Apple wants to replace all passwords with biometrics

[Hydrogen]

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

YOUR PASSWORDS ARE terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” ​​Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.


https://www.wired.com/story/apple-passkeys-password-ios16-ventura/

....


Apple wants to replace passwords with facial recognition and fingerprint derived passcodes.

One of bitcoin's biggest selling points was it catering to a claimed 4 billion unbanked demographic around the world.

Apple's shift towards biometric based passcodes trends in the opposite direction. It limits their userbase by hardware support. Fewer end users have facial or fingerprint recognition to support the system.

Over the years there have been many successful attempts to fool fingerprint scanners. Biometrics certainly are not foolproof or hack proof.

Does anyone think this will succeed?

[1714886916]

1714886916

[1714886916]

1714886916

[1714886916]

1714886916

[1714886916]

1714886916

[1714886916]

1714886916

[BitMaxz]

This should succeed in the future since this is the only solution to secure accounts compared to using a password that is vulnerable to any attacks like phishing, brute-force attacks and etc...

Biometrics is already been tested for many years not just on Apple devices but also on Android devices. I have my phone not apple but Samsung the Iris scanner for my pattern or passwords looks the best Biometrics that I have ever experienced.
 
But I hope they don't totally remove the password login because if the owner or a user accidentally has a broken/missing finger or had scars on their face they can't easily access their account and it may become an unrecoverable account.

So owners/users should still have an alternative way to log in like passwords or recovery seed for emergency cases.

[jackg]

I wonder how they plan to make the system secure against malware and similar attacks. I'd assume maybe a separate chip would be the best way to go with this but that might eat into their profits so they'll probably find a way that's less secure but still robust against attackers (eg a space away from where a normal user or app would be able to access).

I'd be surprised if this hasn't already been attempted or already been done with this already, I think this technology could be made more secure if an nfc card was also used to offer an extra key to decrypt the password database (eg the main encryption key as you won't get much with that alone - they can also likely already be made more secure as bank cards have already had to be).

[Hispo]

Despite of biometrics solutions being better than passwords, they are still vulnerable to theft of data, the biometric information can be stolen.
I'd rather an approach where people started to use universal small cryptographic devices which would work in a similar way Trezor T does to login through U2F, maybe even combine both approaches to harden the security of the accounts.

It also worries me the fact that biometric data is far more sensible than passwords. If someone gets a password leaked they will have problems with one account or one of many services, on the other hand, getting one's biometric data leaked means one cant use the same data anymore to access a service (not mentioning that data also has legal implications: passports, ID's, documents, Ect.).

In the end, we can change our passwords but we cannot change our fingerprints, our iris or face so easily...

[Wexnident]

This technically combats methods to crack passwords such as Bruteforcing, Rainbowattacks, and methods similar to it, but I don't think it prevents phishing/malware. From what I read said passkeys would store the biometric data in the devices themselves and not a server, so hackers can technically get said data right? I guess the idea is worth it if it prevents part of the methods that are used to steal the passwords of others but I think new issues are created like others have said which is you can't exactly change your biometrics.

[Rikafip]

Does anyone think this will succeed?

Yeah it probably will as users will always go for more convenient option, not thinking about the consequences.

One suggestion: no need to copy/paste the whole article, few paragraphs that cover what it is about should be enough and then those who want to read the rest can do it at the source.

This should succeed in the future since this is the only solution to secure accounts compared to using a password that is vulnerable to any attacks like phishing, brute-force attacks and etc...

Biometrics verification also has its own set of the problems and its far from being perfect. For me personally password protection is still the way to go, and if set properly (saomething that many fail at but that's not password problem)it is still superior to biometrics in vast majority of cases.

If someone gets a password leaked they will have problems with one account or one of many services, on the other hand, getting one's biometric data leaked means one cant use the same data anymore to access a service (not mentioning that data also has legal implications: passports, ID's, documents, Ect.).

Yep, that's my main problem when it comes to biometrics as once you get your data leaked you are screwed. And we all know how secure our data is...

[The Sceptical Chymist]

If someone gets a password leaked they will have problems with one account or one of many services, on the other hand, getting one's biometric data leaked means one cant use the same data anymore to access a service (not mentioning that data also has legal implications: passports, ID's, documents, Ect.).

