Apple takes significant step towards biometric passwordless authentication
Apple is reportedly testing a new feature on iPhones and other devices allowing users to log in using passkeys with biometric security, the company said at its flagship WWDC conference last week.
The announcement was made by Garret Davidson, an engineer on Apple’s Authentication Experience team, during a developer session named ‘Move Beyond Passwords.’
The new technology is part of iCloud Keychains and will enable Apple device users to set up a username for an account, then associate biometric information with it using FaceID or Touch ID technologies.
A passkey is then generated and synchronized across a user’s Apple devices, enabling login action by face or fingerprint biometrics and de facto eliminating the use of any traditional passwords.
“Most authentication today relies on the user and server sharing a secret – like a password – when the account is created, and resharing that secret during every authentication,” Davidson said at the event.
“Each time that secret is shared, there’s a risk that someone other than the intended recipient learns that secret.”
To circumvent this issue, passkeys technology is based on WebAuthn, a web standard and core component of the FIDO2 Project.
“That exchange works like this,” Davidson explained. “First, I go to sign in to my account. Then, the website asks my device to prove that it’s actually my account. It does this by performing what’s called a ‘challenge’ for me to prove that my device has the private key associated with my account’s public key without actually saying what my private key is.”
In order to perform this action, the server sends back a single-use challenge. The user device has the private key, so it takes that challenge and ‘signs’ it, using the private key.
“Only my private key can produce a valid signature for my account. This signature then gets sent back to the server. The server already has my public key, so it can check this signature against that public key,” Davidson said.
For context, anyone with a user’s public key can check if a signature matches that key.
“However, only I can create a valid signature for the challenge because only I have the private key,” Davidson specified. “Therefore, anyone can easily verify my identity without ever learning what my secret is. And finally, assuming the signature does actually match my public key, the server tells me I’m signed in!”
Following this procedure, users’ private keys never leave their devices. The server is simply able to verify their account without ever learning what the private key is.
Apple’s passkeys currently work only with the company’s consumer devices with built-in biometrics, but the Cupertino-based firm said it recognized the potential of cross-platform support on Windows and Android devices and is currently in talks with industry partners at the FIDO Alliance and the World Wide Web Consortium (W3C).
Passkeys should be available for testing on Apple devices running iOS 15 and macOS Monterey later this year.