Passkeys on multiple devices

Coming in a bit late in this post, but I thought I add my 2 cents as I was starting to use Passkeys and wanted to know more about them before getting "fully onboard."

Passkeys are based on WebAuthn. In turn, WebAuthn (Web Authentication API) is a web standard developed by the FIDO Alliance and W3C that enables secure, passwordless authentication using biometrics, security keys, and other cryptographic credentials. It allows users to sign in to websites and apps without needing traditional passwords, reducing phishing risks and improving security.

So how does this work?

First-time accessing a WebAuthn-enabled website

• When you try signing into a website that supports WebAuthn the first time, you would be prompted if you want to use a Passkey.
• If you agree, your device (Mac, iPhone, security key, etc.) generates a unique cryptographic key pair which includes a private key & a public key.
• The private key is stored securely on your device (in iCloud Keychain, 1Password, a security key, etc.). On the other hand, the public key is stored on the website’s server.

Each subsequent access to this same website

• During the login process, the website sends a challenge to your device.
• Your device signs the challenge with the private key (which never leaves your device).
• This signed response is sent back to the website for verification using the public key.
• If it matches, you’re logged in—voila, no passwords required.

Which leads us to where exactly are these Passkeys stored?

• If you are using the Apple ecosystem; most likely if you're using a Mac, they would be stored in the local Keychain/Passwords app.
• If you are using a third-party password manager, that supports WebAuthn (like 1Password or Dashlane), they are stored in either the respective app's local vault or their Cloud-based vaults.
• If you use physical security keys, like those provided by YubiKey), they are stored on those keys themselves.
• Finally, if you don't use any form of Cloud syncing, Passkeys are stored on your local device. In this case, each device that is not participating with syncing would have to have their own unique Passkey.

Hopefully, I got that right and maybe you may find this useful in better understanding Passkeys.

John Galt wrote:

Briefly stated a "passkey" is stored locally, on the device. If you want to use a passkey, it will need to be enabled on each device that uses it. Some browsers incorporate it, some websites incorporate it (for certain browsers), and some companies are finally getting on board.

Interesting. I, too, am finally moving toward passkeys. The National Science Foundation's grant submission portal effectively requires them now. I set it up using my phone. The next time I went to log in from my Mac, all I needed was TouchID. Have I forgotten about some other activation? Or is the fact that I have Passwords synced using my Apple Account sufficient?

When I use my work computer, which has no biometrics, I use my phone.

The NSF just went to more secure logins a few months back. Mine got messed up somehow, and I had to call the help desk to log in. As I recall, they only asked for my username before they agreed to reset the biometric part of the login. In retrospect, if someone had gotten my passcode and called in, they could have hijacked my account, I think. Of course, if someone really wants to go to all the trouble to submit an NSF grant, perhaps I should let them.

IdrisSeabright wrote:

Interesting. I, too, am finally moving toward passkeys. The National Science Foundation's grant submission portal effectively requires them now. I set it up using my phone. The next time I went to log in from my Mac, all I needed was TouchID. Have I forgotten about some other activation? Or is the fact that I have Passwords synced using my Apple Account sufficient?

If you have Passwords synced to iCloud your passkeys are available on any device logged in to your Apple ID.

Assuming the owner of that device established an account for some online service that uses a Passkey, we can share that account's Passkey in a manner that's much more secure than sharing a user ID / password combination — which generally requires copy / paste, or even worse, writing it down. (Never write down passwords, anywhere, on anything, ever.)

This all works among Apple devices and services. As for non-Apple devices, I wouldn't know.

One more question.....so when I log on to a site will my computer/device ask me if I want to set a passkey?

Yes, if it offers that capability.

How do you set a passkey for various sites if you aren't asked if you want to use a passkey?

If you are not asked, then the device you're using is not capable of it, or the site does not offer it.