Yep, that's my main problem when it comes to biometrics as once you get your data leaked you are screwed. And we all know how secure out data is...

Not being as tech-savvy as the rest of y'all, that wasn't my main problem with this.  I don't like biometric data being in the hands of big tech companies, because I don't trust who they're going to share that data with.  In fact, I don't trust big tech companies as a general principle (though unfortunately I'm in an abusive relationship with them that I can't seem to get out of).

The article cites the fact that many people are using passwords like "123456" and so forth.  I'm not sure if that's an argument for the implementation of biometric "passwords" as much as it is for educating people on using stronger passwords and just being more mindful of their online security in general.  But I swear, if this becomes the industry standard, you'll be seeing me in 2040 using a smartphone from 2022--and hopefully living in my campaign farm castle in utopia somewhere where the weather is nice and the women abound.  Lol.

[NeuroticFish]

Does anyone think this will succeed?

I don't see any reason why this would not succeed. I completely agree that the security of smartphones is a joke anyway. Also most users are lazy and biometrics fit just fine to their needs.
The only question is if they can make biometrics reliable enough in all the versions they'll make. Since if at some point those won't work, they'll suddenly have a huge lot of angry customers.
What I mean is that it's not uncommon that on cheaper (and somewhat older?) Android phones fingerprint just fails to recognize you 7 of 10 times. Apple will not afford this kind of failures.

[Ahli38]

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

YOUR PASSWORDS ARE terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

the underlined reason I think it contains a question mark. passwords store our personal data. submitting biometrics is the same as submitting our biometric data / personal data as well.
however i feel this is tantamount to giving kyc all the time.

This is tantamount to handing over our biometric data to the company. because as far as I know these biometrics include things like

1. fingerprint
2. face scanner.
3. retina scanner.
4. iris scanner.
5. Voice Recognition .

I feel like I'll actually have wild thoughts and full of fear when I have to hand over my body data like that. However, I am reminded of the James Bond and Mission Impossible films. where when we get biometric data of important people. then we can make a replica like a face mask that is similar to the original. (sorry I watch too many movies). what's worse is when a leaked fingerprint is used for a crime by someone.

ah... I hope this really doesn't apply.
this is a more severe version of kyc.

The article cites the fact that many people are using passwords like "123456" and so forth.  I'm not sure if that's an argument for the implementation of biometric "passwords" as much as it is for educating people on using stronger passwords and just being more mindful of their online security in general.  But I swear, if this becomes the industry standard, you'll be seeing me in 2040 using a smartphone from 2022--and hopefully living in my campaign farm castle in utopia somewhere where the weather is nice and the women abound.  Lol.

I think I will do the same with you. However, our body data is far more dangerous if it is leaked. while the leaking of the password wasn't too much of a problem. although that's actually a problem. but passwords are just a collection of letters and numbers or symbols. while biometric data is the rough data of our body. So it's important to take care of it.

[mk4]

Despite of biometrics solutions being better than passwords, they are still vulnerable to theft of data, the biometric information can be stolen.

Privacy concerns aside, people would most likely use this feature simply because it's far easier to use and the fact that the typical person doesn't need to remember passwords. This is the main reason why these companies win a lot of users while privacy freaks are very low in population — simply because these companies know how to nail UI/UX.

[bakasabo]

I wonder how they plan to make the system secure against malware and similar attacks.

Isnt their system already secure enough? I havent read any news about Apple biometrics being hacked. I remember there were few cases when Apple added face id in 2017. But that these cases were exceptions and in most cases, people did not figure out till the end how system works and raised panic. Right now, Apple biometrics systems looks like most secure. If a user sets face ID security or a password, even Apple cant crack it.

[Lucius]

People should be given the option to use the classic ways to protect their accounts or choose the biometric option - because if Apple thinks everyone is so naive as to use simple passwords that you can guess, I say there are people who know how to protect themselves well without biometrics.

I had the option to unlock my laptop with face recognition 10+ years ago and it worked quite solidly, although I preferred a strong password. I've never used this option on smartphones, even though I have it, but I use fingerprint unlocking, although in some situations I still prefer PIN lock/unlock.

What I've noticed about fingerprint locking is that the sensor usually doesn't recognize the fingerprint when you wash your hands, or if your hands are dirty - and that you may have facial recognition problems if for some reason you don't look the way the camera recorded you at the time of facial sampling.

