FB pixel

Apple takes significant step towards biometric passwordless authentication

Using passkeys in iCloud Keychain with Face ID and Touch ID
 

apple logo building

Apple is reportedly testing a new feature on iPhones and other devices allowing users to log in using passkeys with biometric security, the company said at its flagship WWDC conference last week.

The announcement was made by Garret Davidson, an engineer on Apple’s Authentication Experience team, during a developer session named ‘Move Beyond Passwords.’

The new technology is part of iCloud Keychains and will enable Apple device users to set up a username for an account, then associate biometric information with it using FaceID or Touch ID technologies.

A passkey is then generated and synchronized across a user’s Apple devices, enabling login action by face or fingerprint biometrics and de facto eliminating the use of any traditional passwords.

“Most authentication today relies on the user and server sharing a secret – like a password – when the account is created, and resharing that secret during every authentication,” Davidson said at the event.

“Each time that secret is shared, there’s a risk that someone other than the intended recipient learns that secret.”

To circumvent this issue, passkeys technology is based on WebAuthn, a web standard and core component of the FIDO2 Project.

“That exchange works like this,” Davidson explained. “First, I go to sign in to my account. Then, the website asks my device to prove that it’s actually my account. It does this by performing what’s called a ‘challenge’ for me to prove that my device has the private key associated with my account’s public key without actually saying what my private key is.”

In order to perform this action, the server sends back a single-use challenge. The user device has the private key, so it takes that challenge and ‘signs’ it, using the private key.

“Only my private key can produce a valid signature for my account. This signature then gets sent back to the server. The server already has my public key, so it can check this signature against that public key,” Davidson said.

For context, anyone with a user’s public key can check if a signature matches that key.

“However, only I can create a valid signature for the challenge because only I have the private key,” Davidson specified. “Therefore, anyone can easily verify my identity without ever learning what my secret is. And finally, assuming the signature does actually match my public key, the server tells me I’m signed in!”

Following this procedure, users’ private keys never leave their devices. The server is simply able to verify their account without ever learning what the private key is.

Apple’s passkeys currently work only with the company’s consumer devices with built-in biometrics, but the Cupertino-based firm said it recognized the potential of cross-platform support on Windows and Android devices and is currently in talks with industry partners at the FIDO Alliance and the World Wide Web Consortium (W3C).

Passkeys should be available for testing on Apple devices running iOS 15 and macOS Monterey later this year.

Article Topics

 |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Real-time remote biometrics banned in EU with final green light for AI Act

The European Union’s Artificial Intelligence Act received a final green light allowing it to become the world’s first major regulation…

 

Ethiopian capital Addis Ababa unveiled as host of 2025 ID4Africa AGM

It’s not only the case with sporting events like the FIFA World Cup, or the Olympic Games. The host of…

 

Ryanair accused of GDPR violations with biometric passenger verification

Travel policy advocacy group eu travel tech has lodged a formal complaint with the French and Belgian Data Protection Authorities…

 

Police in US cities that ban facial recognition asking others to do it for them

A major report in the Washington Post has found that law enforcement officers in U.S. several cities where facial recognition…

 

European Union Digital Identity Regulation takes effect

The European Union Digital Identity (EUDI) Regulation entered into force on Monday meaning that Member States will be required to…

 

Real-world insight into building impactful digital ID programs at ID4Africa Day 2

Executives of digital ID and biometrics companies took the front seat on Day 2 of the ID4Africa annual general meeting…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events