FWIW, I have been using 1Password for years and as I mentioned earlier it does support using Passkeys and can store them in their 1Password Vault. One nice feature of this app is that when you access a website that is WebAuthn-enabled, 1Password will also prompt you if you want to use a Passkey with this site.

... and here you go: Demystifying Passkeys - Apple Community

Briefly stated a "passkey" is stored locally, on the device. If you want to use a passkey, it will need to be enabled on each device that uses it. Some browsers incorporate it, some websites incorporate it (for certain browsers), and some companies are finally getting on board.

If you start using passkeys had you better still remember all your passwords?

Ideally, no, and it's an impracticable requirement different services tend to have wildly different password requirements. Case in point, one bank I used to do business with considered Safari's "secure password generator" insufficiently secure, and forced me to use what was to them a more secure password. That password?

"Password01"

That was ok. I wish I were joking. Needless to say I took my business elsewhere.

Passkeys are supposed to make passwords obsolete. That's a laudable goal, but it requires that the device itself is capable of some kind of secure, usually biometric authorization. For Macs, that's Touch ID or other means such as Unlock your Mac with Apple Watch - Apple Support. For iOS, it's Face ID. Theoretically — and this is something Steve Jobs advocated long ago — once you're in, you're in, and there shall henceforth be no more harassments for passwords or 2FA or other insults.

However, as you know, there are circumstances in which you will be asked for a passcode or password anyway. Apple is slowly, inexorably, moving away from that requirement... as it should be.

As far as security goes, passwords are horrible, and horribly outdated.

Boring video: Meet passkeys - WWDC22 - Videos - Apple Developer

Looks like John Galt has already provided you the answer to your question.

I would think that there will be three likely scenarios when accessing websites going forward:

1. The website does not support WebAuthn.
2. The website does support WebAuthn and prompts you.
3. The website does support WebAuthn, but doesn't prompt you.

Your question relates to the last of these. One way to verify that the website does actually support WebAuthn, is that they may provide a Passkey "banner" that you would have to manually select to start the process. Alternately, when you use their login page, they may offer the Passkey option. If you see neither, then chances are pretty good that the first scenario is in play.

Consider it done ... thanks!

Or is the fact that I have Passwords synced using my Apple Account sufficient?

That's what does it. There is probably a way to "opt out" of that synchronization but I haven't bothered to look into it.

Lack of biometrics or other secure means of authentication is probably the reason we have had to endure things like having passwords time out after some arbitrary number of days, not being able to reuse the last dozen or so passwords, requiring some number of "special" characters, or numerals, or mixed case, or whatever, when none of that is "special" to a computer... etc. The whole concept has become a farce. Realizing that, Apple is at least a decade ahead of anyone else on the subject.

Remember this? (paywall but you get the idea)

Of course, if someone really wants to go to all the trouble to submit an NSF grant, perhaps I should let them.

😆

John Galt wrote:

Lack of biometrics or other secure means of authentication is probably the reason we have had to endure things like having passwords time out after some arbitrary number of days, not being able to reuse the last dozen or so passwords, requiring some number of "special" characters, or numerals, or mixed case, or whatever, when none of that is "special" to a computer... etc. The whole concept has become a farce. Realizing that, Apple is at least a decade ahead of anyone else on the subject.

I hadn't bothered to learn much about them or try the until this whole NSF thing. I really like how it works. It's much simpler than the authenticator I need to use for work. Or for the other federal grant portal.

As far as adoption goes, people seems receptive to passkeys in a manner analogous to APFS. Lots of concerns, and some of them were justifiable, but after a while people get used to it and don't question it any more. It "just works". Nobody gave the slightest thought to APFS when iOS incorporated it in 10.3.

It's not as though people had any meaningful understanding of traditional file systems either, but they have been around too long for anyone to have even raised any concern. For that matter so have passwords — to my knowledge passwords were never transmitted from one system to another in plain text, and Macs haven't stored them in any readable form anywhere for years, but they were familiar enough to everyone that nobody was concerned.

The same thing will apply to passkeys... until they too are supplanted by something else.