In terms of security, there are various tricks to bypass the fingerprint sensor, as well as to fake the fingerprint - but what about twins who are identical and facial recognition - not to mention masks that can be made with today's technology so you can look like anyone in the world.

[Zilon]

Do we think biometrics is safer? Here is the thing for facial recognition and Biometrics it is easier to develop softwares that captures and save this two on devices using Ai. Typed Passwords might not be safe either but to some extent it is more secure and less expensive but for biometrics it is expensive and still open to counter technologies.

There are apple users who can comfortable secure their device for years with typed password and no one can hack into their device. Instead of a complicated technology it is better apple school their users on best security using password manager and authenticators approach and what a typical secured password should look like other than compound the technology and give hackers the opportunity to work on a counter technology for this facial recognition and biometrics

Android Biometrics for example is easy to break through with just a white cellotape  and white transparent masking papers then what guarantee is Apple giving that their will be more secure

[davis196]

Adding biometric verification would mean a total end for online privacy.
I'm no expert in spying technologies, but your smartphone can basically track your location, your browsing history, even your phone calls.
What if your smartphone is spying even more sensitive data like fingerprints, iris, etc? Who is going to guarantee that this data won't be leaked? I don't trust Apple.
Using weak passwords as a excuse to implement biometric verification seems like a weak excuse. Apple could just impose rules for stronger passwords, like minimum amount of characters, numbers, capital letters, special characters. This isn't rocket science.
It seems like the "big tech" wants to spy on us even more.

[lovesmayfamilis]

In addition to the fact that Apple often has errors when unlocking with a fingerprint, now they are coming up with a new feature? In my country, at any temperature drop, the phone simply refuses to recognize my fingerprint at all, and I have to additionally unlock it with a password. But besides this, the phone can simply freeze. And now we will be deprived of the password. But what if someone decides to grow a beard, or, on the contrary, shave off his mustache, or, well, something will change in appearance?

I'm not sure that all innovations are made for the benefit of people. This is another one hundred thousandth attempt to take the whole world under its full control.

Confidentiality becomes a fairy tale, but not a reality.

[BitcoinPanther]

I think that Apple just wanted to ride the trend since verification on some companies are implementing Biometrics.  This is more of a show off than considering the safety of the privacy of their users.  If they care for their customers, they should have educated them about the importance of stronger passwords.  It doesn't harm if they add another piece of documents on their packaging informing their users about the importance of strong password.

Well, they are in a business, implementing this kind of verification can give them a boost in promotion and at the same time they can increase the price of their item.  I don't think they are concern about the security but rather the profit it will add on their stash if this kind of technology is implemented.

I'm not sure that all innovations are made for the benefit of people. This is another one hundred thousandth attempt to take the whole world under its full control.

Innovations are made for the company profit not for users.  It so happen that some of this innovations benefit the users as well.

[Mometaskers]

So basically they want to add a biometric password manager, like sone services already offered today? Having a phone feature manage all your different social media and site accounts, nothing could go wrong there. 

Biometrics can be cheated, if they're going to roll this out I'd rather also have a pin/pattern/password in combination with the biometric login. You're just gonna memorize one password anyway, that shouldn't be hard.

[PrivacyG]

This should succeed in the future since this is the only solution to secure accounts compared to using a password that is vulnerable to any attacks like phishing, brute-force attacks and etc...

Biometrics is already been tested for many years not just on Apple devices but also on Android devices. I have my phone not apple but Samsung the Iris scanner for my pattern or passwords looks the best Biometrics that I have ever experienced.
 
But I hope they don't totally remove the password login because if the owner or a user accidentally has a broken/missing finger or had scars on their face they can't easily access their account and it may become an unrecoverable account.

So owners/users should still have an alternative way to log in like passwords or recovery seed for emergency cases.

I respect your opinion but I also can not help but argue.  At first glance, it does seem 'the solution'.  But is it really less vulnerable than a password?  Say you are a journalist owning some crucial information on a phone.  Now should someone retain you, here is how the events may go.

1.  Your phone is encrypted with a password.  They will beat you up, try to enter the password a thousand times, maybe even kill you.  But you will not say ANY part of the password and would rather die with the files forever encrypted instead.
2.  Your phone is encrypted with biometrics.  Now all they need is to cut your finger or just tie you up and use your finger, face or iris against your will to unlock the phone and sweep the crucial data off it.

