{"id":133796,"date":"2023-05-15T14:00:23","date_gmt":"2023-05-15T14:00:23","guid":{"rendered":"https:\/\/developer.apple.com\/news\/?id=mgdnfp8w"},"modified":"2023-05-15T14:00:23","modified_gmt":"2023-05-15T14:00:23","slug":"spotlight-on-passkeys","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/05\/15\/spotlight-on-passkeys\/","title":{"rendered":"Spotlight on: Passkeys"},"content":{"rendered":"<div class=\"inline-article-image\"><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/05\/spotlight-on-passkeys.jpg\" data-hires=\"false\" alt><\/div>\n<p>If you\u2019ve ever dreamed of creating a more secure and phishing-resistant sign-in experience, we have good news.<\/p>\n<p>\u201cThere is a high chance that in a few years, Apple\u2019s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products,\u201d wrote Matthias Keller, <em>Kayak\u2019s<\/em> chief scientist and SVP of technology, in a 2022 op-ed piece on the subject. <\/p>\n<p>Passkeys offer a faster, easier, and more secure sign-in experience for your apps and websites. They\u2019re strong, resistant to phishing, and designed to work across Apple devices, as well as nearby non-Apple devices. And because they\u2019re integrated with Touch ID and Face ID, people can use passkeys like they would any other sign-in system or routine. <\/p>\n<p>A passkey is a cryptographic entity used in place of a password that\u2019s made up of two keys: one public, one private. The public key is registered with an app or website and kept on a web server, while the private key is stored on devices. When someone attempts to sign in, the app or website creates a challenge. 
The private key signs the challenge to create a signature and the public key is used to verify that signature without revealing what the private key is.<\/p>\n<p>While there\u2019s a lot going on behind the scenes, most people won\u2019t know \u2014 or need to think about \u2014 any of it. With passkeys, there\u2019s nothing to create, guard, or remember. Plus, the private key is stored in iCloud Keychain and is end-to-end encrypted for another layer of security.<\/p>\n<h3>Kayak: \u201cYou just initiate the process\u201d<\/h3>\n<p><em>Kayak\u2019s<\/em> Keller isn\u2019t just a longtime digital security evangelist with years of history in the field. He&#8217;s also a dad \u2014 and that poses its own host of security challenges.<\/p>\n<p>\u201cBetween activities and school, I\u2019m constantly creating accounts and passwords, all of which have a variety of stipulations,\u201d Keller says. \u201cSome can\u2019t be longer than 16 characters, some require special symbols, and others won\u2019t even recognize an exclamation point. And I know from experience that companies face similar challenges when it comes to protecting passwords.\u201d<\/p>\n<p>Keller has been involved with <em>Kayak\u2019s<\/em> various login approaches throughout his 10 years with the company. Prior to passkeys, the app relied largely on \u201cmagic links\u201d sent via email. \u201cBut it was getting more and more complex to ensure the security of magic links, especially when supporting logins across devices,\u201d Keller says.<\/p>\n<p>When Keller first heard about passkeys, he knew they were right for <em>Kayak<\/em>. \u201cThe moment it clicked for me was when I saw the first prototype and how easy it was to use,\u201d he says. <em>Kayak<\/em> was one of the very first to support passkeys, releasing their update at the same time as the feature\u2019s public release in September 2022. 
<\/p>\n<p>The <em>Kayak<\/em> team was able to adopt passkeys so quickly in part because of the underlying framework and documentation supporting the feature. \u201cWorking on the server is my day-to-day, but I\u2019m not afraid of doing a little bit of Swift, too,\u201d he says. \u201cLuckily, integrating passkeys was light on the UI side. We only had to initiate the experience provided by Apple.\u201d<\/p>\n<p>Feedback was overwhelmingly positive. In the feature\u2019s first three weeks of availability, thousands of people created passkeys on <em>Kayak<\/em>. Almost 20 percent of those were existing users who manually opted into the new technology.<\/p>\n<p>\u201cThe world before passkeys was broken,\u201d he says. \u201cYou have all these obscure password rules, as well as expiration and compliance issues \u2014 and it can be extremely expensive to offer authentication because you have to buy security products or hire someone to run it for you.\u201d Keller\u2019s work at <em>Kayak<\/em> is part of a larger drive to get more companies around the world to support this new open standard \u2014 one that protects its developers as much as its customers. \u201cYou no longer need to protect millions of passwords. Now we only store public keys, which are pretty useless to hackers.\u201d<\/p>\n<p>For Keller, passkeys are now a crucial part of <em>Kayak\u2019s<\/em> security strategy. \u201cWe\u2019ve got a long journey until the last password is gone, but it&#8217;s exciting to see where we&#8217;re headed,\u201d he says. <\/p>\n<h3>Instacart: \u201cIt seemed like a perfect match\u201d<\/h3>\n<p><em>Instacart<\/em> senior mobile engineer Josh Schroeder was on paternity leave when passkeys were introduced at WWDC22, but he made a note to dig into the idea upon his return. 
