Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps

Apple, Google, and Microsoft today announced plans to expand support for a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C), promising a faster, easier, and more secure sign‑in process.

Beyond iPhone 13 Better Blue Face ID
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless sign-in option, according to the announcement. Instead of entering a password, users will sign in through the same action that they take multiple times each day to unlock their devices, such as Face ID on the iPhone.

The new approach is described as "radically more secure" compared to passwords and legacy multi-factor technologies, such as one-time passcodes sent over SMS.

Apple, Google, and Microsoft already support FIDO Alliance standards across their platforms, but expanded support will give users two new capabilities for more seamless and secure passwordless sign-ins, as outlined in the announcement:

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a "passkey") on many of their devices, even new ones, without having to reenroll every account.
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the coming year, the announcement said.

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe," said Kurt Knight, Apple's Senior Director of Platform Product Marketing, in a press release.

Top Rated Comments

bierdybard Avatar
3 weeks ago

Can someone explain the security of this? Obviously I doubt that my facial data would be shared with the website, but how does it remain secure?

Would website devs need to drastically change how they code websites or would the phone handle the translation between the website asking for a password and the user just being able to scan their face?
Sure! This happens to be an area of interest for me.

The root of this technology is public-key cryptography. With PKC, there are always two related keys: A private key, and a public key. The public key is easily derived from the private key, but the private key cannot be derived from the public key. The public key can decrypt anything encrypted by the private key and vice-versa, but they cannot decrypt things they themselves encrypt without the other key.

When you are signing up, your local device generates the keys, sends the public key to the service you are accessing (this is effectively your "password", but much more secure), and stores the private key in secure storage (so on an iPhone, the Secure Enclave).

In the future, when you log in, the website sends a challenge, which is just a random string of bytes. You unlock the private key on your local device (for iPhone, using biometrics), and sign the challenge locally. A digital signature is a cryptographic hash of the contents of the message being signed (in this case, the server challenge), which is then encrypted with your private key. When you send the signed challenge back to the server, it uses the public key to decrypt the signature (thus verifying it was you that signed the challenge) and then verifies that the hash of the challenge is correct (thus verifying you signed what the server sent and not some other string of bytes). Since the signature both verifies that 1) your private key is the one that created the signature and 2) the challenge the server sent is the one that was signed, you are securely authenticated without needing to send your secret to the server.

Pretty cool, huh?

Edit: answering the other question: Yes, there are some changes that need to be made to websites to handle this. They need to be able to store the public keys, and they need to be able to handle the challenge and response. The WebAuthn standard handles this for websites, and there are a lot of drop-in libraries for just about any web application stack now.
Score: 40 Votes (Like | Disagree)
kiranmk2 Avatar
3 weeks ago
Hope this works - even using a password manager is more hassle than it needs to be. The use of biometrics will hopefully also remove the need for 2FA codes.
Score: 17 Votes (Like | Disagree)
zorinlynx Avatar
3 weeks ago
My main concern with "passwordless" logins is authentication from "first principles".

If you don't have any of your own devices, and want to log into your accounts from a brand new, unknown device, what do you do? I have a couple of critical passwords memorized so that I can get into my stuff if I lose all my devices. These companies seem intent on eliminating all passwords, but at some point you have to have a way to log in if you're starting from scratch.

Conversely, if they do have a mechanism for logging in from scratch, how do they secure it so a bad actor can't pretend to be you logging in from scratch?
Score: 15 Votes (Like | Disagree)
mrbobdobolina Avatar
3 weeks ago
I have relatives who are very vocal about how much they hate [remembering] passwords. I think this would be a welcome convenience for many people if it works as advertised.
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
3 weeks ago
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
[LIST=1]
* You go widget.com and navigate to its new-account creation page
* Type in what you want your username to be and then click "create account"
* Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
* The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.

Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to login, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc...). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).
Score: 7 Votes (Like | Disagree)
bierdybard Avatar
3 weeks ago

As a developer, what do I need to do to support this? How does this actually work?

Based on reading Apple's full press release, it sounds to me like this is just:
1 - Your device automatically generates a password when an account is created, the same as Safari can already do.
2 - Your device automatically fills in the password when it's requested, the same as all browsers can already do.
3 - Your devices will automatically sync these passwords with each other, possibly with more interoperability between brands, so, ie, Windows and Linux and Mac and iOS and Android will all implement the same standards so everything will be more seamless when mixing different types of devices together.
4 - The automatic password stuff is all handled in the background, without any UI needing to be involved, so the end user won't ever see a text field that gets populated automatically for them. So from the perspective of a web developer, not much will change. IDK - will this just make it so that input fields of type password and type hidden are rendered the exact same (which is to say, not at all?)
Except it's not passwords, it's public-key cryptography.

If you're running a service, you need to set up the service to handle WebAuthn, or whatever this extended standard will be called.

If you're building a client, you'll need to implement whatever APIs are necessary to do the client-side portion of the authentication. This is what the FIDO standard covers, but again, not sure what the APIs will look like outside of the web browser (again, WebAuthn).