I would say passwords are MUCH safer than biometrics are.  Sure, it may be so much easier to unlock your phone by just touching it or looking at it, but is it worth trading privacy and personal security for comfort?

Not to mention there are other kind of vulnerabilities when using biometrics such as theft of identity.  I would personally never trust a fingerprint reader on a phone because I have no idea where that information ends up and who could use it against me.  It is just too dangerous for me to even contemplate using it.

-
Regards,
PrivacyG

[Lucius]

Adding biometric verification would mean a total end for online privacy.
I'm no expert in spying technologies, but your smartphone can basically track your location, your browsing history, even your phone calls.

The privacy you are talking about has long been just a story for young children (if they even believe it), because regardless of biometrics in this case, smartphones are spy boxes anyway, especially for those who do not even try to turn off some options which would give them more privacy. For those who haven't heard, big brothers from all over the world have long since found a way to get into any smartphone -> Pegasus

What if your smartphone is spying even more sensitive data like fingerprints, iris, etc? Who is going to guarantee that this data won't be leaked? I don't trust Apple.

Do you trust any other company more? In the end, it all comes down to who is spying on you, because we don't have to delude ourselves that the world is what they want to show us - it's (and much worse) than what the most famous whistleblower in recent history has shown.

[Rikafip]

In fact, I don't trust big tech companies as a general principle (though unfortunately I'm in an abusive relationship with them that I can't seem to get out of).

It's almost impossible to completely get away from them at this day and age, unless you have no issues going completely off the grid and living like Ted Kaczynski.

But I swear, if this becomes the industry standard, you'll be seeing me in 2040 using a smartphone from 2022--and hopefully living in my campaign farm castle in utopia somewhere where the weather is nice and the women abound.  Lol.

This will 100% become industry standard, just the matter of time. Thing is, people (and other companies) usually laugh at Apple's "innovations" and then in a year or two they start doing the same thing.

I think that Apple just wanted to ride the trend since verification on some companies are implementing Biometrics.

On the contrary, Apple starts the trends. It sucks, but that's how it works.

[Rruchi man]

People should be given the option to use the classic ways to protect their accounts or choose the biometric option - because if Apple thinks everyone is so naive as to use simple passwords that you can guess, I say there are people who know how to protect themselves well without biometrics.

The freedom of having options to pick from should not be taken away. The insecurity and vulnerability that they are seeking to eliminate will always exist, users have a special role to play in safety of their device/account.

There are many disadvantages to choosing biometric technology alone, I recently got burnt trying to carry a hot pot from the fire with my bare hands, it caused a nasty injury on my thumb which happens to be the only finger I registered as a biometric pass into my mobile device, because the injury affected my fingerprint pattern temporarily, I experienced some challenges trying to access my phone. If I had not set up ''password access'' as a fail safe, I wonder what I would have done and how I could have accessed my phone.

Biometric access which largely depends on physicality's like your face and fingerprint cannot be depended on alone because they do not account for cases of accidents where a victim may loose access to their device/account because of a lost limb(arm) or a face disfigured by accident. And what of a situation where some individuals need access to your device/account. It will be easier for them to tie you to up and forcefully use your biometric details (face or fingerprint) to access your device without your cooperation than for them to gain access when your password is not just biometrics.

The assumption that apple is building on that people do not have very secure passwords hence trying to make biometrics their best and only option should not be accepted. The freedom to choose should not be taken away.

[Zlantann]

This innovation is welcoming because it would indeed improves the security of Apple devices. But I think it should be optional and not a compulsory requirement to own an Apple device. I have experience diverse issues using fingerprints and facial ID that my best security option is using password. Transferring one's personal data to a company is riskier than password. With passwords I have the sole responsibility of protecting my password but with biometrics I have transferred my security to a company. For me, my trustworthy wife knows the passwords to all my devices because of uncertainties. If biometrics is the only option, how would the device be unlocked in case of death, accidents that effects the face or hands or in case of other emergencies?  

[so98nn]

Most of the age groups are familiar with the biometrics these days and also in all android users are way more than apples users. However, Android has smoothly implemented their biometric logins on all the smartphones.

So this feature is further integrated with all the apps on the play store (same goes for iOS App Store) wherever login credentials are required it can be replaced with face or fingerprint recognition.

