The recommendation is not to come up with a password yourself, and certainly never to use that password multiple times. The threat of password leaks and phishing shows the weakness of such conventional passwords.
The problem is that this threat can affect all passwords. Face ID or Touch ID might seem like a secure and quick method to log on, but if the password or passcode behind that layer of security is easily guessed, then nothing is secure.
Even if all passwords are organised via a password manager that automatically creates secure passwords, many users will still have an easy-to-remember, and possibly easily guessed, password as the entry point to the tool.
An extra layer of security comes in if password entry has the double protection of being verified on another device, or if the password is authenticated by a two-factor system (2FA) such as Google Authenticator. Now, instead of using fixed credentials such as a username and password to log in, separate verification codes are required every time you log in.
However, even these 2FA systems are not completely safe, and they are cumbersome. Now, for the first time, macOS is set to gain a new 2FA authentication system that will offer additional login protection.
With Apple’s new integrated system, coming in macOS Monterey and iOS 15, such codes will be filled in automatically.
A new system
Apple is said to be already working on an entirely new concept that can completely replace conventional passwords in the next few years. The solution being investigated by Apple will outsource the login to a “Sign in with Apple” system, also known as Federated Identity.
Here’s how it could work: Instead of using vulnerable credentials, security keys are used for login. But, instead of these credentials being stored with the user and the service, a private and a public key are generated every time by the Apple device. The service only receives the public key, which is worthless to hackers. Only the private key can be used to log in to the device (also known as Private Key Challenge).
For this, Apple is said to be relying not on in-house development but on the industry standard WebAuthn. This is not new: it is already supported in Safari from iOS 14.5 and is also usable in macOS Big Sur. This standard is also already being used by hardware solutions such as a YubiKey, which is plugged in via USB or Lightning and thus also meets the highest security standards.
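The challenge-response login described above, as an added example (not Apple's code and not part of the original article): a simplified Node.js sketch that follows the idea behind WebAuthn but not its wire format. The function names, the JSON layout and the origins under `.example` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Device: create a key pair at registration. Only the public key is sent to the service.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Device: sign the service's challenge plus the origin the browser is actually on.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Service: check origin and challenge, then the signature, using only the stored public key.
function verifyAssertion(publicKeyPem, issuedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (!data || data.origin !== expectedOrigin) return false;
  const got = Buffer.from(String(data.challenge), 'base64url');
  if (got.length !== issuedChallenge.length) return false;
  if (!crypto.timingSafeEqual(got, issuedChallenge)) return false;
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

// Constructed scenario: one genuine login and three attempts that must be rejected.
function demo() {
  const origin = 'https://service.example'; // assumed service origin
  const device = createPasskey();
  const stored = device.publicKeyPem; // all the service (or a database thief) ever holds
  const challenge = crypto.randomBytes(32); // fresh for every login attempt
  const genuine = signAssertion(device.privateKey, challenge, origin);
  const lookalike = signAssertion(device.privateKey, challenge, 'https://service-login.example');
  const forged = signAssertion(createPasskey().privateKey, challenge, origin);
  return {
    genuine: verifyAssertion(stored, challenge, origin, genuine),
    replayed: verifyAssertion(stored, crypto.randomBytes(32), origin, genuine),
    lookalikeOrigin: verifyAssertion(stored, challenge, origin, lookalike),
    forgedWithoutPrivateKey: verifyAssertion(stored, challenge, origin, forged),
  };
}

console.log(demo());
```

Only the genuine login verifies; an old response replayed against a new challenge, a response signed on a look-alike origin, and a signature made without the device's private key are all rejected.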
What is new, however, is the support of these key files in the iCloud Keychain (which is still in beta). Apple is introducing a new type of “passkey” where no hardware is required. The data is transferred via iCloud and should be available – automatically synchronised – on all devices.
One advantage is the ease of use: registration is possible with one click or tap.
The function will be available for the first time from iOS 15 and Monterey. Beta testers currently have to activate it for testing purposes: on macOS Monterey this is done via the Safari developer menu, on iOS via the developer settings.
This article originally appeared on Macwelt. Translation by Karen Haslam.