What about Passkeys?
I’ve been following the evolution of WebAuthn for quite some time now. However, it was only after Apple popularised it last year with the introduction of Passkeys that I started receiving questions about it.
My answer has always been: “I’m looking forward to supporting it in Secrets, and I hope Apple announces something related to Passkeys and third-party apps at WWDC.”
Today marks the second day of this year’s WWDC, and based on the documentation that’s already available, I can confirm that Apple did what I was hoping for:
The Credential Provider API for password managers has been expanded to support passkeys. Credential providers can save and offer passkeys for apps and websites across the system.
I filed Feedback with Apple at last year’s WWDC asking for precisely this. And this is probably more important than you might think, so read on.
What are Passkeys?
I’ll be brief. A passkey is an asymmetric key pair (a public key and a private key) used for public-key authentication in place of a password.
In practice, this means that when using passkeys, the service stores your public key, and at login your device proves it holds the matching private key by signing a random challenge the service sends. The service checks the signature with the public key; the private key itself is never transmitted.
This has many advantages:
• Every key is “strong.” Passkeys are generated randomly by your device, so unlike passwords there’s no such thing as a “weak passkey.”
• They’re unique. Each service receives a different public key, and your device stores the matching private key, so a breach at one service exposes nothing usable at another.
• Your private key is never sent to the service (a password manager may sync it between your own devices, but the service only ever sees the public key) and is bound to the service’s domain. A look-alike phishing site on a different domain cannot ask your device to sign with it, which is what makes passkeys phishing-resistant.
If you’re using a password manager like Secrets, these benefits should sound familiar. Secrets already generates strong and unique random passwords for you. It also warns you if you try to fill in a password on a website that’s not associated with a specific Login.
Passkeys simply ensure these properties by design.
So what’s the big deal?
Hopefully, more and more services will start to offer Passkeys as an authentication option. While Secrets could potentially generate and store Passkeys, they would be challenging to use in any app or browser without a Secrets extension installed.
Unlike password-based authentication, you can’t simply copy and paste a Passkey into an authentication form. And that’s precisely why this announcement is so important.
If the future is Passkeys, users must be incentivised to use them as their primary authentication method. Otherwise, the password will always be the weakest link. In that regard, Passkeys should work everywhere you’d expect, including all the apps on your device.
By allowing third-party password managers to store and use Passkeys in both apps and websites, Apple is taking another step in that direction. It also avoids locking you into Apple’s ecosystem.
And now you know one of the things I’ll be working on this summer 😉