I think we are already one step closer to what Apple is dreaming. It won’t be big deal for them.

Even banking apps / Unified Payment System apps use this feature.

[doomloop]

Apple's shift towards biometric based passcodes trends in the opposite direction. It limits their userbase by hardware support. Fewer end users have facial or fingerprint recognition to support the system.

Over the years there have been many successful attempts to fool fingerprint scanners. Biometrics certainly are not foolproof or hack proof.

Does anyone think this will succeed?

This wasn't a new thing but we already have these types of security before and I think that many people don't prefer them but they still prefer the old school way of accessing their device and that is the password and the 4 digit pin. The reason why is the device sometimes doesn't unlock in fingerprint and facial recognition because your face looks different sometimes and your fingers are sometimes wet or sweaty.

If fingerprints can be bypassed then there's a chance that facial recognition can be bypassed as well. There is no safe anymore in this world. I think the only thing we can do is don't store all your funds or important data's on your phone. Just in case it'll be accessed by an unauthorized person.

[Johnyz]

I agree that biometrics isn`t perfect decision, there are also problems with it, apple just need to do smth, so they do it, but I am not sure it will be popular among users

We can’t expect a perfect system right away, most probably problems will still occur but the whole idea and concept of using biometrics is amazing, the future is still bright for us and hopefully they can work on this perfectly so we can expect a more secured way of having an accounts. This is a good innovation, many will surely adopt with this once its out in the market.

[goaldigger]

Over the years there have been many successful attempts to fool fingerprint scanners. Biometrics certainly are not foolproof or hack proof.

Does anyone think this will succeed?

There are issues before but maybe this time, it will work better since it will serve different purpose and seriously with the technology that we have right now, we might really end with this kind of system. I’m an apple user and I’m willing to give this a try as apple continues to work with other companies as well, this can be a good security once successful after all. There will be a trial and error, let’s just hope for the best result in the future.

[famososMuertos]

This innovation is welcoming because it would indeed improves the security of Apple devices. But I think it should be optional and not a compulsory requirement to own an Apple device. I have experience diverse issues using fingerprints and facial ID that my best security option is using password. Transferring one's personal data to a company is riskier than password. With passwords I have the sole responsibility of protecting my password but with biometrics I have transferred my security to a company. For me, my trustworthy wife knows the passwords to all my devices because of uncertainties. If biometrics is the only option, how would the device be unlocked in case of death, accidents that effects the face or hands or in case of other emergencies?  

The traditional option is not lost, I think in any case it is a question of the ToS (Apple).

By the way, this is is a really old technological system (it seems recent) but not , it has taken a long time to be of frequent use, but it has more and more "fashion" for its implementation in cell phones, who are really making it more frequent.

Your question in any case seemed interesting to me and although it is not specifically related to Apple I would like to share this link.
^{Will Fingerprint Work After Death?:https://newspatrolling.com/will-fingerprint-work-after-death/}

[Welsh]

Apple has never been known for its security to be fair. More about collecting data, same as Google, actually come to think of it, every company out there. Since, data makes money. Security, doesn't necessarily do so.

Do I think it'll pass? Maybe, not right now. However, it has come quite clear that in modern times we're getting lazy, and therefore we seek out convenience over security. Therefore, biometrics actually appeals to the vast majority of their network. So, yeah I do think biometrics will eventually become the standard.

However, I imagine they'll keep the optional passwords. If not, they'll likely be met with laws that make it compliance to offer the option. EU in particular is quite strict on these sort of things, I believe they recently passed the requirement for all Apple phones to require USB C rather than their own connector.

[bitzizzix]

Biometrics are just as effective as passwords, but for security there are special features like those found in Apple's biometric sensors. That is, it will not work if the subject dies.
and the mechanism can be said to be difficult, there is a weak current sensor that distinguishes living and dead body tissues. What is clear, surely the price of research and production is expensive.
If commonly used biometrics are relied on as privacy protections, then the vulnerability of crime increases, perpetrators could cut a finger or kill to forcibly unlock on condition that the account holder refuses to log in although it is unlikely, but reasonable if possible. something.
and on the other hand it is very dangerous in terms of cybersecurity, because if our data is hacked then hackers can ensure the validity of our data very accurately because biometric login and lock out activities can only be carried out by the subject recognized by the device.
There will be good and bad sides depending on who uses it whether it is important or not and whether we have to keep something valuable in it.

