Passkeys: Replace passwords with a safer sign-in method

Passwords, move over. Passkeys streamline the authentication process without the burden of password management, all while providing next-generation account security.

October 10, 2022 by Hannah Hamilton


Email, social media, shopping sites, streaming services, financial institutions, online gaming, that random site that had an obscure item you wanted—the number of internet accounts each of us holds is large and ever-growing. Security standards are ever-changing too, with the introduction of multi-factor authentication, biometrics and more. It seems like every website demands different password requirements, making it difficult to create secure passwords, much less keep track of which password goes with which account.

To solve this challenge, many of us have turned to password managers that auto-generate secure passwords that autofill once we try to sign in. While convenient, these managers don’t work in all situations, and still require us to jump through MFA hoops.

In iOS 16 and macOS Ventura, Apple ushered in the next generation of account authentication by creating a tool that eliminates the need for password management while providing next-level security: passkeys. Passkeys are an excellent way to secure your personal devices or to add another layer to your organization’s security posture.

What are Apple passkeys?

Passkeys are credentials that don’t rely on passwords and are built directly into your device. It’s easy to generate a passkey from the account settings of services that support passkeys. Once you create a passkey, your device saves the credential to your iCloud Keychain, so you can use it across your devices. To log in with a passkey after creating it, simply navigate to the page you want to sign in to; the passkey sheet appears and authenticates you with biometrics, with no separate MFA step required.

OK, so passkeys are a passwordless, device-specific way to authenticate. Not having to remember a password also means that I don’t have anything to type into a browser to log in, right? So what if I need to log in on someone else’s device?

By typing your username into the appropriate field on the site you’re logging into, your browser knows to prompt you with a sheet to verify your identity. Here, you use your device to scan a QR code. Your phone recognizes that this code is for signing in with a passkey saved to your device; after Face ID or Touch ID authentication, you are logged in on their computer (even a non-Apple one)! You can also use AirDrop if you want to share your passkey so that it is stored on another device.

Under lock and (pass)key

As mentioned above, passkeys provide a new level of security. But how? Unlike passwords, passkeys aren’t stored on external servers; instead, they rely on a pair of keys. The public key is indeed public and is stored on the server, but the private key, which is unique to your device, is always kept away from the server. Signing in uses these keys in the following process:

  1. The server sends your device a single-use challenge.
  2. Your passkey uses the ES256 algorithm to solve the challenge with your private key.
  3. Your device sends the solution (not your private key) to the server.
  4. The server validates the solution using your public key.

Since the server never holds your private key, what it stores is of little value to attackers.

When you use your passkey on someone else’s device, authentication doesn’t rely only on you scanning the QR code with your device. It also relies on a Bluetooth advertisement, which makes physical proximity a requirement and reduces the likelihood of a remote attack. This cross-device, cross-platform method keeps credentials contained by communicating with the web browser instead of the website or app you are logging into.

These security features mean that passkeys protect against:

  • Guessing
  • Credential reuse
  • Device theft
  • Phishing
  • Server leaks

Apple Passkeys sound great, but are they enough?

Passkeys provide a convenient layer of security that simplifies authentication. But alone they are not enough; there is always a need for multiple layers of defense. Beyond passkeys, businesses and organizations should be layering on critical device and patch management tools, endpoint security and web filtering technologies that work in tandem to protect the user from a variety of threats.

Jamf Connect reinforces your company's authentication workflows.
