It's time for a security upgrade: Learn how to add support for passkeys to create a quick and easy sign-in experience for people, all while offering a radical increase in account security. Passkeys are simple and strong credentials built to eliminate phishing attacks. We'll share how passkeys are designed with security in mind, show you how people will use them, go over how to integrate passkeys into your login flow, and explore the platform and web APIs you need to adopt this feature.
- About the security of passkeys
- Connecting to a service with passkeys
- Have a question? Ask with tag wwdc2022-10092
- Supporting passkeys
- Enhance your Sign in with Apple experience
- Support multiple users in tvOS apps
- What’s new in privacy
Hi, I'm Garrett, an engineer on the Authentication Experience team. And in this video, I'm excited to talk about passkeys, a next-generation authentication technology. But first, I need to talk about today's authentication technology: passwords. You're probably used to signing in to nearly every app and website with them. Passwords are really hard to use securely. All of us know we're supposed to create strong, unique passwords for every account, but not many people actually do. As you're designing your apps and websites, there's this constant tradeoff between keeping accounts secure and designing a good experience. And even if your apps and websites do everything right, issues like phishing and password reuse can still lead to account compromise.

In macOS Monterey and iOS 15, we announced a developer preview of the solution -- passkeys -- and got so much great feedback. In macOS Ventura and iOS 16, we're excited to make passkeys available to everyone. Now is the time to adopt them. With passkeys, not only is the user experience better than a password, but also entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore. And they're so easy to use. Let me show you.

Let's start with our favorite demo app, Shiny. This app lets me see one cute picture a day and has a typical password-based sign-in flow. I can tap in the user name field and see an AutoFill suggestion for my account. I'll select that, sign in. Then, I can fill in my password.
Then, I wait around for a little bit until an SMS message comes in with my one-time code.
There it is. And eventually, I'm signed in. It took a few steps, but with the help of AutoFill and my password manager, I was able to get there.
Now that I'm signed in, I'll add a passkey to this account. Account Management, Add passkey. Here, I get the system sheet for creating a passkey. Continue. Done! In just a few taps, my device has generated a unique, cryptographically strong key pair for my account and stored it in my iCloud Keychain, so it will sync and work across all of my devices running macOS Ventura and iOS 16.
Now that I have a passkey, let me show you how easy it is to use. I'm going to sign out, and I'm back at the same sign-in form I used earlier. I'm going to focus the user name field like before. Now that I have a passkey saved for my account, it shows up in the QuickType bar. All I have to do is tap it and I'm signed in. One step. When saving the passkey, I didn't have to come up with a new password or try to satisfy any complexity requirements. Each passkey is generated by the system and guaranteed to be strong and only ever used for a single account. And when I'm signing in with it, it can be shown in the existing sign-in flows I'm used to, and it's a single tap to use. And the system will take care of only letting me use it in the correct app or website, with strong built-in phishing resistance. Of course, passkeys work on the web too. Here I am on Shiny's website in Safari. Just like on my phone, when I focus the user name field, my passkey is already there and ready to use, thanks to iCloud Keychain. All I have to do is Touch ID and I'm signed in. That's it. Apple's passkey implementation is built on open standards. We've been working with other platform vendors within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible. After upgrading my account to use a passkey, I'm still able to sign in to it on my friend's PC. Of course, my friend's PC doesn't have the passkey saved locally, but I can still type my user name here. When I press Sign In, I get a sheet that's offering to let me use my phone. Then I get a QR code. Let me scan that.
My phone recognizes that this QR code is for signing in with a passkey. When I select this option, my phone and the browser securely connect to each other. Now I can just Continue, and I'm signed in. This cross-platform sign-in experience is a first-class system feature that's part of the standards behind passkeys. On the surface, it appears incredibly simple, but this is not just a QR code. Behind the scenes, the devices are performing a local key agreement, proving proximity, establishing an end-to-end encrypted communication channel, all to let you sign in in a way that's easy but maintains the strong phishing resistance of passkeys. It works great for allowing me to sign in securely to my account on any device. Another important feature for a password replacement is the ability to share accounts between two or more people. To share a passkey with someone else, I can use AirDrop.
My partner and I also have an account for Shiny that we share, which I've already upgraded to use a passkey. With a passkey, the credential isn't something I could type, but I'm still able to share it with people I trust. On my phone, I'll open up the account details.
Here are all of my accounts, which use both passwords and passkeys. I can tap on our shared account to pull up more details. Here, I can get some information about my saved passkey or add a note to this account. I can also share my passkey. There's my partner's phone. I'll go ahead and select that.
Now my partner has the passkey too.
This whole process is performed by the device and the web browser. The website is not involved at any point in the cross-device communication. Cross-device, cross-platform sign-in is a system feature that just works anywhere passkeys can be used. So that's a more technical look into how passkeys work and how they can make such strong security guarantees, even across devices.

Next up, multifactor authentication. A common way to think about authentication today is in terms of factors. Different factors are strong or weak against different kinds of attacks, and combining factors can provide better collective coverage. But with passkeys, you don't need to think like that anymore. Here are some of the most common methods used to sign in today. Passwords in your head are vulnerable to pretty much everything. Password managers are good at generating unique, high-entropy strings, may have local protections against device theft, and offer some hints about phishing. Adding an SMS or time-based code can help with theft or phishing in some circumstances but doesn't really solve either. With passkeys though, every passkey is a unique, device-generated key pair. On Apple devices, they're built on a strong foundation of local device protections. Passkeys also completely eliminate the human factor from phishing. And they can't be leaked by an app or website server, because the servers don't have the private keys. Adding factors to a password-based sign-in flow makes sense, as together they can protect against more types of attacks than passwords alone. But a passkey alone protects against so much more that it doesn't need additional factors.

I'm looking forward to a future without passwords. Here's how you can get started making that happen. First off, you'll need to adopt WebAuthn on your server, if you haven't already done so. Passkeys should work with any standard WebAuthn server implementation. Once your server is ready to go, adopt our new API in your apps and websites.
AutoFill-assisted passkey requests can be dropped right into your existing sign-in flows, plus we have a range of more advanced UI options as well, if you need them. And finally, transition your users away from passwords. Passkeys are an industry-standard solution to the convenience and security problem of securely signing in to apps and websites. By guiding your customers to passkeys and away from passwords, you can give them an incredibly quick and convenient sign-in experience while raising the security bar for everyone. Thank you.
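The AutoFill-assisted passkey request the session describes for websites is WebAuthn's conditional mediation. The following is an added JavaScript example, not code from the session or from Apple. It assumes a relying party whose ID is example.com and two hypothetical server endpoints, GET /passkey/options (returns a JSON object with a base64url challenge and the rpId) and POST /passkey/verify; the sign-in form's user name field must carry autocomplete="username webauthn" so the browser can list saved passkeys alongside its AutoFill suggestions.

```javascript
// Added example: AutoFill-assisted passkey sign-in on the web via WebAuthn conditional mediation.
// Assumptions (not from the session): RP ID "example.com"; hypothetical endpoints
// GET /passkey/options (returns {challenge, rpId}) and POST /passkey/verify.
// The sign-in form's user name field needs autocomplete="username webauthn" so the
// browser can surface saved passkeys in its AutoFill suggestions.

// WebAuthn hands the page ArrayBuffers; JSON transport uses base64url (RFC 4648 section 5, no padding).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function bytesToBase64url(buf) {
  const bytes = new Uint8Array(buf); // accepts an ArrayBuffer or a typed array
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Turn the server's JSON challenge into PublicKeyCredentialRequestOptions.
// allowCredentials is left empty on purpose: the browser then offers whichever
// passkeys it has stored for rpId, which is what the AutoFill flow relies on.
function buildAssertionOptions(serverOptions) {
  return {
    challenge: base64urlToBytes(serverOptions.challenge),
    rpId: serverOptions.rpId,
    allowCredentials: [],
    userVerification: serverOptions.userVerification || "preferred",
  };
}

// Flatten a PublicKeyCredential assertion into JSON the server can verify.
// The server must check clientDataJSON (type, challenge, origin), the rpIdHash
// and flags in authenticatorData, and the signature against the stored public key;
// the origin and rpIdHash checks are what makes the credential phishing-resistant.
function serializeAssertion(credential) {
  const r = credential.response;
  return {
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Start the conditional request as soon as the page loads; it resolves only when
// the user picks a passkey from the AutoFill suggestion. Dependencies are injected
// so the flow can be exercised outside a browser.
async function signInWithAutoFill({
  fetchImpl = globalThis.fetch,
  credentials = globalThis.navigator && globalThis.navigator.credentials,
  PKC = globalThis.PublicKeyCredential,
  signal,
} = {}) {
  if (!PKC || !PKC.isConditionalMediationAvailable || !(await PKC.isConditionalMediationAvailable())) {
    return null; // browser lacks conditional UI: the password form keeps working unchanged
  }
  const serverOptions = await (await fetchImpl("/passkey/options", { credentials: "same-origin" })).json();
  const credential = await credentials.get({
    publicKey: buildAssertionOptions(serverOptions),
    mediation: "conditional",
    signal,
  });
  const verify = await fetchImpl("/passkey/verify", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(serializeAssertion(credential)),
  });
  return verify.ok;
}
```

Call signInWithAutoFill({ signal: controller.signal }) with an AbortController once the page has rendered the form. If the page also offers a button that starts a modal (non-conditional) passkey request, abort the controller first; a pending conditional request and a modal request must not run concurrently. The server-side verification that the example hands off to is the standard WebAuthn assertion check, which is why any conforming WebAuthn server will accept these passkeys.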