Deploy passkeys at work: https://developer.apple.com/wwdc23/10263

Passkeys are a replacement for passwords:
- Digital credential, tied to a user account and a website or application.
- Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor.

Passkeys use key pairs:
- Public key: registered with the website or application you want to authenticate to
- Private key: held only by the devices you're using

Individual passkeys are designed to be linked only with the website or app they were created for, so a passkey which can authenticate to one app or website cannot be used to authenticate to other apps or websites.

Passkeys address the following problems:
- Credential phishing: There is nothing to type for a passkey, and each passkey is intrinsically linked to the website or app it's used for. You can't enter a passkey into a malicious website and have your credentials stolen, because nothing gets typed and no link to the malicious website exists for the passkey.
- Credential theft attacks: If an attacker steals the server side of the passkey, all they have is the public key half of the passkey keypair. By itself, that's useless to an attacker, because public keys are designed to be just that: public information. Without the private key half of the keypair, the attacker has nothing useful.
- Two-factor authentication bypass attacks: With passkeys, there is no longer a need for multiple factors of authentication, because the passkey by itself provides adequate security. So without two-factor authentication included in the authentication process, two-factor authentication bypass attacks no longer have something to attack.
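The key-pair model and per-site binding described above, as an added example that is not from the session or from Apple: a toy authenticator and relying party in Go, using P-256 ECDSA from the standard library. The relying party ID "example.com", the look-alike "examp1e.com", the user "alice" and the signed-message layout (SHA-256 of the relying party ID followed by the challenge) are constructed simplifications of WebAuthn's authenticatorData/clientDataHash, not the real wire format. The four scenario results map onto the three problems listed in the notes plus replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device/keychain: private keys only, keyed by the relying party ID each was created for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Register creates a key pair for rpID and hands back ONLY the public key; the private key never leaves the device.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is a simplified stand-in for WebAuthn's authenticatorData (carrying SHA-256(rpID)) followed by
// SHA-256(clientDataJSON): every signature is tied to exactly one relying party and one challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a challenge for the origin the browser reports; the lookup is by exact rpID, so a look-alike domain finds no key.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %s", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// RelyingParty models the server side: it stores public keys only.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

// NewChallenge issues a fresh random challenge so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks the assertion with the stored public key over the RP's own ID and the challenge it issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// ScenarioResults records the properties the notes above attribute to passkeys.
type ScenarioResults struct {
	LegitimateLogin bool // right site, right key: accepted
	PhishingBlocked bool // look-alike domain: nothing to sign
	ReplayBlocked   bool // an old assertion fails against a fresh challenge
	LeakIsUseless   bool // a stolen public-key table yields no valid assertion
}

// RunScenarios walks through registration, a login and the three failure cases.
func RunScenarios() ScenarioResults {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "example.com", users: map[string]*ecdsa.PublicKey{}} // constructed RP ID
	pub, err := auth.Register(rp.ID)
	if err != nil {
		panic(err)
	}
	rp.users["alice"] = pub // constructed user; the server keeps the public half only
	var r ScenarioResults
	ch := rp.NewChallenge()
	sig, err := auth.Assert(rp.ID, ch)
	r.LegitimateLogin = err == nil && rp.Verify("alice", ch, sig)
	// The browser reports the origin actually visited; the constructed look-alike has no passkey.
	_, err = auth.Assert("examp1e.com", ch)
	r.PhishingBlocked = err != nil
	r.ReplayBlocked = !rp.Verify("alice", rp.NewChallenge(), sig)
	// Holding only the public key, the best one can do is sign with some other key, which is rejected.
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch2 := rp.NewChallenge()
	forged, _ := ecdsa.SignASN1(rand.Reader, otherKey, signedMessage(rp.ID, ch2))
	r.LeakIsUseless = !rp.Verify("alice", ch2, forged)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints all four fields as true. The design point is in `Assert` and `Verify`: the authenticator only ever looks up a key by the exact relying party ID the browser reports, and the server only ever accepts a signature over its own ID, so neither side relies on the user noticing that a domain is wrong.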
Deploying passkeys at companies, schools and institutions:

Passkeys can be stored in iCloud Keychain, which will share them among all your Apple devices. iCloud Keychain is available for:
- Personal Apple IDs
- Managed Apple IDs

For companies, schools and institutions, Managed Apple IDs are the recommended way to support using iCloud Keychain and passkeys with work-owned services. Passkeys stored in the iCloud Keychain of a Managed Apple ID cannot be shared with other folks. They will stay only on the devices where that Managed Apple ID is signed in.

There are two different controls administrators can use:

Controlling which devices Managed Apple IDs can be signed into: access management policies are configured in Apple Business Manager / Apple School Manager and control Managed Apple ID sign-in based on level of management.
- Any Device (default policy, requires no management). Effect: allows the Managed Apple ID to sign in on any device.
- Managed Devices Only. Effect: allows the Managed Apple ID to sign in only on managed devices.
- Supervised Devices Only. Effect: allows the Managed Apple ID to sign in only on supervised devices.

IT administrators can also further control which devices to allow iCloud content, including passkeys in iCloud Keychain, to sync on, with the same three convenient options:
* on any device
* managed devices only
* managed supervised devices only

How IT administrators can manage passkeys:
* Ensure that the passkeys are stored in the iCloud Keychain of Managed Apple IDs.
* Provide syncing of passkeys across all devices where that Managed Apple ID is signed in.
* Prove to relying parties that passkeys are created on managed devices.

This can be managed via Declarative Device Management (DDM).

Note: For more information, please see the "Explore advances in declarative device management" session: https://developer.apple.com/wwdc23/10039

Example configuration workflow shown in the session video from 10:18 - 13:51.
Requirements in managed environments:
- Use Managed Apple IDs, so that you can manage the iCloud Keychain and stored passkeys
- Ensure passkeys sync only to managed devices
- Store passkeys used for work in the iCloud Keychain of managed accounts
- Prove to relying parties that passkey creation happens only on managed devices
- Turn off sharing of passkeys between employees

Example passkey usage workflow shown in the session video from 14:35 - 15:44.