Meet Passkeys

In macOS Monterey and iOS 15, Apple introduced a developer preview of passkeys. Good feedback on passkeys was received from folks outside Apple who worked with them. In macOS Ventura and iOS 16, Apple is making passkeys available to all.

Passkeys help prevent:

* Credential re-use
* Weak credentials
* Credential leaks
* Successful phishing for credentials

Demo of passkey use runs from 1:45 through 4:33 of the session video.

Apple's passkey implementation is built on open standards. Apple has been working with the FIDO Alliance to make sure that Apple's implementation works on as many Apple and non-Apple devices as possible.

Demo of passkey use on non-Apple devices runs from 4:55 through 5:43 of the session video.

Passkeys can be shared between people using AirDrop.

Demo of passkey sharing using AirDrop runs from 6:43 through 5:43 of the session video.

Designing for passkeys:

Passkeys are replacements for passwords

Both Apple and other vendors have begun building their own support for passkeys. The best way to have your websites and apps work with passkeys is to leverage Autofill: first fill in the account name, then use that to prompt the user to use the associated passkey for authentication.

Passkeys use a unique public-private cryptographic keypair. These public-private key pairs are generated by an Apple device for every account that you would use to sign into a service (like a website, an app which needs authentication, email, etc.). The Apple device in question retains the private key and shares its public key with the server it's trying to authenticate with.
For more information on how passkeys work, please see here: https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys

* Built on WebAuthn standard
* Requires services to support WebAuthn authentication
  - Any standard WebAuthn implementation should work with passkeys

Passkeys are part of the ASAuthorization API in the AuthenticationServices framework.

Details on passkey implementation in code run from 11:30 through 14:00 of the session video.

Relevant sessions from past WWDCs:

* Introducing Password Autofill for Apps: https://developer.apple.com/wwdc17/206
* What's new in Universal Links: https://developer.apple.com/wwdc20/10098

Passkeys do not need to be available on your device. In Apple's implementation, you can also choose the option of using a passkey from a nearby device.

User verification:

In this context, user verification (UV) refers to use of biometrics or device password.

- Apple platforms always require UV when biometrics (Touch ID or Face ID) are available.

When writing an app, always use "userVerification: preferred"

Using passkeys on the web:

Passkeys replace Safari's legacy platform authenticator

- Existing credentials will still work and will still be bound to the device they were created on.
- New platform credentials will be created as passkeys
- To distinguish between them, passkeys will not provide an attestation statement when queried for one.

Multi-factor authentication

Passkeys help address the requirements for MFA by protecting against:

* Password guessing
* Credential re-use
* Device theft
* Phishing
* Server leaks

A password-based authentication implementation needs additional factors to protect the account against the known weaknesses of password-based authentication. In contrast, passkeys solve the problems that adding additional authentication factors helps protect against, so those additional authentication factors aren't necessary. The passkey by itself is enough.
Next recommended steps:

* Adopt WebAuthn on backend services, so that WebAuthn is used for authentication to those services.
* Update your apps and websites to support passkeys (via WebAuthn adoption for backend services).
* Transition users away from passwords
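
What a backend that has adopted WebAuthn checks when a passkey sign-in arrives, as an added example (not code from the session or from Apple): the server holds only the public key and verifies the origin, the user-verification flag and the signature. The `example.com` names, the `requireUV` policy switch, the result strings and the simulated device side are assumptions made for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometrics or device password)

function verifyAssertion({ authenticatorData, clientDataJSON, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected.challenge) return 'challenge-mismatch';
  if (client.origin !== expected.origin) return 'origin-mismatch';
  if (authenticatorData.length < 37) return 'short-authenticator-data';
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(expected.rpId))) return 'rp-id-mismatch';
  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return 'user-not-present';
  if (expected.requireUV && !(flags & FLAG_UV)) return 'user-not-verified';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signed, expected.publicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed sample: plays the device side so the checks run offline.
function sampleAssertion(privateKey, { rpId, origin, challenge }, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: sign('sha256', signed, privateKey) };
}

function demo() {
  const newKey = () => generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const { publicKey, privateKey } = newKey(); // the server stores only publicKey
  const expected = { rpId: 'example.com', origin: 'https://example.com',
    challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl', publicKey, requireUV: true };
  const good = sampleAssertion(privateKey, expected, FLAG_UP | FLAG_UV);
  const noUV = sampleAssertion(privateKey, expected, FLAG_UP);
  const lookalike = { ...expected, origin: 'https://login.example.net' };
  return {
    good: verifyAssertion(good, expected),
    noUV: verifyAssertion(noUV, expected),
    wrongOrigin: verifyAssertion(sampleAssertion(privateKey, lookalike, FLAG_UP | FLAG_UV), expected),
    wrongKey: verifyAssertion(good, { ...expected, publicKey: newKey().publicKey }),
  };
}

console.log(demo());
```

With "userVerification: preferred" the UV flag may be absent, so whether to set `requireUV` is a relying-party policy decision; a production backend would normally use a maintained WebAuthn library for these checks.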