Q&A with the passkeys team – Discover
Get ready for a world without passwords.
Passkeys are a replacement for passwords, offering a faster, easier, and more secure sign-in experience for your apps and websites. They’re strong, resistant to phishing, and designed to work across Apple devices and nearby non-Apple devices. Best of all, there’s nothing for people to create, guard, or remember.
To help explain how to implement passkeys, the Apple privacy and security team hosted a Q&A to answer common questions about device support, use cases, account recovery, and more. Here are some highlights from that conversation.
How do passkeys work?
Passkeys are based on public key cryptography, which pairs a private key saved on a device with a public key sent to a web server. When someone signs in to an account, their device uses the private key to sign a challenge, and your app or website verifies that signature with the matching public key. The private key never leaves their device, so apps and websites never have access to it — and can’t lose it or reveal it in a hacking or phishing attempt. There’s nothing secret about the public key; it offers no access to anything until paired with the private key.
Which devices support passkeys?
Passkeys work on devices running a minimum of iOS 16 on iPhone 8; iPadOS 16 on iPad 5th generation, iPad mini 5th generation, iPad Air 3rd generation, all iPad Pro models that offer Touch ID or Face ID; macOS Ventura; and tvOS 16. Passkeys are also supported in Safari 16 on macOS Monterey and Big Sur.
When Touch ID or Face ID can’t be used, people can enter their device passcode or system password to authenticate passkey credentials.
How do I adopt passkeys?
The first step is to adopt WebAuthn on your back-end server and add our platform-specific API to your app. Take a deeper dive into next steps by watching the video below.
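As an added example, not Apple's code or anything from this page, here is what the sign-in half of "adopt WebAuthn on your back-end server" comes down to, in Go with only the standard library, together with a stand-in for the device's signing step so it runs offline. The RP ID, origin, challenge bytes and clientDataJSON layout are constructed assumptions; a real relying party additionally parses the registration response to obtain the public key and persists the signature counter, both omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// newPasskey makes the P-256 key pair: the private half stays on the device, only the public half is registered.
func newPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signedDigest is what the signature covers on both sides: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// signAssertion stands in for the device: it builds authenticatorData (RP ID hash, flags,
// counter) and clientDataJSON for the origin the browser is actually on, then signs them.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (authData, clientJSON, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 0) // flags byte: user present (UP) set; 4-byte signature counter
	clientJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientJSON))
	return
}
// verifyAssertion is the relying party's side. The origin check is the phishing resistance the
// article describes: a lookalike site produces a different origin, so its response fails here.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, clientJSON, sig []byte) error {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	switch err := json.Unmarshal(clientJSON, &cd); {
	case err != nil:
		return err
	case cd["type"] != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: stale or replayed response")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: response was produced for another site")
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0:
		return errors.New("authenticator data not bound to this RP ID, or user presence not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, clientJSON), sig):
		return errors.New("signature does not verify with the registered public key")
	}
	return nil
}
```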
What happens if a device is lost or stolen?
Data remains safe. Passkeys are end-to-end encrypted through iCloud Keychain and require biometrics, such as Face ID or Touch ID, or the device passcode to decrypt them. Without these, passkeys remain securely stored on the lost device. For extra peace of mind, you can always remotely wipe your device with Find My.
What does account recovery look like for someone who’s only ever signed in with a passkey?
The recovery method is independent of the authentication mechanism. Apps and websites are welcome to maintain the same recovery methods they use today (such as sending a link in an email to create a new passkey). Recovery will likely be a much less common scenario with passkeys, which are saved by the device. There’s nothing for a human to forget.
Can someone have multiple passkeys for my app; for instance, passkeys generated from multiple devices?
Yes, someone can have one passkey per account per platform. In the special case that someone has more than one account for an app, they’ll have discrete passkeys for each account too.
What’s the difference between passkeys and multifactor authentication?
Multifactor authentication adds layers of security on top of an existing password, but generally still leaves the possibility of phishing. Since passkeys eliminate the most pressing problems with passwords and are resistant to phishing, additional user-visible steps aren’t needed.
Is it possible to use an email address as the visible account identifier instead of a username?
Yes, it’s definitely possible. Our videos and documentation use usernames and email addresses as examples. Nothing about account identifiers has to change.
Connecting to a service with passkeys