About the security of passkeys - Apple Support (2024)

Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.

Passkeys are a replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure. Passkeys are a standards-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use, and work across all of your Apple devices, and even non-Apple devices within physical proximity.

Credential security

Passkeys are built on the Web Authentication (or "WebAuthn") standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.

Synchronization security

Passkeys were designed to be convenient and accessible from all devices used on a regular basis. Passkeys sync across a user's devices using iCloud Keychain.

iCloud Keychain is end-to-end encrypted with strong cryptographic keys that are not known to Apple, is rate limited to help prevent brute-force attacks even from a privileged position on the cloud backend, and is recoverable even if the user loses all their devices.

Apple designed iCloud Keychain and keychain recovery so that a user's passkeys and passwords are still protected under the following conditions:

  • A user's Apple ID account used with iCloud is compromised

  • iCloud is compromised by an external attack or an employee

  • A third party accesses user accounts

Protections on accessing Apple ID account

To protect against unauthorized access, any Apple ID using iCloud Keychain requires two-factor authentication. If a user attempts to register a new passkey and does not have two-factor authentication set up, they will be automatically prompted to set up two-factor authentication.

To sign in for the first time on any new device, two pieces of information are required—the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number.

Learn more about two-factor authentication

Protections on accessing iCloud Keychain

An additional layer of protection is in place to protect against a rogue device getting access to a user's iCloud Keychain. When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself consisting of a unique key pair stored in the device's keychain.

New devices, as they sign in to iCloud, join the iCloud Keychain syncing circle in one of two ways:

  • By pairing with and being sponsored by an existing iCloud Keychain device; or

  • By using iCloud Keychain recovery.

Recovery security

Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud Keychain escrow, which is also protected against brute-force attacks, even by Apple.

iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user's keychain is encrypted using a strong passcode, and the escrow service provides a copy of the keychain only if a strict set of conditions is met.

To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.

Optionally, a user can set up an account recovery contact to make sure that they always have access to their account, even if they forget their Apple ID password or device passcode.

Learn how to set up an account recovery contact

Learn more

Learn more about Apple ID security and iCloud Keychain security in the Platform Security Guide


FAQs

How secure is Apple passkey?

You can create and save passkeys to replace the passwords you use to sign in to supported apps and websites on your iPhone. Passkeys are more secure than passwords, because they're uniquely generated for every account by your own device, and are less vulnerable to phishing.

Does the Apple account support passkeys?

On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website.

How do I turn on Apple passkeys?

Set up iCloud Keychain

If you didn't turn on iCloud Keychain when you first set up your iPhone, go to Settings > [your name] > iCloud > Passwords and Keychain, turn on iCloud Keychain, then follow the onscreen instructions.

Are Apple passkeys available now?

Streamlined sign-in, without passwords

Because passkeys are synced with iCloud Keychain, they're available across Apple devices. You can even use your iPhone to sign in to apps and websites on non-Apple devices.

What is the downside of passkeys?

Many websites haven't adopted passkeys, meaning traditional passwords remain necessary. Additionally, passkey compatibility is limited to modern devices with the latest operating systems. This leaves users of older devices at a disadvantage, as their technology may never be updated to support passkeys.

Can a passkey be hacked?

If someone gets your device, they can't do anything with your passkey. And if you lose your old device containing your passkey, you can easily create a new passkey on your new device.

What happens to passkeys when you lose your phone?

What happens if a user loses their device? Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means users' passkeys go with them when they replace their devices.

Will passkeys replace passwords?

Notably, the era of traditional passwords is coming to an end and organizations are increasingly recognizing the need for more secure and user-friendly authentication methods. Passkeys offer a promising alternative to passwords, providing enhanced security and usability for users.

Is a passkey safer than a password?

Are Passkeys More Secure Than Passwords? Yes, passkeys are more secure than passwords. This is not only because passkeys are phishing-resistant, but they are also error-proof. When users generate a passkey, they can't make mistakes like they do with passwords.

Will banks use passkeys?

Passkeys can be physical, for example taking the form of a USB device or smart card. One organisation using this method is Barclays, who provide their banking customers with a card reader that generates a unique passkey each time they try to log in, or to carry out key tasks within their account.

Are Apple passkeys safe?

Passkeys—developed by Apple, Google, Microsoft, and others—are an alternative to passwords, and they provide robust protection against phishing attacks and website breaches. The launch of passkeys for Google accounts is the latest step to improving safety on digital accounts and ownership of your personal information.

Does Apple ID support passkeys?

Each passkey is stored in iCloud Keychain, so they're available on all devices where you're signed in with your Apple ID (iOS 16, iPadOS 16, or macOS 13 required).

Can passkeys be stolen?

Passkeys also can't be stolen in a data breach. Only the public key is stored on an app or website's server, and it's useless without the corresponding private key. Without physical access to your device (and a way to unlock it), no one can log in to your passkey-protected accounts.

Are passkeys more secure than 2FA?

Yes, passkeys are more secure than traditional 2FA methods because they remove passwords (which are susceptible to password-related attacks), are phishing-resistant, and support 2FA by design.

Are passkeys simply a secure alternative to a password?

Passkeys are a safer and easier alternative to passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.

How secure is Apple's keychain?

The iCloud Keychain is secure from outside attack. It uses advanced encryption to keep your data secure, and Apple is open about how it encrypts your data and when (though the code itself is not open source, as we'll explain below). As for privacy, Apple can't see your Keychain data.

Article information

Author: Reed Wilderman