In 2020 we commented here on BDI that Apple was joining the FIDO alliance (Fast Identity Online) formed by companies such as Microsoft, PayPal, Lenovo, Google, Samsung and Intel.

This cross-platform group aims to create a single authentication standard for websites and applications that offers a higher level of security for today’s technological times.

And the result of this joint work is coming now, in iOS 16 and all Apple systems.

In this article, see what this new feature is and how it will work.

The password problem

Currently the classic password system is a problem.

It has become normal to hear about sites and services that have had their data leaked, exposing thousands of user passwords. Those users then have to rush to change them before their accounts are hacked.

To make matters worse, users do not always help. Most choose easy-to-remember (and guessable) passwords and reuse them across multiple accounts, many of them as basic as “123456” or “password”.

Two-factor authentication can help by adding an extra layer of security. But not everyone has the patience for this extra layer, and many services still use SMS as a factor, where the message can easily be intercepted or the number cloned.

For this reason, the idea is to completely change how services authenticate users, using the technology available today.

Login without password

Passkeys protect the user against credential reuse, phishing, server leaks and weak passwords. They also provide a superior and streamlined user experience compared to passwords (even more so if you use two-factor authentication), which should help drive adoption.

Password-only authentication is one of the biggest security issues on the internet. Also, having so many passwords can be a nuisance for users, who often repeat the same password across multiple services, which can lead to digital account theft, data leakage, and even identity theft. While password managers and two-factor authentication bring some improvements, the entire industry has collaborated to create a more convenient and secure login technology. Passkeys are a new login method with end-to-end encryption and protection against phishing and data leakage. This makes them much more secure than common types of two-factor authentication. They also work on non-Apple devices.

This authentication can be done directly on the device, through biometrics. So there’s no way for someone on the other side of the world to access your account other than you.

How passkeys work

The passkey feature has existed on the iPhone since iOS 15. Now, however, it has evolved and is also compatible with Android and Windows.

Passkeys link a digital key to your user account and then confirm that you are the one logging in via a fingerprint or face scan.

To create a new passkey with a supported app or website, simply enter a username and authenticate with Touch ID or Face ID.

Your passkey is generated and synced with iCloud Keychain.

As each passkey is unique and linked only to a specific website or application, if the user is tricked into visiting a fake website that tries to steal their data, the login does not happen and the data is not transmitted.

And since the passkey never leaves your device and requires your biometrics to be authenticated, it cannot be leaked or stolen.
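The site binding described above can be shown with a small simulation. This is an added example, not Apple's or the FIDO Alliance's code: it is a simplified WebAuthn-style exchange in Node.js, and the host names, function names and the rule that the site identifier is simply the host name are assumptions made for illustration.

```javascript
// Added illustration: simplified WebAuthn-style sign-in check, not a full implementation.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed sample values: example.test stands for the real site.
const RP_ID = "example.test";
const RP_ORIGIN = "https://example.test";

// Device side: one key pair per site; only the public key is given to the server.
const deviceKeys = new Map();
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  deviceKeys.set(rpId, privateKey);
  return publicKey;
}

// Browser and authenticator: the browser, not the page, records the origin it is on.
// Assumption for this sketch: the site identifier is simply the host name.
function signIn(pageOrigin, challenge) {
  const rpId = new URL(pageOrigin).hostname;
  const privateKey = deviceKeys.get(rpId);
  if (!privateKey) return null; // no passkey for this site, so nothing is sent
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin: pageOrigin }));
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 0])]); // flags + counter
  const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: check the challenge, the origin and the site hash before the signature.
function verify(assertion, publicKey, expectedChallenge) {
  if (!assertion) return "no-assertion";
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge) return "wrong-challenge";
  if (client.origin !== RP_ORIGIN) return "wrong-origin";
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong-rp-id";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad-signature";
}

// Demo: the same challenge on the real site and on a look-alike (constructed names).
function demo() {
  const publicKey = register(RP_ID);
  const challenge = crypto.randomBytes(16).toString("hex");
  return ["https://example.test", "https://examp1e.test"].map(
    (origin) => `${origin}: ${verify(signIn(origin, challenge), publicKey, challenge)}`);
}
console.log(demo().join("\n"));
```

The look-alike host has no key on the device, so no response is produced there, and a response signed for any other origin fails the server's origin check.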

Login uses the autocomplete system you are already familiar with and there are no steps beyond confirming your username and authenticating. In other words, you tap and enter. It’s a one-step flow, without the need for additional security requirements like two-factor authentication.

Accessing on other platforms

OK, you signed up for a website on your iPhone using a passkey. Does that mean you’ll be stuck with Apple’s system forever? (as mentioned in the other article)

No! That’s the beauty of standardization.

Google and Microsoft will also implement this same process on their systems, which means that if you want to log into the account on a Windows PC or even an Android device, you can authenticate with your iPhone. And vice versa.

For this, the website will show the option to authenticate with a QR code, which must be scanned by the device you are connected to.

This functionality will already be available in iOS 16, but it depends on each developer implementing it in their own applications.

Apple has provided extensive documentation for devs, so that as many applications as possible support the new feature as soon as possible.

As it is something that also involves Google and Microsoft, it is believed that it is only a matter of time before this type of authentication becomes an industry standard, and can be used by everyone.