Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.
As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”
While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.
How Do Apple’s Passkeys Work?
Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (W3C). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.
When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.
When you try to sign in to one of your accounts using a passkey, the website or app’s server sends your device a “challenge,” essentially asking your device to prove that it’s you logging in. The private key, which is stored on your device, is able to answer this challenge and send its response back. This answer is then validated by the public key, which then allows you to log in. “This means the server can be sure that you have the right private key, without knowing what the private key actually is,” Davidson said.
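The sign-in exchange described above, as an added Node.js example (not Apple's code and not from the original article). It is a simplified form of a WebAuthn assertion; the relying party example.com, the origin other.example and all function names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const RP_ID = "example.com";            // constructed relying party (assumption)
const ORIGIN = "https://example.com";   // origin the server expects
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Registration: the device generates the pair; only the public key is sent to the server.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge for every sign-in attempt.
const newChallenge = () => crypto.randomBytes(32).toString("base64url");

// Device: sign authenticatorData || SHA-256(clientDataJSON), the byte string WebAuthn signs.
function deviceSign(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const rpIdHash = sha256(new URL(origin).hostname);
  // One flags byte (user present + user verified) and a 4-byte signature counter.
  const authenticatorData = Buffer.concat([rpIdHash, Buffer.from([0x05, 0, 0, 0, 0])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", signed, device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server: check the challenge and origin it expects, then verify with the stored public key.
function serverVerify(serverRecord, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, serverRecord.publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { device, serverRecord } = createPasskey();
  const first = newChallenge();
  const answer = deviceSign(device, first, ORIGIN);
  const otherDevice = createPasskey().device;   // a key pair the server has never seen
  return {
    login: serverVerify(serverRecord, first, answer),
    replay: serverVerify(serverRecord, newChallenge(), answer),  // old answer, new challenge
    otherOrigin: serverVerify(serverRecord, first, deviceSign(device, first, "https://other.example")),
    wrongKey: serverVerify(serverRecord, first, deviceSign(otherDevice, first, ORIGIN)),
  };
}
console.log(demo());
```

The server side only ever holds `publicKey`; a captured answer is useless against the next challenge, and an answer produced for a different origin or by a different key fails verification.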
What if I Don’t Use Only Apple Devices?
Because Apple developed its passkeys based on the FIDO Alliance standards, the passkeys can work across devices and on the web. If you try to log in to one of your accounts on a Windows machine, you’ll have to use a slightly different method since your passkeys won’t be stored on that machine. (If they are saved in an external password manager, you would need to log in to that first.)
Instead, when you log in to a website in Google Chrome, for example, you will have to use a QR code and your iPhone to help you sign in. The QR code contains a URL that includes single-use encryption keys. Once scanned, your phone and the computer are able to communicate using an end-to-end encrypted network via Bluetooth and share information.