Apple has shown everyone how it's done once again. In early May 2022, Apple, Google and Microsoft jointly announced that passwordless login with security keys would arrive "sometime in 2023". Now the iPhone maker has built its version of the login - Apple calls them "passkeys" - right into its new mobile operating system, iOS 16. It has been available to users since Monday.
Logging into websites and apps without tiresome passwords has been a long-cherished dream for many years. It is immediately obvious why. Security measures are among the most annoying things the Internet has to offer its users. At least twice a year, reputable media explain what a good password should look like ("definitely not words from the dictionary!") and that it would really help if users turned on two-factor authentication for all relevant logins - an extra layer of protection that many websites offer.
Nevertheless, new data leaks with millions of user names and passwords appear on the Internet every week. And "password" and "123456" are still among the most used passwords on the web. This statistic may be skewed by some effects; for example, the accounts that get hijacked and end up in such leaks are often ones that were not important to their users in the first place. Still, the bottom line is that people are obviously not made for passwords.
Cell phone instead of additional hardware
The initiators of the FIDO Alliance thought so too. For years they have been working on a security standard that does not require passwords. In principle, this has worked reliably for a long time, for example with the help of small USB keys like the YubiKey. So far, these have mainly been used in large companies. Technically, the whole thing rests on asymmetric (public-key) cryptography, the same family of techniques known from PGP e-mail encryption, although here it is used for digital signatures rather than for encrypting anything. The core of the process is a key pair: a public key and a secret, private key. For this to work for logins, users must set up the procedure on every website. There, their device generates a new key pair; the public key is stored on the website's servers, while the private key never leaves the device. Access to the account is granted only to someone who can prove possession of the matching private key, by signing a fresh, random challenge that the website sends with every login attempt.
A YubiKey or similar hardware device still had to be plugged into the computer so that it could answer that challenge. The latest version of the FIDO standard, on the other hand, makes something remarkable possible: users simply generate such a key pair in software on their mobile device. That saves an additional gadget; everyone has their phone with them anyway. If the login happens on a nearby computer, the phone and the computer communicate over Bluetooth. Only the signed response travels that way, never the private key itself, and the Bluetooth proximity check ensures that the phone is actually next to the computer the user is sitting at. When a user opens a page that requires a login, all she has to do is enter her user name and press Login. The website sends its challenge, the phone signs it after the user has unlocked it (on the iPhone with Face ID, Touch ID or the device passcode), and the website verifies the signature against the stored public key before letting the user into the account. Should the iPhone ever be lost, the accounts are not lost with it: Apple synchronizes passkeys across the user's devices through iCloud Keychain, end-to-end encrypted, so they can be restored on a new device.
This defeats the classic form of phishing - harvesting user names and passwords through fake websites to which users are lured by email, for example. A passkey is bound to the domain of the website it was created for, so the phone will not even offer it to a look-alike site, and there is no password for the victim to type in. This type of attack is the great weakness of the password system. Thousands of cybercriminals could now be out of work, and the Internet could become much safer.
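To make the mechanism described in the last three paragraphs concrete, here is an added example in Go (not code from Apple, the FIDO Alliance or this article) that models the passkey flow: the phone generates one key pair per website and keeps the private key, the website stores only the public key, each login is a signature over a fresh random challenge from the server, and the phone only looks up a key for the domain the browser actually reports, which is what leaves a phishing site empty-handed. The domains example.com and examp1e.com and the user name "alice" are constructed for the example; the "origin|challenge" message layout is a simplification of what WebAuthn actually signs (authenticatorData concatenated with the hash of clientDataJSON), and the Bluetooth transport, biometric unlock and iCloud synchronization are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone: private keys are generated here, never leave
// this struct, and are filed under the domain they were created for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // domain -> private key
}

// Register creates a fresh P-256 key pair for domain and returns only the public half.
func (a *Authenticator) Register(domain string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[domain] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge shown by origin. The key is looked up by the
// origin the browser reports, so a look-alike phishing domain finds nothing.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// signedData binds the origin into the signed message. Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); "origin|challenge" is a simplification.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// RelyingParty models the website, which stores public keys only.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey // user name -> public key
}

// NewChallenge issues 32 fresh random bytes per login attempt, which defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the response against the stored public key and the site's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// setup enrolls "alice" at the real site (constructed domain) and returns both sides.
func setup() (*RelyingParty, *Authenticator) {
	rp := &RelyingParty{ID: "example.com", users: map[string]*ecdsa.PublicKey{}}
	phone := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := phone.Register(rp.ID)
	if err != nil {
		panic(err)
	}
	rp.users["alice"] = pub // only the public key ever reaches the server
	return rp, phone
}

// HonestLogin performs one challenge-response round trip with the real site.
func HonestLogin() bool {
	rp, phone := setup()
	ch := rp.NewChallenge()
	sig, err := phone.Sign(rp.ID, ch)
	if err != nil {
		return false
	}
	return rp.Verify("alice", ch, sig)
}

// PhishedLogin: a look-alike site (constructed name) relays the real site's
// challenge; the phone has no key for that origin and returns an error.
func PhishedLogin() error {
	rp, phone := setup()
	_, err := phone.Sign("examp1e.com", rp.NewChallenge())
	return err
}

func main() {
	fmt.Println("honest login accepted:", HonestLogin())
	fmt.Println("phished login:", PhishedLogin())
}
```

The point to notice is that the website never learns a secret it could leak, and the phone decides which key to use from the domain the browser reports rather than from anything the page displays, so a convincing copy of the login form at a different address gets no signature at all.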
But the brave new passwordless world is still a long time coming, even at Apple. As is so often the case, being a pioneer is pretty lonely. According to users on the Internet forum Reddit, the iPhone can already be registered as a security key on numerous websites, but so far only as an additional security feature within two-factor authentication - i.e. as an alternative to an authenticator app, SMS codes or a YubiKey. While this is still useful for security-minded users, they still need a password: it remains the first of the two factors. Passwordless login will remain theory until other popular websites and apps offer the procedure.