Is this the end of usernames and passwords? Apple is the latest to wish for it. The Californian manufacturer plans to introduce a new identification function that would eliminate the ever-present login window that requires users to identify themselves manually to access websites and web and mobile applications.
This new technology, called Passkey, is part of the software update coming this fall to Macs and iPhones. It currently takes the form of a technical overview presented to publishers of web and mobile applications. It was introduced to them rather quietly this week at WWDC, the conference Apple holds for them each year. If their reaction is positive enough, Apple believes that Passkey will be rolled out gradually over the next few months and years.
Combining the Keychain on Apple products with its iCloud platform, this new tool is based on an open web standard called WebAuthn. This standard replaces identification by username and password with an encrypted authentication protocol tied to the device used to access an online service. The web browsers from Google, Microsoft, Mozilla and Apple already incorporate this standard.
The operating systems Android, from Google, and Windows 10, from Microsoft, are also compatible with WebAuthn. Apple therefore intends to add macOS and iOS, its own operating systems, to this list. The tech giant is using its influence with the creators of web applications and services to encourage them to do the same.
Cut phishing short
The idea behind this new authentication protocol is to allow online applications to identify their users directly from the unlocking mechanism of the device they are using to log in. This is the same principle as Windows Hello facial recognition on the PC side, the fingerprint reader of most Android mobile devices, and Touch ID and Face ID at Apple.
This method of identification could also replace the USB key that many organizations and companies use to let their employees connect to workplace IT tools.
Technologies like Passkey generate encrypted login credentials that differ from service to service and that even the user does not know. In the case of Apple, since these credentials are stored in iCloud Keychain, they can be used hassle-free from any other device signed in to the same Apple account.
This approach has the advantage of preventing a user from inadvertently transmitting their login information to a third party, for example as part of a phishing campaign aimed at stealing their digital identity.
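An added illustration (not from the article or from Apple) of the server-side checks that give WebAuthn this property: the browser records which origin asked for the login and the authenticator hashes the site's ID into its response, so a login approved on a look-alike site is rejected. The names `example.com`, `check_assertion_binding` and `sample` are assumptions, the inputs are constructed, and the signature verification that follows these checks (it needs the stored public key) is left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin of the real site

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def check_assertion_binding(client_data_json, authenticator_data, challenge):
    """Return "ok", or the reason the login response is rejected."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    claimed = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(claimed, b64url(challenge)):
        return "challenge mismatch"
    # The browser, not the user, fills in the origin that asked for the login.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash):
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        return "user not present"
    return "ok"  # signature check over authData || SHA-256(clientDataJSON) follows

def sample(origin, rp_id, challenge, flags=0x05):
    """Build a constructed (not captured) clientDataJSON / authenticatorData pair."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge).decode()}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
    return client, auth

CHALLENGE = bytes(range(32))  # constructed; a real server uses os.urandom(32)
GENUINE = sample("https://example.com", "example.com", CHALLENGE)
LOOKALIKE = sample("https://example.net", "example.net", CHALLENGE)

if __name__ == "__main__":
    print(check_assertion_binding(*GENUINE, CHALLENGE))    # ok
    print(check_assertion_binding(*LOOKALIKE, CHALLENGE))  # origin mismatch
```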
Google does the same
Apple’s presentation of these new security measures largely echoes the announcement Google made earlier this spring. The publisher of the Android mobile platform also wants to see passwords that are too easy to guess or forget disappear. Google will also more strongly encourage the two billion or so people who use its platform to update login details that have been found in past data breaches.
In the next version of Android, Google intends to make it easier for users to import their login data into its own login keychain. This keychain will also be shared more fluidly between their mobile devices and their Chrome browser, so that users do not have to memorize everything.
Finally, Chrome will offer shortcuts to the settings of sites identified as having been the victims of a data leak to encourage their users to update their credentials. Here again, the goal is to reduce the impact on the public of the still very frequent cyber attacks on the Internet, one password at a time.