Passkeys: New Apple password app could ensure faster distribution

Simply log in to web services without a password using a device PIN, fingerprint or face scan: What sounded like a dream of the future two years ago, when Apple first presented the concept at the WWDC developer conference under the name Passkeys, is now a reality. Passkeys, the FIDO2-based login standard, which is set to replace the password as the default login method on the Internet in the medium term, is becoming a reality for users. Major web services such as Google, PayPal and Amazon offer the secure login procedure, the major browsers support it and even the payment service providers Visa and Mastercard are joining in and protecting online payments via Passkey.

Nevertheless, the passwordless, phishing-resistant login procedure is still far from being used by the majority of internet users. According to a survey conducted by the German Federal Office for Information Security (BSI), this is partly due to a lack of awareness of the procedure. Although 38 percent of those surveyed were aware of the term passkey, only 18 percent said they actually used it. Among the majority of passkey users surveyed, 72%, the procedure enjoys a high or very high level of trust. Among other things, they rated the high level of user-friendliness positively.

This is actually continuing to improve. Until now, Passkey users had to make a well-considered decision on which of the five key management options to choose. Not all of them allow the secure passkeys to be used across all operating systems. Google has now added a new feature to its Chrome browser that at least partially overcomes this point of criticism: it allows cross-operating system storage and use under Android and on desktop devices under Windows, ChromeOS, Linux and macOS.

A full 44% of those surveyed by the BSI are skeptical about the login procedure. They are particularly concerned about security and complexity, and some want to wait for explicit usage recommendations first. According to the BSI, the option to use a passkey is "often difficult for consumers to recognize and is therefore often confused with other procedures". The agency believes that providers have a duty to provide better information. In any case, the authority has now issued a clear recommendation to use passkeys where possible.

Passwords app with automatic passkey setup function

With the recently released operating system updates – namely iOS 18, iPadOS 18 and macOS Sequoia – being rolled out to Apple devices, these have a new version of the system's own key management system in their luggage. This could make it easier for providers to introduce users to the passwordless login procedure in future: It is easier to find than before and could encourage more Internet users to use a key management system, which would mean they have already mastered the first requirement for passkey use. "Apple Passwords", as the password management function of Apple devices has been called since iOS 17.4, is no longer hidden as part of the keychain management in the system settings, but pre-installed on the devices as a stand-alone app with a new user interface.

The Passwords app can now be found in the Applications subfolder on the Mac. On the iPhone and iPad, the app icon has sneaked onto the home screens with the update to iOS 18. The new version has a colorful user interface, meets more than the basic requirements of a password manager and also implements a new feature of the FIDO2 standard WebAuthn, which should promote the further spread of passkeys: Through the new so-called WebAuthn Conditional Registration Extension , Apple's Passwords app can automatically set up passkeys for its users with web services. The prerequisite is that the browser used and the web service in question support the WebAuthn extension. Currently, this only applies to Safari version 18 or higher; however, popular web services such as Google or GitHub do not yet appear to have implemented the function.

(kst)