[Paul Pogba]

Security issues are increasing because more and more data theft, this has become the most important thing for many companies so that various ways are done to ensure data security, what Apple is actually doing is not the first idea, because I've heard many companies have ideas for security, namely by biometrics for PIN or password.

[South Park]

This should succeed in the future since this is the only solution to secure accounts compared to using a password that is vulnerable to any attacks like phishing, brute-force attacks and etc...

Biometrics is already been tested for many years not just on Apple devices but also on Android devices. I have my phone not apple but Samsung the Iris scanner for my pattern or passwords looks the best Biometrics that I have ever experienced.
 
But I hope they don't totally remove the password login because if the owner or a user accidentally has a broken/missing finger or had scars on their face they can't easily access their account and it may become an unrecoverable account.

So owners/users should still have an alternative way to log in like passwords or recovery seed for emergency cases.

Without a doubt those which have no problems with a private company having all their biometric information or that are not worried about such information getting leaked are free to use a service like that, however the issue is that now it seems passwords are not going to be an option in the future, when passwords have many advantages, not only they can be incredibly secure you can use a lot of them which means that if one account is compromised you only lose whatever was in that account and not everything as it will be the case with biometrics.

[Pomogator]

Despite of biometrics solutions being better than passwords, they are still vulnerable to theft of data, the biometric information can be stolen.
I'd rather an approach where people started to use universal small cryptographic devices which would work in a similar way Trezor T does to login through U2F, maybe even combine both approaches to harden the security of the accounts.

In the end, we can change our passwords but we cannot change our fingerprints, our iris or face so easily...

Indeed, it is enough that once your biometric data falls into the hands of scammers, and this is where your privacy will end. I'd rather change my password than give my biometrics to some scammer. And I'm not one of those people who put passwords like 12345 and so on. Crazy people. 

[mbe48]

I think it's Simple and secure by describing the Password Lock technology. A passkey increases your security by eliminating the need to store and use passwords. That's a good thing because passwords are notoriously insecure. Many people use phrases that are easy to remember and can be guessed easily. So what Apple has done is an incremental act of upgrading, then hackers will be harder to break into

[jackg]

I wonder how they plan to make the system secure against malware and similar attacks.

Isnt their system already secure enough? I havent read any news about Apple biometrics being hacked. I remember there were few cases when Apple added face id in 2017. But that these cases were exceptions and in most cases, people did not figure out till the end how system works and raised panic. Right now, Apple biometrics systems looks like most secure. If a user sets face ID security or a password, even Apple cant crack it.

I think there's less of an incentive to hack the current biometrics used though (unless you mean by bypassing them - and I think there are still vulnerabilities that are found in their login process, a 6 digit pin in fairly easy to crack though if you've got another device to host the bruteforce attack - I don't think it's possible to use biometrics as soon as you turn on most devices for example and with apple, you can't use biometrics if you've held down the power button for a long enough time to end up on the confirm shutdown screen).

Being able to get access to every account somenoe has is a lot more useful to an attacker than gaining biometric info.

[CryptocurencyKing]

What is wrong with these guys @Apple, that a user chooses what is secure for him or her and it happens to be 12344 or 123456789, what then is there concerns about it. Should they go "*÷€÷&fsjvcak÷*÷^:÷fdgebrova&"$×( only to forget it Immediately after they've created it? They ought to live users to decide what is convenient for them. Bes the know, they are offering the service and users makes use of it the way that suits best with them.

Biometrics isn't a 100% as there could be fowl play and some smarty pants will surely come up with ways to cheat the system which I think, would be all too easy compared to password combinations. Apple uses mainly passcode in place of password, they should ensure proper passwords that are supposed to be Alphanumeric.

[Hispo]

-snip-

-snip-

-snip-

Btw
Would you be okey using biometrics to lock-unlock your personal devices if your data were localy stored instead in custody of a big tech company?

_______________________________________________________________________________ _

-snip-

Privacy concerns aside, people would most likely use this feature simply because it's far easier to use and the fact that the typical person doesn't need to remember passwords. This is the main reason why these companies win a lot of users while privacy freaks are very low in population — simply because these companies know how to nail UI/UX.

