This is Apple's proposal to end passwords forever

During WWDC 2022, Apple showed off its passkeys, a new biometric login standard that could finally do away with passwords forever.

As Apple explains, “passkeys use iCloud Keychain public key credentials, which eliminates the need for passwords. Instead, they are based on biometric identification, such as Touch ID and Face ID in iOS, or on a specific confirmation in macOS to generate and authenticate accounts.

As an authenticator, the Apple device generates a unique public-private key pair for each account it creates on a service, and the authenticator keeps the private key and shares the public key with the server.”
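The model in the quote above, as an added sketch that is not Apple's code and does not use the real WebAuthn message format. It goes one step beyond the quote by showing sign-in, where the server checks a signature over a single-use challenge. The class names, `shop.example`, `bank.example` and the account `alice` are assumptions made for illustration.

```javascript
// Added illustration: simplified passkey flow, not the real WebAuthn message format.
const nodeCrypto = require('node:crypto');
// Authenticator (the device): one key pair per service and account; private keys stay here.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(service, account) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(`${service}|${account}`, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this reaches the server
  }
  sign(service, account, challenge) {
    // The service name is signed with the challenge, so the result is useless at another site.
    const data = Buffer.concat([Buffer.from(service), challenge]);
    return nodeCrypto.sign('sha256', data, this.keys.get(`${service}|${account}`));
  }
}

// Server: stores public keys only and issues single-use random challenges.
class Server {
  constructor(name) { this.name = name; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(account, publicKeyPem) { this.publicKeys.set(account, publicKeyPem); }
  newChallenge(account) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(account, challenge);
    return challenge;
  }
  verify(account, signature) {
    const challenge = this.pending.get(account);
    this.pending.delete(account); // consume it: a replayed signature must fail
    if (!challenge || !this.publicKeys.has(account)) return false;
    const data = Buffer.concat([Buffer.from(this.name), challenge]);
    return nodeCrypto.verify('sha256', data, this.publicKeys.get(account), signature);
  }
}
// Constructed scenario: one device, two services (hypothetical names).
function demo() {
  const device = new Authenticator();
  const shop = new Server('shop.example');
  const bank = new Server('bank.example');
  const shopKey = device.register('shop.example', 'alice');
  const bankKey = device.register('bank.example', 'alice');
  shop.enroll('alice', shopKey); bank.enroll('alice', bankKey);
  const sig = device.sign('shop.example', 'alice', shop.newChallenge('alice'));
  const firstLogin = shop.verify('alice', sig);   // fresh challenge, right key
  const replay = shop.verify('alice', sig);       // challenge already consumed
  bank.newChallenge('alice');
  const crossSite = bank.verify('alice', sig);    // wrong key and wrong service
  return { firstLogin, replay, crossSite, distinctKeys: shopKey !== bankKey };
}
```

What each server holds is a public key, so a copy of its account table contains nothing that can be presented as a credential, unlike a table of password hashes.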

Using a password is the most popular method of accessing an account, whether on a personal computer or a remote platform. That said, passwords face several challenges, including memorization, which is becoming increasingly relevant as the number of services that require a password grows, and the compromise they can be subject to.

Numerous studies show the magnitude of data breaches linked to compromised passwords each year. Several factors cause this problem; two of the best known are retention, which sometimes forces users to share their passwords with co-workers, and using the same password for multiple accounts.

Given the situation, the major technology companies Google, Apple and Microsoft are opting for a passwordless approach.

In addition, since September 2021, anyone with a Microsoft account can completely remove the password from the account in favor of another security alternative. Microsoft Vice President Vasu Jakkal announced it in a blog post:

“We're supposed to create complex and unique passwords, remember them and change them frequently, but no one likes to do that either. In a recent poll on Microsoft's Twitter, one in five people said they would rather accidentally "reply to all," which can be wildly embarrassing, than reset a password.

Starting today, you can now completely remove your Microsoft account password. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services like Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out in the coming weeks.”

The digital password replacement uses Touch ID or Face ID for biometric verification, which means that instead of you having to enter a long string of characters, an app or website you sign in to will send a password authentication request to your phone.

During its demo of passwordless technology at WWDC, Apple showed how passkeys are saved in iCloud Keychain and can be synced across Mac, iPhone, iPad, and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate.

"Because it only takes one click to sign in, it's easier, faster and more secure than almost any form of authentication common today," said Apple Engineer Garrett Davidson of the Authentication Experience team.

Apple is not alone in its efforts to remove the password: last month, Google and Microsoft partnered with Apple to expand support for passwordless logins across mobile, desktop, and browsers. This new collective commitment was hailed by Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), who at the time called it "the kind of forward-thinking that will ultimately ensure the security of Americans online."

The companies made their announcement through FIDO (Fast IDentity Online), an alliance that has existed since 2013. Together with the World Wide Web Consortium, FIDO is working to create and implement standards for a largely password-free Internet. According to the alliance's blog, these standards are already supported by billions of devices and by all modern web browsers.

Specifically, the plan is to implement support for passwordless FIDO login standards on all platforms. Google mentions Chrome, ChromeOS and Android. The implementation is still expected to take place this year. Instead of a password, a FIDO authorization, called a passkey, can be saved on the user's smartphone. This code confirms registration for an online service. Credit card payment authorization with 3D-Secure 2.0 works similarly.