So no, it's not zero-effort, but it is infinitely more secure than either passwords or TOTP (numeric one-time passwords) because the secret never leaves the device. In this scheme, the server only needs the public key, which is not the secret.
Score: 7 Votes (Like | Disagree)

Related Stories

1password deal blue

Deals: 1Password Offering 50% Off First Year of Individual and Family Plans

Friday May 20, 2022 6:46 am PDT by
1Password has introduced a new deal this week, offering 50 percent off the first year of both its individual and family plans. Like previous offers, this sale is available for new 1Password subscribers only, and it does not require a coupon code. Note: MacRumors is an affiliate partner with 1Password. When you click a link and make a purchase, we may receive a small payment, which helps us...
1password 8 for mac

1Password 8 for Mac Released With New Design and Features

Tuesday May 3, 2022 7:12 am PDT by
AgileBits today announced the release of 1Password 8 for Mac with a redesigned interface and several new features. The popular password manager has been redesigned to better match the look of macOS Monterey, from the sidebar and unified toolbar to the typography and iconography. The new design language extends to 1Password for Safari on the Mac. 1Password 8 improves productivity with a...
iOS 15

Apple Stops Signing iOS 15.4.1 Following iOS 15.5 Release, Downgrading No Longer Possible

Monday May 23, 2022 3:27 pm PDT by
Following the May 16 launch of iOS 15.5, Apple has stopped signing iOS 15.4.1, the previously available version of iOS that came out in late March. Because iOS 15.4.1 is no longer being signed, it is not possible to downgrade to that version of iOS after installing iOS 15.5. Apple routinely stops signing older versions of software updates after new releases come out in order to encourage...
iOS 15

Apple Stops Signing iOS 15.3.1 Following iOS 15.4 Release, Downgrading No Longer Possible

Tuesday March 22, 2022 5:12 pm PDT by
Following the release of iOS 15.4 on March 14, Apple has stopped signing iOS 15.3.1, the previously available version of iOS that came out in February. As iOS 15.3.1 is no longer being signed, it is not possible to downgrade to that version of iOS if you've updated to iOS 15.4. Apple routinely stops signing older versions of software updates after new releases come out in order to encourage...
xbox series x controller microsoft

Microsoft Developing Low-Cost Xbox Streaming Dongle That Could Rival Apple TV

Friday May 27, 2022 1:39 am PDT by
In news that could weigh heavily on the future success of Apple TV, Microsoft has confirmed it is working to bring an affordable streaming device to market that would allow users to play Xbox games without the need for a full-blown console. It has been suggested for years that Microsoft wants to make gaming accessible to more people by cutting out the need to invest in a pricey console. The...
iOS 15

Apple Stops Signing iOS 15.4 Following iOS 15.4.1 Release, Downgrading No Longer Possible

Thursday April 7, 2022 5:58 pm PDT by
Following the March 31 release of iOS 15.4.1, Apple has stopped signing iOS 15.4, the previously available version of iOS that came out earlier in March. As iOS 15.4 is no longer being signed, it is not possible to downgrade to that version of iOS once you've installed iOS 15.4.1. Apple routinely stops signing older versions of software updates after new releases come out in order to...
Brave Browser Welcome Page

New Brave Browser Feature Bypasses 'Harmful' Google AMP Pages

Wednesday April 20, 2022 2:15 am PDT by
Privacy-focused browser Brave has announced a new feature that bypasses pages rendered with Google's AMP framework and automatically redirects users to the original website. AMP, or Accelerated Mobile Pages, is Google's non-standard subset of HTML that renders page content to make it look like its coming from the original publisher's website, when in fact it's being served from Google's...
half off 1pass 2

Deals Exclusive: Get Your First Year of the 1Password Individual Plan for 50% Off

Wednesday February 16, 2022 10:36 am PST by
We've partnered with 1Password again this month, this time offering our readers a chance to get 50 percent off their first year of 1Password for Individuals. This offer is available to new customers only, and it doesn't require a coupon code. Note: MacRumors is an affiliate partner with 1Password. When you click a link and make a purchase, we may receive a small payment, which helps us keep...

Popular Stories

iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPad Pro USB C Feature Coral

Deals: Apple's iPad Pro Reaches Up to $449 Off in Amazon's Latest Sales

Wednesday May 25, 2022 10:09 am PDT by
Amazon is marking down a wide variety of 11-inch and 12.9-inch iPad Pro models this week, with prices starting as low as $749.00 for the 11-inch tablet. You'll find the full list of sales below, all of which can be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep...
apple account card

Wallet App Now Supports Apple Account Cards on iOS 15.5

Wednesday May 25, 2022 5:01 pm PDT by
Apple appears to have recently updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an App Store or Apple Store gift card, for example, it is added to an Apple Account that was previously visible in the App Store and Apple Store apps. As of today, the Apple Account balance can also be added to...
iphone 13 pro max display bleen

iPhone 14 Max Reportedly Weeks Behind Schedule [Updated]

Thursday May 26, 2022 7:25 am PDT by
The iPhone 14 Max is currently behind schedule by around three weeks, according to Haitong International Securities analyst Jeff Pu. Yesterday, Nikkei Asia reported that at least one iPhone 14 model was three weeks behind schedule due to the impact of lockdowns on Apple's supply chains in China, but it was not clear which iPhone 14 model this related to. Now, Pu has clarified that the model...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
Apple Tap to Pay iPhone

Apple Stores Rolling Out iPhone-to-iPhone Contactless Payments Starting Today

Wednesday May 25, 2022 6:54 am PDT by
Apple in February unveiled a new "Tap to Pay on iPhone" feature that will allow compatible iPhones to accept payments via Apple Pay, contactless credit and debit cards, and other digital wallets, with no additional hardware required. Apple began testing the feature at its Apple Park Visitor Center earlier this month, and now Bloomberg's Mark Gurman has tweeted that the feature will begin...
apple tv 4k design green

Apple Releases tvOS 15.5.1 for Apple TV HD and Apple TV 4K

Wednesday May 25, 2022 9:42 am PDT by
Apple today released tvOS 15.5.1, a minor update to the tvOS operating system that first launched in September 2021. tvOS 15.5.1 comes about 10 days after the launch of tvOS 15.5. tvOS 15.5.1 can be downloaded over the air on the Apple TV through the Settings app by going to System > Software Update. ‌‌‌‌‌‌Apple TV‌‌‌‌‌‌ owners who have automatic software updates...