That is part of the essence of human advance through history, after all: seeking comfort and ease. I'd dare to say that in the end, science and engineering ultimate goal is to put laws of the universe at the service of humanity to make our short lifespan as comfortable as possible, of course this is the ideal point of view, we know there are hidden interests and wishes for massive profits.

What i am trying to say is that Apple knows that anything that makes users lifes at least a lil bit easier has a high chance to succeed, even though, people ignore they are giving up part of their identity in exchange of saving a few seconds to type a password/use two factor authentication.

[jrrsparkles]

Biometric security actually sucks, recently I watched a video in the YouTube not sure about the device they used but it is recently launched and successful so probably Samsung if I am not wrong. While scanning the finger print in the first place we need to scan multiple times atleast 5 before setting up the finger print so they decided to scan five people's thumb for the one finger print but the result is five people managed to unlock the device with only one finger print setup.

So its less secure than passwords so don't go for it and I don't think they will enforce it completely to go with only biometric security system for their devices.

[NotATether]

...So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apples vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. To create a Passkey, just use Touch ID or Face ID to authenticate, and youre done, Adler said...

One word is enough to summarize this proposal: HA!

Attempting to replace passwords with fingerprints && facial recognition is never going to succeed, no matter who tries. There will always be a voiceforous population using the devices that will never consent to using these methods of authentication for privacy or usability reasons (e.g. what happens when you're wearing gloves during winter, or sunglasses), and since Apple is the one implementing this, it's guarranteed to fail because they never look beyond their own product ecosystem.

Maybe they get a few million people to use it, but nobody is going to be able to not only force websites to implement such an authentication BUT SIMULTANEOUSLY force users to change their passwords at the same time.

Talk about a fighter jet that's blown up before it even takes off...



You want true alternatives to passwords, at least for desktop logins? Then use an adapation of SSH, a proven method of authentication (no-one has ever been able to crack a 4096-bit RSA key yet). Adapt it by putting them on USB sticks, memory cards, and other portable media with a special filesystem. Then when the device is inserted into the computer, the OS automatically sees the private key, and mashes it against the public key and authenticates you.

For added security, use modifications of seed phrases or diceware as a secondary login method, where the user can input 8-12 words words from a fixed bank of 10,000 or so words that users are advised to write down and store in a safe place like a wallet (yes this will make this login method vulnerable to theft, but it makes the most prevalent method of break-ins - remote brute-forcing - impossible! )


Last method can be ported to mobile devices, and so can the first one if such a standard is adapted to authenticate using a Bluetooth private key authentication device as well! (Just hold the device anywhere near the lock screen while pressing a certain "Authenticate" button on the key device.)

[monineklutak]

I think it's Simple and secure by describing the Password Lock technology. A passkey increases your security by eliminating the need to store and use passwords. That's a good thing because passwords are notoriously insecure. Many people use phrases that are easy to remember and can be guessed easily. So what Apple has done is an incremental act of upgrading, then hackers will be harder to break into

What Apple has done we need to appreciate and indeed there have been many cases of security using compromised passwords,
sometimes when we use phrases that are difficult to guess, things like that still happen because hackers are also very skilled at doing that

[noorman0]

What makes Apple customers confident that they can even protect themselves? especially when they are carrying their device in a semi-conscious state due to the influence of drugs and alcohol at a party, biometrics are even easier to hack imo. Instead of learning hacking techniques, you just need to learn basic pharmacy science to anesthetize Apple users.

Now with AI technology can replicate a person's face that is close to the original.

[kryptqnick]

I don't like and don't use Apple, but I think decisions like this should be based on the desires of users. Do the majority of users support the switch to biometrics?
I personally tend to use passwords and find it a bit unsettling when my own body is used to open things, apps and stuff like that. Also, from fingerprint lock on the phone, I know that it often doesn't read well, and it can be annoying when you need access to something but the fingerprint is read incorrectly many times. Not to mention that yes, there's plenty of hardware that doesn't have fingerprint support, so it's very elitist, like Apple always is.

[Rikafip]

Attempting to replace passwords with fingerprints && facial recognition is never going to succeed, no matter who tries. There will always be a voiceforous population using the devices that will never consent to using these methods of authentication for privacy or usability reasons (e.g. what happens when you're wearing gloves during winter, or sunglasses), and since Apple is the one implementing this, it's guarranteed to fail because they never look beyond their own product ecosystem.

