According to recent reports, the latest additions to the FIDO standard could make a password-free future more convenient. Apple calls its implementation Passkeys in iCloud Keychain. Under the proposal, a user could log in to a secure website automatically, for example, simply by having a second Apple device nearby.
Background
Apple backed FIDO (Fast Identity Online) back in 2020 and announced last year that it was testing it. The company calls its implementation Passkeys in iCloud Keychain, but that is just Apple's name for FIDO.
How FIDO will work has been explained before:
The recommendation from the FIDO Alliance is that trusted devices should replace passwords. This works essentially the same way Apple already uses two-factor authentication (2FA) for Apple devices: when you try to sign in to a new Apple device with your Apple ID, Apple sends a code to a trusted device, and the user then enters that code.
On Apple systems, that’s an extra step, but the FIDO consortium hopes to replace passwords with a similar approach — one that doesn’t require entering a password.
For example, if a user tries to log in to a website on an iPhone, the user only needs to enter a username; the site then sends an authentication request to the user’s other registered devices, such as an Apple Watch, and the user simply taps to approve it. Likewise, when accessing a service on a Mac, the user can approve the login on an iPhone — and so on.
Passkey Enhancements in iCloud Keychain
While tapping an Apple Watch or iPhone to authorize a login is already much better than entering a password, Wired reports that the latest proposal even wants to eliminate those actions.
FIDO’s white paper also proposes a supplement to its specification that would allow a user’s existing device, such as a laptop, to act as a hardware token in its own right, much like a standalone Bluetooth-authenticated device, thereby providing physical authentication. The reasoning is that because Bluetooth is a proximity-based protocol, the login remains phishing-proof even without a separate token.
In other words, it works exactly the way you already unlock a Mac or iPhone with an Apple Watch, or unlock an Apple Watch with an iPhone. No additional verification is needed from the user, because their identity was already confirmed when they unlocked the first device.
So when a user logs in to a website on a Mac, for example, the system checks whether the user's iPhone or Apple Watch is within Bluetooth range and, if so, lets the user in without any further action. At this stage it is only a proposal, so we will have to wait and see whether it is approved for use.