When iOS 18 debuts in September, Apple will bring myriad new security features to users. But the company will also debut a new API for app and website developers that will protect users in more fundamental way. This new API will allow developers to create passkeys for users automatically, which will enable users to log in without their password. The move is meant to help spur wider adoption of passkey technology, which aims to create a password-less future while safeguarding user data like never before—something very on-brand for Apple. Here’s what you need to know.
What are passkeys?
Passkeys are passwordless login options for apps and websites. They consist of two parts: a “private key” saved on your device and an associated “public key” residing with the service or website linked to your account. The keys need to match precisely, through an encrypted dialogue, for you to get access to the account.
But first, you need to prove that you are the owner of your key. You can do this by taking the same step that you take to unlock your device—via facial or fingerprint identification or PIN code. Once your device verifies that it is you trying to gain access to the passkey-protected account, the service or website will check to see if the keys match and then let you in—no passwords or additional 2FA codes needed.
That might sound like a lot of steps, but in reality, it is nearly instantaneous and feels nearly identical to how we’re all used to unlocking our phones today. In the app or website you have a passkey saved for, just tap the login button and your phone will authenticate it’s really you and you’ll be granted access.
Why are passkeys better than passwords?
The problem with current login systems, which typically feature a username and password, is that they have a glaring weak point: us, the users.
Many people use the same password for multiple accounts, so if a bad actor learns a user’s login information for one website, they will likely be able to access the user’s accounts at other websites, too. Passwords also leave users open to phishing attempts, where a bad actor gets the user to hand over the password—either directly or by getting them to reveal it in a roundabout way.
Over the years, the tech industry has tried to strengthen the security of password login systems by adding multifactor authentication (MFA) as an additional requirement when a user tries to log into an account. MFA is the code that is texted or emailed to you, or copied from an authenticator app. But the problem is that MFA codes can be intercepted or phished pretty easily too, by a skilled bad actor.
That’s where passkeys come in. They are cryptographically tied to an individual account and require sign-in by the actual user (via their biometric or device-unlock mechanism). Because of this, passkeys can’t be phished or guessed by an attacker. And if a passkey were somehow stolen and added to a bad actor’s device, it would become useless because the thief wouldn’t have access to the true owner’s biometrics.
Plus, since a passkey is linked to a specific app or website, users can’t be tricked into authenticating themselves on an app or site that’s imitating the real thing.
Who created passkeys?
Apple has been supporting passkeys since iOS 16, and though Apple is pushing passkey support hard in its upcoming operating systems, including iOS 18 and macOS Sequoia (via a new developer API that allows apps and websites to automatically create passkeys for users) Apple didn’t invent passkeys. At least not by itself.
Passkeys were devised by the FIDO Alliance, an association of tech giants that aims to strengthen authentication methods by eliminating the rather vulnerable password system that the world has used since the internet’s first days. Apple, Microsoft, and Google are members of the FIDO Alliance board, as are Amazon, Dell, Intuit, Meta, NTT, PayPal, Samsung, and others.
How do I use passkeys?
If a website or app offers passkey support, it will usually prompt you to create one. Sometimes, however, you’ll need to go to your account’s security settings (usually under the “login” section) and manually initiate the passkey creation. Creating a passkey is as simple as clicking a button. It will then be automatically saved to your device’s password manager, such as the iPhone’s iCloud Keychain.
Once you have the passkey created, logging into a website or app couldn’t be easier. Simply enter your username and then click the “login with passkey” button. Your phone’s biometric authentication system will then confirm that it’s you logging in, and you’ll be granted access. Logging in with a passkey happens in a second—much quicker than filling in your password and then waiting to enter an MFA code, too.
What sites and apps support passkeys?
There is an online directory called Passkeys.directory that tracks sites and apps that offer passkey support. Major sites and apps that already support passkeys include Adobe, Amazon, Apple, Best Buy, Coinbase, CVS, Docomo, Docusign, eBay, GitHub, Google, Home Depot, Kayak, LinkedIn, Microsoft, Nintendo, PayPal, Robinhood, Shopify, Sony, Target, TikTok, Uber, WhatsApp, X, and Yahoo.
However, Passkeys.directory also tracks the major sites and apps that haven’t currently rolled out passkey support, and lets users vote who which sites they most want to see add a passkey option. The top sites and apps people are hoping to see passkey support for include Steam, Netflix, Signal, Reddit, ChaptGPT, Instagram, Facebook, Zoom, and Airbnb.
Where are the banks?
Given that passkeys are resistant to all known forms of phishing and offer much greater security than passwords and current standard MFA systems, you’d think banks would be rushing to adopt the technology. But since Google, Microsoft, and Apple began adding passkey support to their browsers and operating systems in 2022, few of America’s banks—large or small—have implemented passkeys.
Andrew Shikiar, CEO and executive director of the FIDO Alliance, offered me a few reasons why this may be. The most significant is that banks have regulatory and compliance concerns that, for example, shopping or social media websites do not.
“Banks and financial institutions operate in a highly regulated industry, so they are vigilant when it comes to ensuring that user authentication complies with relevant regulations,” Shikiar said. “Synced passkeys introduce a new customer assurance model that compliance leads within banks are still adjusting to.”
However, Shikiar noted that “we are now seeing regulatory and other government bodies begin to give formal guidance on how industry should contemplate passkeys,” including an April 2024 missive from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) offering guidance about implementation.
But Shikiar says that “banks are hypersensitive to customer experience,” too, and thus more cautious about making changes to the way people login—even if passkeys are quicker and more secure. New login methods require educating customers—and that takes time.
Despite these bottlenecks, Shikiar says that banks are slowly moving away from strictly password-based logins because they “inherently understand that using a passkey as a primary factor is far superior to a password.”
Passkeys and the future
Apple’s iOS operating system has more than a billion users, and when iOS 18 rolls out to the public this fall it will be easier than ever for users to transition their accounts to passkey logins (they can permit apps and websites to do this automatically with the flip of a system settings toggle). Google and Microsoft are likely to follow suit with similar features.
Passkeys won’t eliminate password logins any time soon. Users will still have a password they can use to log in to their account if they choose. But the day will come when you create an account without being asked to create a password at all—and your accounts will be more secure than ever.