever learning what my secret is. And finally, assuming the signature does actually match my public key, the server tells me I’m signed in!”

Following this procedure, users’ private keys never leave their devices. The server is simply able to verify their account without ever learning what the private key is.

Apple’s passkeys currently work only with the company’s consumer devices with built-in biometrics, but the Cupertino-based firm said it recognized the potential of cross-platform support on Windows and Android devices and is currently in talks with industry partners at the FIDO Alliance and the World Wide Web Consortium (W3C).

Passkeys should be available for testing on Apple devices running iOS 15 and macOS Monterey later this year.

Article Topics

 |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

New PIA for US Secret Service’s use of facial recognition raises questions

The U.S. Department of Homeland Security (DHS) issued a new Privacy Impact Assessment (PIA) for the U.S. Secret Service’s (USSS)…

 

Report explores efforts to curb environmental risks posed by identity documents

In the past couple of years, the identity industry has been involved in efforts to shift away from the use…

 

Malta opposition party demands minister’s resignation over ID card fraud scandal

Malta’s Green Party, ADPD, has intensified its demands for the resignation of a Maltese government minister following revelations of a…

 

Philippines’ central bank enters arbitration over failed ID card project

After the Philippines’ central bank decided to cancel its contract with identification system company AllCard Inc. (ACI) to produce the…

 

Visa biometrics provider VFS in talks to sell minority stake to Temasek

A significant minority stake of about 20 percent in the Blackstone-owned digital services outsourcing company VFS Global might be sold…

 

UK Virgin Islands launch digital transformation tender

Tourist hotspots Thailand, Sri Lanka, the Seychelles and the Virgin Islands are not just offering beaches and sunshine, they are…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events