Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps

by

Apple, Google, and Microsoft today announced plans to expand support for a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C), promising a faster, easier, and more secure sign‑in process.

Beyond iPhone 13 Better Blue Face ID
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless sign-in option, according to the announcement. Instead of entering a password, users will sign in through the same action that they take multiple times each day to unlock their devices, such as Face ID on the iPhone.

The new approach is described as "radically more secure" compared to passwords and legacy multi-factor technologies, such as one-time passcodes sent over SMS.

Apple, Google, and Microsoft already support FIDO Alliance standards across their platforms, but expanded support will give users two new capabilities for more seamless and secure passwordless sign-ins, as outlined in the announcement:

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a "passkey") on many of their devices, even new ones, without having to reenroll every account.
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the coming year, the announcement said.

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe," said Kurt Knight, Apple's Senior Director of Platform Product Marketing, in a press release.

Popular Stories

Apple Logo Zoomed

Tim Cook Teases Plans for Apple's Upcoming 50th Anniversary

Thursday February 5, 2026 12:54 pm PST by
Apple turns 50 this year, and its CEO Tim Cook has promised to celebrate the milestone. The big day falls on April 1, 2026. "I've been unusually reflective lately about Apple because we have been working on what do we do to mark this moment," Cook told employees today, according to Bloomberg's Mark Gurman. "When you really stop and pause and think about the last 50 years, it makes your heart ...
Read Full Article147 comments
iOS 26

iOS 26.3 and iOS 26.4 Will Add These New Features to Your iPhone

Tuesday February 3, 2026 7:47 am PST by
While the iOS 26.3 Release Candidate is now available ahead of a public release, the first iOS 26.4 beta is likely still at least a week away. Following beta testing, iOS 26.4 will likely be released to the general public in March or April. Below, we have recapped known or rumored iOS 26.3 and iOS 26.4 features so far. iOS 26.3 iPhone to Android Transfer Tool iOS 26.3 makes it easier...
Read Full Article37 comments
imac video apple feature

Apple Makes Its Second-Biggest Acquisition Ever

Tuesday February 3, 2026 12:45 pm PST by
Apple recently acquired Israeli startup Q.ai for close to $2 billion, according to Financial Times sources. That would make this Apple's second-biggest acquisition ever, after it paid $3 billion for the popular headphone maker Beats in 2014. This is also the largest known Apple acquisition since the company purchased Intel's smartphone modem business and patents for $1 billion in 2019....
Read Full Article
wwdc sans text feature

Apple Rumored to Announce New Product on February 19

Thursday February 5, 2026 12:22 pm PST by
Apple plans to announce the iPhone 17e on Thursday, February 19, according to Macwelt, the German equivalent of Macworld. The report, citing industry sources, is available in English on Macworld. Apple announced the iPhone 16e on Wednesday, February 19 last year, so the iPhone 17e would be unveiled exactly one year later if this rumor is accurate. It is quite uncommon for Apple to unveil...
Read Full Article
Finder Siri Feature

Why Apple's iOS 26.4 Siri Upgrade Will Be Bigger Than Originally Promised

Friday February 6, 2026 3:06 pm PST by
In the iOS 26.4 update that's coming this spring, Apple will introduce a new version of Siri that's going to overhaul how we interact with the personal assistant and what it's able to do. The iOS 26.4 version of Siri won't work like ChatGPT or Claude, but it will rely on large language models (LLMs) and has been updated from the ground up. Upgraded Architecture The next-generation...
Read Full Article150 comments

Top Rated Comments

bierdybard Avatar
bierdybard
49 months ago

Can someone explain the security of this? Obviously I doubt that my facial data would be shared with the website, but how does it remain secure?

Would website devs need to drastically change how they code websites or would the phone handle the translation between the website asking for a password and the user just being able to scan their face?
Sure! This happens to be an area of interest for me.

The root of this technology is public-key cryptography. With PKC, there are always two related keys: A private key, and a public key. The public key is easily derived from the private key, but the private key cannot be derived from the public key. The public key can decrypt anything encrypted by the private key and vice-versa, but they cannot decrypt things they themselves encrypt without the other key.

