Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps

Apple, Google, and Microsoft today announced plans to expand support for a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C), promising a faster, easier, and more secure sign‑in process.

Beyond iPhone 13 Better Blue Face ID
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless sign-in option, according to the announcement. Instead of entering a password, users will sign in through the same action that they take multiple times each day to unlock their devices, such as Face ID on the iPhone.

The new approach is described as "radically more secure" compared to passwords and legacy multi-factor technologies, such as one-time passcodes sent over SMS.

Apple, Google, and Microsoft already support FIDO Alliance standards across their platforms, but expanded support will give users two new capabilities for more seamless and secure passwordless sign-ins, as outlined in the announcement:

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a "passkey") on many of their devices, even new ones, without having to reenroll every account.
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the coming year, the announcement said.

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe," said Kurt Knight, Apple's Senior Director of Platform Product Marketing, in a press release.

Top Rated Comments

bierdybard Avatar
25 months ago

Can someone explain the security of this? Obviously I doubt that my facial data would be shared with the website, but how does it remain secure?

Would website devs need to drastically change how they code websites or would the phone handle the translation between the website asking for a password and the user just being able to scan their face?
Sure! This happens to be an area of interest for me.

The root of this technology is public-key cryptography. With PKC, there are always two related keys: A private key, and a public key. The public key is easily derived from the private key, but the private key cannot be derived from the public key. The public key can decrypt anything encrypted by the private key and vice-versa, but they cannot decrypt things they themselves encrypt without the other key.

When you are signing up, your local device generates the keys, sends the public key to the service you are accessing (this is effectively your "password", but much more secure), and stores the private key in secure storage (so on an iPhone, the Secure Enclave).

In the future, when you log in, the website sends a challenge, which is just a random string of bytes. You unlock the private key on your local device (for iPhone, using biometrics), and sign the challenge locally. A digital signature is a cryptographic hash of the contents of the message being signed (in this case, the server challenge), which is then encrypted with your private key. When you send the signed challenge back to the server, it uses the public key to decrypt the signature (thus verifying it was you that signed the challenge) and then verifies that the hash of the challenge is correct (thus verifying you signed what the server sent and not some other string of bytes). Since the signature both verifies that 1) your private key is the one that created the signature and 2) the challenge the server sent is the one that was signed, you are securely authenticated without needing to send your secret to the server.

Pretty cool, huh?

Edit: answering the other question: Yes, there are some changes that need to be made to websites to handle this. They need to be able to store the public keys, and they need to be able to handle the challenge and response. The WebAuthn standard handles this for websites, and there are a lot of drop-in libraries for just about any web application stack now.
Score: 41 Votes (Like | Disagree)
kiranmk2 Avatar
25 months ago
Hope this works - even using a password manager is more hassle than it needs to be. The use of biometrics will hopefully also remove the need for 2FA codes.
Score: 17 Votes (Like | Disagree)
zorinlynx Avatar
25 months ago
My main concern with "passwordless" logins is authentication from "first principles".

If you don't have any of your own devices, and want to log into your accounts from a brand new, unknown device, what do you do? I have a couple of critical passwords memorized so that I can get into my stuff if I lose all my devices. These companies seem intent on eliminating all passwords, but at some point you have to have a way to log in if you're starting from scratch.

Conversely, if they do have a mechanism for logging in from scratch, how do they secure it so a bad actor can't pretend to be you logging in from scratch?
Score: 15 Votes (Like | Disagree)
mrbobdobolina Avatar
25 months ago
I have relatives who are very vocal about how much they hate [remembering] passwords. I think this would be a welcome convenience for many people if it works as advertised.
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
25 months ago
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
[LIST=1]
* You go widget.com and navigate to its new-account creation page
* Type in what you want your username to be and then click "create account"
* Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
* The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.

Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to login, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc...). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).
Score: 7 Votes (Like | Disagree)
bierdybard Avatar
25 months ago

As a developer, what do I need to do to support this? How does this actually work?

