Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps

Apple, Google, and Microsoft today announced plans to expand support for a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C), promising a faster, easier, and more secure sign‑in process.

Beyond iPhone 13 Better Blue Face ID
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless sign-in option, according to the announcement. Instead of entering a password, users will sign in through the same action that they take multiple times each day to unlock their devices, such as Face ID on the iPhone.

The new approach is described as "radically more secure" compared to passwords and legacy multi-factor technologies, such as one-time passcodes sent over SMS.

Apple, Google, and Microsoft already support FIDO Alliance standards across their platforms, but expanded support will give users two new capabilities for more seamless and secure passwordless sign-ins, as outlined in the announcement:

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a "passkey") on many of their devices, even new ones, without having to reenroll every account.
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the coming year, the announcement said.

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe," said Kurt Knight, Apple's Senior Director of Platform Product Marketing, in a press release.

Popular Stories

Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
iPhone SE Dynamic Island Majin Bu

iPhone SE 4 Leak Shows Dynamic Island, Casts Doubt on Rumored 'iPhone 16E' Name

Monday January 20, 2025 9:01 am PST by
A new iPhone SE is widely rumored to launch this year, and the device has potentially been confirmed today by known leaker Evan Blass. In a private social media post, Blass shared an image of what appears to be source code mentioning an iPhone SE (4th Gen), which casts doubt on the alternative "iPhone 16E" name rumored for the device. However, the name in the source code could be a...
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
iPhone 17 Air Size Feature

'iPhone 17 Air' With Rear Camera Bar Allegedly Shown in Leaked Photo

Tuesday January 21, 2025 12:46 pm PST by
A leaker known as "Majin Bu" today shared an alleged image of a component for the rumored, ultra-thin "iPhone 17 Air" model. The blurry, pixelated image shows a pair of rear iPhone shells with a pill-shaped, raised camera bar along the top. On the left side of the bar, there is a circular cutout that appears to be for a single rear camera. On the right side of the bar, there appears to be an ...
apple power beats pro 2

Powerbeats Pro 2 Coming Soon: Apple to Announce Them 'Imminently'

Sunday January 19, 2025 8:25 am PST by
In September, Apple said that it would be launching Powerbeats Pro 2 in 2025, and it appears the wireless earbuds are coming very soon. Powerbeats Pro 2 images found in iOS 18 code In his Power On newsletter today, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the Powerbeats Pro 2 in regulatory databases last month, Gurman said Apple is...
Generic iOS 18

Everything New in iOS 18.3 Beta 3

Thursday January 16, 2025 12:39 pm PST by
Apple provided the third beta of iOS 18.3 to developers today, and while the betas have so far been light on new features, the third beta makes some major changes to Notification Summaries and also tweaks a few other features. Notification Summary Changes Apple made multiple changes to Notification Summaries in response to complaints about inaccurate summaries of news headlines. For...

Top Rated Comments

bierdybard Avatar
36 months ago

Can someone explain the security of this? Obviously I doubt that my facial data would be shared with the website, but how does it remain secure?

Would website devs need to drastically change how they code websites or would the phone handle the translation between the website asking for a password and the user just being able to scan their face?
Sure! This happens to be an area of interest for me.

The root of this technology is public-key cryptography. With PKC, there are always two related keys: A private key, and a public key. The public key is easily derived from the private key, but the private key cannot be derived from the public key. The public key can decrypt anything encrypted by the private key and vice-versa, but they cannot decrypt things they themselves encrypt without the other key.

When you are signing up, your local device generates the keys, sends the public key to the service you are accessing (this is effectively your "password", but much more secure), and stores the private key in secure storage (so on an iPhone, the Secure Enclave).

In the future, when you log in, the website sends a challenge, which is just a random string of bytes. You unlock the private key on your local device (for iPhone, using biometrics), and sign the challenge locally. A digital signature is a cryptographic hash of the contents of the message being signed (in this case, the server challenge), which is then encrypted with your private key. When you send the signed challenge back to the server, it uses the public key to decrypt the signature (thus verifying it was you that signed the challenge) and then verifies that the hash of the challenge is correct (thus verifying you signed what the server sent and not some other string of bytes). Since the signature both verifies that 1) your private key is the one that created the signature and 2) the challenge the server sent is the one that was signed, you are securely authenticated without needing to send your secret to the server.

Pretty cool, huh?

Edit: answering the other question: Yes, there are some changes that need to be made to websites to handle this. They need to be able to store the public keys, and they need to be able to handle the challenge and response. The WebAuthn standard handles this for websites, and there are a lot of drop-in libraries for just about any web application stack now.
Score: 41 Votes (Like | Disagree)
kiranmk2 Avatar
36 months ago
Hope this works - even using a password manager is more hassle than it needs to be. The use of biometrics will hopefully also remove the need for 2FA codes.
Score: 17 Votes (Like | Disagree)
zorinlynx Avatar
36 months ago
My main concern with "passwordless" logins is authentication from "first principles".

If you don't have any of your own devices, and want to log into your accounts from a brand new, unknown device, what do you do? I have a couple of critical passwords memorized so that I can get into my stuff if I lose all my devices. These companies seem intent on eliminating all passwords, but at some point you have to have a way to log in if you're starting from scratch.

Conversely, if they do have a mechanism for logging in from scratch, how do they secure it so a bad actor can't pretend to be you logging in from scratch?
Score: 15 Votes (Like | Disagree)
mrbobdobolina Avatar
36 months ago
I have relatives who are very vocal about how much they hate [remembering] passwords. I think this would be a welcome convenience for many people if it works as advertised.
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
36 months ago
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
[LIST=1]
* You go widget.com and navigate to its new-account creation page
* Type in what you want your username to be and then click "create account"
* Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
* The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.

Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to login, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc...). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).
Score: 7 Votes (Like | Disagree)
bierdybard Avatar
36 months ago

As a developer, what do I need to do to support this? How does this actually work?

Based on reading Apple's full press release, it sounds to me like this is just:
1 - Your device automatically generates a password when an account is created, the same as Safari can already do.
2 - Your device automatically fills in the password when it's requested, the same as all browsers can already do.
3 - Your devices will automatically sync these passwords with each other, possibly with more interoperability between brands, so, ie, Windows and Linux and Mac and iOS and Android will all implement the same standards so everything will be more seamless when mixing different types of devices together.
4 - The automatic password stuff is all handled in the background, without any UI needing to be involved, so the end user won't ever see a text field that gets populated automatically for them. So from the perspective of a web developer, not much will change. IDK - will this just make it so that input fields of type password and type hidden are rendered the exact same (which is to say, not at all?)
Except it's not passwords, it's public-key cryptography.

If you're running a service, you need to set up the service to handle WebAuthn, or whatever this extended standard will be called.

If you're building a client, you'll need to implement whatever APIs are necessary to do the client-side portion of the authentication. This is what the FIDO standard covers, but again, not sure what the APIs will look like outside of the web browser (again, WebAuthn).

So no, it's not zero-effort, but it is infinitely more secure than either passwords or TOTP (numeric one-time passwords) because the secret never leaves the device. In this scheme, the server only needs the public key, which is not the secret.
Score: 7 Votes (Like | Disagree)