Inside the tech giants’ efforts to eliminate passwords
Apple’s new passkeys make it possible to log in without memorizing credentials, but some experts warn that biometric systems have their own limitations
In recent years, the number of passwords people must remember has increased at a staggering rate. According to a Lastpass report, employees at small- and medium-sized companies use up to 85 passwords, while those who work at large companies average about 25. Tech giants like Apple and Google are trying to develop solutions so that users don’t have to memorize as many log-in credentials, and they’re attempting to bolster security. But will passwords as we know them today really disappear?
When it released the latest iPhone operating system, Apple also launched passkeys as “a replacement for passwords.” The company noted that the new system “[makes it] faster to log in, easier to use and much more secure.” It allows the user to access any app or service with Face ID or Touch ID, Apple’s facial recognition and fingerprint identification systems. There’s no need to manually enter a password.
Apple says that one of the advantages of passkeys is greater protection against phishing (a technique for accessing a user’s personal and banking data by pretending to be a company or institution that the person already knows). Josep Albors, the director of research and public awareness at ESET Spain, believes that this system is more secure than traditional passwords. “It prevents us from entering our credentials on fraudulent sites ready to steal our information; [with passkeys,] the user’s identification is encrypted from end to end, between our device and the online service we want to access,” he says.
How do Apple’s passkeys work?
When the user creates a passkey, the operating system generates a unique cryptographic key pair that is associated with an account on the app or website. Garrett Davidson, an engineer on Apple’s authentication experience team, explains that one key is public and stored on Apple’s servers, while the other is private and remains on the user’s device at all times. “The server never learns what your private key is, and your devices keep it secure,” he says.
Then, when the user tries to log in to one of his or her accounts, the website or app server sends a “challenge” to the device. Only the private passkey can answer it. The public key is then used to validate the answer, but it cannot solve the challenge on its own. “This means that the server can be sure that you have the right private key, without knowing what the private key actually is,” Davidson explains.
Passkeys are encrypted and synchronized on all Apple devices through the iCloud keychain. For devices that aren’t compatible with this cloud storage system, a QR code is generated, which must then be scanned by the user’s iPhone. At first glance, this login method seems quite promising, but not all applications support the system at this time.
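The challenge-response exchange described above, modelled in Go as an added example (this is not Apple's code and not the full WebAuthn protocol): the device keeps the private key, the server keeps only the public key and checks a signature over a fresh random challenge. Binding the signature to the site identifier and refusing to sign for any other site is a simplified stand-in for the origin checks that give passkeys their phishing resistance; the type and function names and the domains used are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server side: the relying party (the app or website) stores only the public key.
type account struct{ pub *ecdsa.PublicKey }

// Device side: the private key never leaves this struct; rpID is the site it was created for.
type passkey struct{ priv *ecdsa.PrivateKey; rpID string }

// register generates a P-256 key pair on the device and gives the server the public half.
func register(rpID string) (passkey, account, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return passkey{}, account{}, err
	}
	return passkey{priv: priv, rpID: rpID}, account{pub: &priv.PublicKey}, nil
}

// newChallenge draws 32 fresh random bytes per login so an old answer cannot be replayed.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// payload binds the site identifier to the challenge; this hash is what gets signed.
func payload(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// answer signs only for the site the passkey belongs to: a look-alike domain relaying a
// genuine challenge gets no signature at all (the simplified anti-phishing property).
func (p passkey) answer(origin string, challenge []byte) ([]byte, error) {
	if origin != p.rpID {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, payload(p.rpID, challenge))
}

// verify lets the server confirm the device holds the private key without ever seeing it.
func (a account) verify(rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(a.pub, payload(rpID, challenge), sig)
}
```

A login is `register` once, then per attempt `newChallenge` on the server, `answer` on the device and `verify` on the server; a signature for one challenge does not verify for another, and the device returns an error for a site it has no passkey for.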
The problem with traditional passwords
In their efforts to address Web security issues, major technology companies face the central challenge of how to eliminate traditional passwords. The FIDO (Fast IDentity Online) alliance, which includes companies such as Apple, Google and Microsoft, seeks to do just that. According to Albors, Microsoft’s approach is highly effective because it replaces passwords with numerical codes generated by a cell phone app, “although Apple’s is more convenient and user-friendly.” Similarly, the Mountain View company has been “setting the stage for a future without passwords for over a decade.”
Traditional credentials have a number of disadvantages. As Fernando Suárez, the president of Spain’s General Council of Official Computer Engineering Associations, points out, users are advised to create a password for each service and memorize it or save it in a password manager. But people don’t always do that. Indeed, a Google survey indicates that 13% of Americans use the same password for all of their accounts, and 52% have the same one for several but not all services.
Moreover, according to NordPass password manager, the most commonly used passwords are weak – for example, “123456,” “qwerty,” “password,” “111111,” and “I love you.” Suárez says that “replacing those with biometric systems, which are based on each individual’s unique physical characteristics, makes it possible to authenticate a person’s identity quickly and reliably.”
Nuria Andrés, a cybersecurity strategist at Proofpoint for Spain and Portugal, says that passwords represent the user’s critical first line of defense against an attacker and a successful cyberattack. “Even in the best-case scenario, in which a person accesses a web service with a unique and fairly secure password, it’s possible to launch a targeted attack that reveals the user’s passwords and leaves him or her at the mercy of cybercriminals,” she says.
The limitations of a passwordless world
While Apple’s passkeys have the potential to do away with some password security problems, it’s still too early to assess the potential limitations of password replacements. “Right off the bat, one of the inherent problems of biometric identification-based log-in systems is that the credentials cannot be changed,” says Albors. That’s the disadvantage of using authentication that’s unique to your person, such as your face or fingerprints, as opposed to something you know, like passwords. He also notes that, in rare cases, someone else could gain access to a user’s account if they got around facial identification. A team of researchers at Israel’s Tel Aviv University claims that it has discovered a way to bypass many facial recognition systems.
Suárez notes two possible drawbacks to Apple’s new system. For starters, biometric systems are not foolproof. “You need a password or PIN to use as an alternative in case biometrics don’t work because of a broken camera or some other reason,” he says. Additionally, “by storing the private code on the device itself, if we lose it, we won’t have immediate access to services that use such technology.”
The end of passwords?
Although several companies have been announcing the demise of traditional passwords for years, that promise remains unfulfilled. Jordi Serra, a professor at the Open University of Catalonia’s School of Computer Science, Multimedia and Telecommunications, agrees that Apple’s new system hasn’t been fully implemented yet. “It’s a step toward being able to eliminate passwords in the short term, but it will take time for these systems to become more usable and secure,” he says.
A majority of IT specialists want to protect their accounts by using password alternatives. According to a Ponemon Institute report, these experts believe that using biometric systems would increase their companies’ security. Albors projects that traditional passwords will inevitably disappear since they do not effectively guarantee a secure log-in process; that’s because of the sheer number of online services and because users tend to create and reuse weak passwords. But it is not clear when password use will be phased out entirely: “Although that date is getting closer, it depends on people accepting the different solutions that are currently available.”