When you are signing up, your local device generates the keys, sends the public key to the service you are accessing (this is effectively your "password", but much more secure), and stores the private key in secure storage (so on an iPhone, the Secure Enclave).

In the future, when you log in, the website sends a challenge, which is just a random string of bytes. You unlock the private key on your local device (for iPhone, using biometrics), and sign the challenge locally. A digital signature is a cryptographic hash of the contents of the message being signed (in this case, the server challenge), which is then encrypted with your private key. When you send the signed challenge back to the server, it uses the public key to decrypt the signature (thus verifying it was you that signed the challenge) and then verifies that the hash of the challenge is correct (thus verifying you signed what the server sent and not some other string of bytes). Since the signature both verifies that 1) your private key is the one that created the signature and 2) the challenge the server sent is the one that was signed, you are securely authenticated without needing to send your secret to the server.

Pretty cool, huh?

Edit: answering the other question: Yes, there are some changes that need to be made to websites to handle this. They need to be able to store the public keys, and they need to be able to handle the challenge and response. The WebAuthn standard handles this for websites, and there are a lot of drop-in libraries for just about any web application stack now.
Score: 41 Votes (Like | Disagree)
kiranmk2 Avatar
kiranmk2
49 months ago
Hope this works - even using a password manager is more hassle than it needs to be. The use of biometrics will hopefully also remove the need for 2FA codes.
Score: 17 Votes (Like | Disagree)
zorinlynx Avatar
zorinlynx
49 months ago
My main concern with "passwordless" logins is authentication from "first principles".

If you don't have any of your own devices, and want to log into your accounts from a brand new, unknown device, what do you do? I have a couple of critical passwords memorized so that I can get into my stuff if I lose all my devices. These companies seem intent on eliminating all passwords, but at some point you have to have a way to log in if you're starting from scratch.

Conversely, if they do have a mechanism for logging in from scratch, how do they secure it so a bad actor can't pretend to be you logging in from scratch?
Score: 15 Votes (Like | Disagree)
mrbobdobolina Avatar
mrbobdobolina
49 months ago
I have relatives who are very vocal about how much they hate [remembering] passwords. I think this would be a welcome convenience for many people if it works as advertised.
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
BootsWalking
49 months ago
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
[LIST=1]
* You go widget.com and navigate to its new-account creation page
* Type in what you want your username to be and then click "create account"
* Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
* The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.

Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to login, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc...). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).
Score: 7 Votes (Like | Disagree)
bierdybard Avatar
bierdybard
49 months ago

As a developer, what do I need to do to support this? How does this actually work?

Based on reading Apple's full press release, it sounds to me like this is just:
1 - Your device automatically generates a password when an account is created, the same as Safari can already do.
2 - Your device automatically fills in the password when it's requested, the same as all browsers can already do.
3 - Your devices will automatically sync these passwords with each other, possibly with more interoperability between brands, so, ie, Windows and Linux and Mac and iOS and Android will all implement the same standards so everything will be more seamless when mixing different types of devices together.
4 - The automatic password stuff is all handled in the background, without any UI needing to be involved, so the end user won't ever see a text field that gets populated automatically for them. So from the perspective of a web developer, not much will change. IDK - will this just make it so that input fields of type password and type hidden are rendered the exact same (which is to say, not at all?)
Except it's not passwords, it's public-key cryptography.

If you're running a service, you need to set up the service to handle WebAuthn, or whatever this extended standard will be called.

If you're building a client, you'll need to implement whatever APIs are necessary to do the client-side portion of the authentication. This is what the FIDO standard covers, but again, not sure what the APIs will look like outside of the web browser (again, WebAuthn).

So no, it's not zero-effort, but it is infinitely more secure than either passwords or TOTP (numeric one-time passwords) because the secret never leaves the device. In this scheme, the server only needs the public key, which is not the secret.
Score: 7 Votes (Like | Disagree)
Read All Comments