\u201cBetween the reduced friction and improved security, it seemed like a perfect match,\u201d he says.<\/p>\n<p>The <em>Instacart<\/em> team signed off on the idea quickly, encouraged by the opportunity to reduce sign-in friction. \u201cThat was the biggest selling point for me,\u201d says Brandon Lawrence, <em>Instacart\u2019s<\/em> senior software engineer. \u201cWell, that and not having to remember another password.\u201d <\/p>\n<p>For <em>Instacart<\/em>, there was a second benefit as well: the opportunity to pare down duplicate accounts. \u201cWhen they don\u2019t remember their password, a lot of people just create another account,\u201d says Schroeder. Passkeys avoid that unnecessary (and annoying) duplication. Because devices keep track of passkeys, there&#8217;s nothing to remember.<\/p>\n<p>The early implementation process made Lawrence \u2014 who spent part of his pre-tech career as a meteorologist in the Marines \u2014 feel like something of a passkeys pioneer. \u201cFor much of what we build, we can look at the many people who\u2019ve done it before. This time there was a lot more exploration, a little more feeling like we were in uncharted territory. Once we got it into place, it was relatively smooth.\u201d<\/p>\n<p>Today, passkeys are presented as the default sign-in option when creating an <em>Instacart<\/em> account with an email address (although if someone declines, the app offers the option to create a traditional password). More than half of new <em>Instacart<\/em> customers who created accounts with an email address have adopted the feature, and plans are underway to gradually convert existing accounts as well. 
\u201cWe believe in passkeys,\u201d says Schroeder, \u201cand we think this will become really common.\u201d<\/p>\n<h3>Resources<\/h3>\n<section class=\"grid activity\">\n<section class=\"row\">\n<section class=\"column large-4 small-4 no-padding-top no-padding-bottom\"> <a href=\"https:\/\/developer.apple.com\/wwdc22\/10092\" class=\"activity-image-link\"> <img decoding=\"async\" class=\"actiity-image medium-scale\" width=\"250\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/05\/spotlight-on-passkeys-1.jpg\" data-hires=\"false\" alt> <\/a> <\/section>\n<section class=\"column large-8 small-8 padding-left-small padding-top-small padding-bottom-small no-padding-top no-padding-bottom\"> <a href=\"https:\/\/developer.apple.com\/wwdc22\/10092\"> <\/p>\n<h4 class=\"no-margin-bottom activity-title\">Meet passkeys<\/h4>\n<p class=\"activity-description\">It\u2019s time for a security upgrade: Learn how to add support for passkeys to create a quick and easy sign-in experience for people, all while offering a radical increase to account security. Passkeys are simple and strong credentials built to eliminate phishing attacks. 
We\u2019ll share how passkeys&#8230;<\/p>\n<p> <\/a> <\/section>\n<\/section>\n<\/section>\n<section class=\"grid activity\">\n<section class=\"row\">\n<section class=\"column large-4 small-4 no-padding-top no-padding-bottom\"> <a href=\"https:\/\/developer.apple.com\/news\/?id=21mnmxow\" class=\"activity-image-link\"> <img decoding=\"async\" class=\"actiity-image medium-scale\" width=\"250\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/05\/spotlight-on-passkeys-2.jpg\" data-hires=\"false\" alt> <\/a> <\/section>\n<section class=\"column large-8 small-8 padding-left-small padding-top-small padding-bottom-small no-padding-top no-padding-bottom\"> <a href=\"https:\/\/developer.apple.com\/news\/?id=21mnmxow\"> <\/p>\n<h4 class=\"no-margin-bottom activity-title\">Q&amp;A with the passkeys team<\/h4>\n<p class=\"activity-description\">Get answers from the passkeys team about adoption, account recovery, multiple devices, and more.<\/p>\n<p> <\/a> <\/section>\n<\/section>\n<\/section>\n<p><a href=\"https:\/\/developer.apple.com\/passkeys\/\" class=\"icon icon-after icon-chevronright\">Passkeys overview<\/a><\/p>\n<p><a href=\"https:\/\/support.apple.com\/en-us\/HT213305\" class=\"icon icon-after icon-chevronright\">About the security of passkeys<\/a><\/p>\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/authenticationservices\/public-private_key_authentication\/supporting_passkeys\" class=\"icon icon-after icon-chevronright\">Supporting passkeys<\/a><\/p>\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/authenticationservices\/connecting_to_a_service_with_passkeys\" class=\"icon icon-after icon-chevronright\">Connecting to a service with passkeys<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve ever dreamed of creating a more secure and phishing-resistant sign-in experience, we have good news. 
\u201cThere is a high chance that in a few years, Apple\u2019s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products,\u201d wrote [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[],"class_list":["post-133796","post","type-post","status-publish","format-standard","hentry","category-apple-developer-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/133796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=133796"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/133796\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=133796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=133796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=133796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}