Hah, I wish I share your optimism. The one thing I know about people is that majority will always choose convenience over safety and I already see people all around me using fingerprint scanner instead passwords whenever they can, and the only reason why it hasn't spread more is because its mostly reserved to more expensive mobile phones&laptops  and other tech but soon enough it will spread to lower end and then everyone will use it.

Maybe they get a few million people to use it, but nobody is going to be able to not only force websites to implement such an authentication BUT SIMULTANEOUSLY force users to change their passwords at the same time.

These things don't happen overnight, they are playing the long game.

[Marvell1]

I don't like and don't use Apple, but I think decisions like this should be based on the desires of users. Do the majority of users support the switch to biometrics?
I personally tend to use passwords and find it a bit unsettling when my own body is used to open things, apps and stuff like that. Also, from fingerprint lock on the phone, I know that it often doesn't read well, and it can be annoying when you need access to something but the fingerprint is read incorrectly many times. Not to mention that yes, there's plenty of hardware that doesn't have fingerprint support, so it's very elitist, like Apple always is.

I am using some apple products, it really gives a better experience than others. But I agree with the tendency to use passwords like you do, using fingerprint lock or face recognition is really convenient and fast for users. But I feel there is too much risk when someone attacks and hijacks our phones, they don't need to ask for a password, just a few simple steps of putting the phone on our face, they have can be unlocked easily. I am using an old iphone with fingerprint lock function but for the most part I prefer to use passwords for my important apps.

[teosanru]

With improving technology each day I am sure they will improve and will be in a state where they give zero errors. However I feel there is a bigger threat with biometrics kicking in which is sensitivity of our data. This is giving our facial metrics info and fingerprint scans to a private body, who we don't know what will do with this data point? Today it's not that difficult to fabricate a false fingerprint On a crime scene but I am pretty sure same won't be the case 10 years from now.

[Gyfts]

Governments can get a warrant through the judicial system and physically force you to give up your thumb print to unlock a device. Face ID would work the same way. They're not safe for the user.

I wonder how they plan to make the system secure against malware and similar attacks. I'd assume maybe a separate chip would be the best way to go with this but that might eat into their profits so they'll probably find a way that's less secure but still robust against attackers (eg a space away from where a normal user or app would be able to access).

I'd be surprised if this hasn't already been attempted or already been done with this already, I think this technology could be made more secure if an nfc card was also used to offer an extra key to decrypt the password database (eg the main encryption key as you won't get much with that alone - they can also likely already be made more secure as bank cards have already had to be).

Apple invests a ton into cybersecurity R&D but no system is impenetrable. Biometrics being stored locally isn't enough if someone were to get hold of the device (ie law enforcement) and bypass any security measures. I wouldn't be concerned about the ordinary person who doesn't have the resources to bypass Apple's own security measures -- law enforcement could probably seek legal avenues to have biometrics scrapped from the device, forcing Apple to cooperate.

[Cryptock]

Apple invests a ton into cybersecurity R&D but no system is impenetrable. Biometrics being stored locally isn't enough if someone were to get hold of the device (ie law enforcement) and bypass any security measures. I wouldn't be concerned about the ordinary person who doesn't have the resources to bypass Apple's own security measures -- law enforcement could probably seek legal avenues to have biometrics scrapped from the device, forcing Apple to cooperate.

These technical inventions are good but than to implement them globally is not an easy task. My office started a project of an app - that was huge problem implementing it in other country because of the change in the systems. Maybe in near future this issue will get resolved but not in the near future.

[paxmao]

So, if I want to share my password with someone I would need to cut my head or fingers and pass it over? 

Biometrics is considered as of now slightly less secure than other methods of protection, I would not like to loose my user / pass access, old style, that, until now, has given me zero problems other than an occasional need to reset the passwords and the like.

[mm2543363580]

So, if I want to share my password with someone I would need to cut my head or fingers and pass it over? 

Biometrics is considered as of now slightly less secure than other methods of protection, I would not like to loose my user / pass access, old style, that, until now, has given me zero problems other than an occasional need to reset the passwords and the like.

If apple makes it a rule - than obviously people will do it.
But I am not sure why would they want to go to biometric since that might not be possible for the other regions. However may be in coming future they manage to do it.