Based on reading Apple's full press release, it sounds to me like this is just:
1 - Your device automatically generates a password when an account is created, the same as Safari can already do.
2 - Your device automatically fills in the password when it's requested, the same as all browsers can already do.
3 - Your devices will automatically sync these passwords with each other, possibly with more interoperability between brands, so, ie, Windows and Linux and Mac and iOS and Android will all implement the same standards so everything will be more seamless when mixing different types of devices together.
4 - The automatic password stuff is all handled in the background, without any UI needing to be involved, so the end user won't ever see a text field that gets populated automatically for them. So from the perspective of a web developer, not much will change. IDK - will this just make it so that input fields of type password and type hidden are rendered the exact same (which is to say, not at all?)
Except it's not passwords, it's public-key cryptography.

If you're running a service, you need to set up the service to handle WebAuthn, or whatever this extended standard will be called.

If you're building a client, you'll need to implement whatever APIs are necessary to do the client-side portion of the authentication. This is what the FIDO standard covers, but again, not sure what the APIs will look like outside of the web browser (again, WebAuthn).

So no, it's not zero-effort, but it is infinitely more secure than either passwords or TOTP (numeric one-time passwords) because the secret never leaves the device. In this scheme, the server only needs the public key, which is not the secret.
Score: 7 Votes (Like | Disagree)

Popular Stories

iPhone 16 Camera Lozenge 2 Colors

iPhone 16 Plus Rumored to Come in These 7 Colors

Wednesday April 10, 2024 3:52 am PDT by
Apple's iPhone 16 Plus may come in seven colors that either build upon the existing five colors in the standard iPhone 15 lineup or recast them in a new finish, based on a new rumor out of China. According to the Weibo-based leaker Fixed focus digital, Apple's upcoming larger 6.7-inch iPhone 16 Plus model will come in the following colors, compared to the colors currently available for the...
apple tv 4k yellow bg feature

When to Expect a New Apple TV to Launch

Tuesday April 9, 2024 8:30 am PDT by
It has been nearly a year and a half since the current Apple TV was released, so the device is becoming due for a hardware upgrade. Below, we recap rumors about the next Apple TV, including potential features and launch timing. The current model is the third-generation Apple TV 4K, announced in October 2022. Key new features compared to the previous model from 2021 include a faster A15...
apple silicon feature joeblue

Macs to Get AI-Focused M4 Chips Starting in Late 2024

Thursday April 11, 2024 10:10 am PDT by
Apple will begin updating its Mac lineup with M4 chips in late 2024, according to Bloomberg's Mark Gurman. The M4 chip will be focused on improving performance for artificial intelligence capabilities. Last year, Apple introduced the M3, M3 Pro, and M3 Max chips all at once in October, so it's possible we could see the M4 lineup come during the same time frame. Gurman says that the entire...
iOS 18 WWDC 24 Feature 2

iOS 18 May Feature All-New 'Safari Browsing Assistant'

Wednesday April 10, 2024 6:11 am PDT by
iOS 18 will apparently feature a new Safari browsing assistant, according to backend code on Apple's servers discovered by Nicolás Álvarez. MacRumors contributor Aaron Perris confirmed that the code exists, but not many details are known at this time. Álvarez said it seems like the browsing assistant will use iCloud Private Relay's infrastructure to send relevant data to Apple in a...
maxresdefault

Review: Six Months With the iPhone 15 Pro

Wednesday April 10, 2024 10:53 am PDT by
It's been a bit over six months since the iPhone 15 lineup came out in September, and MacRumors videographer Dan Barbera has been using an iPhone 15 Pro Max sans case since launch. Over on our YouTube channel, Dan did a long term review to demo how his phone has held up and his thoughts on the Action button, battery life, and camera features. Subscribe to the MacRumors YouTube channel for more ...
iPhone 16 Pro Sizes Feature

Alleged iPhone 16 Battery Details Show Smaller Capacity for One Model

Tuesday April 9, 2024 3:46 am PDT by
Apple's upcoming iPhone 16 lineup will feature bigger battery capacities compared to previous-generation models with the exception of the iPhone 16 Plus, which will have a smaller battery than its predecessor. That's according to the Chinese Weibo-based leaker OvO Baby Sauce OvO, a relatively new source of supply chain leaks with an as-yet unproven track record for accuracy. The iPhone 16 ...