Apple Passkeys: No Panacea for User Device Security
Passwords fail in the digital world, with users notoriously reliant on easy-to-guess codes that can be hacked in seconds, says Jeannie Warner, director of product marketing at Exabeam.
Apple’s introduction of Passkeys enables a unique credential on every Apple device that requires biometric authentication to access it. However, technical and security challenges still exist with the nature and execution of passkeys, and companies may need to navigate the ethical issues that come with collecting user biometric data at scale.
When Apple released iOS 16, the company introduced a new feature called Passkeys. Apple’s Passkeys is a new two-factor authentication method designed to replace user passwords, providing a better user experience and improving device security. Passkeys store a unique user credential on each Apple device that requires biometric authentication, such as a fingerprint or facial image, to access it. iCloud syncs credentials across Apple users, making it easy for consumers to sign in to apps and digital services, and providing a consistent experience across smartphones, tablets, watches and more.
Are passkeys the solution to consumer device security problems?
At first glance, Apple Passkeys sounds like an intuitive way to improve your device’s security. After all, passwords are a manual, user-generated solution that fails in a digital world. Users are known to reuse passwords and create easy-to-guess codes that can be hacked in seconds. Even IT admins are guilty of this behavior, or worse, of never resetting default device passwords such as “default” and “admin”. That’s why so many digital services now force the creation of complex passwords and notify users when they expire. As a result, passkeys seem like an improvement on poor user security practices.
In addition, passkeys streamline users’ ability to access their devices, apps, and websites. There’s no need to remember and log in with clumsy passwords, constantly reset them due to wrong guesses, or create new ones when prompted every 60 to 90 days. Users will enjoy their streamlined access to devices and enhanced security with Apple Passkeys.
But Apple Passkeys is just one of the solutions the technology industry needs to strengthen device and user security. Technical and security challenges still exist with the nature and execution of passkeys, and companies may need to navigate the ethical issues that come with collecting user biometric data at scale.
Five challenges of using Apple’s biometric-based passkeys
First, Apple’s in-house approach to innovation means its services and devices don’t necessarily play well with other operating systems. Thus, users with Apple, Microsoft, Google and other devices may have challenges using Apple Passkeys across all of these platforms. This challenge could easily be solved with a new passkey subscription service, which is probably already on Apple’s launch list for a future date.
Next, large marketplaces and website operators will face a dilemma when receiving push notifications from Apple devices. Do they store and cross-reference user biometric data? In that case, personal user data will now be widely used and stored by several digital services. Or do these companies blindly accept passwordless commands and send private data when asked? Both approaches increase user security risks, and consumers are powerless to protect this deeply personal data from being replicated and stored across services.
The use and storage of biometric data for authentication also opens the door to larger cyberattacks and abuses by nation-states. Cyber attackers have already demonstrated that they can spoof or clone push notifications from already accepted user devices. And if this happens, users can’t re-secure a compromised passkey login because their biometric data can’t be changed.
Government actors can utilize Passkeys in two ways. They will use backward-compatible tokens and push commands to force digital services to authenticate them. Attackers are likely to target data-rich environments, such as financial services and healthcare, to commit fraud and build rich user profiles that can be exploited in other ways. Cyber attackers who can penetrate the systems used to store biometric data at large companies can exfiltrate and use the unique identifiers of millions or even billions of people. Imagine a massive attack on a large bank or brokerage house: it is within the realm of possibility.
Some nation-states may also pressure Apple and other companies to provide biometric data so they can monitor the public and track dissidents and troublemakers. In a disturbing real-world example of how this could play out, US and coalition forces gathered millions of fingerprints, iris scans and facial images of Afghan people to track and identify them, data that the Taliban is exploiting after the American departure from that country.
In a bonus scenario: I’m a klutz. If I fall and face-plant on the pavement and scratch my fingers, will the passkey still recognize my face and fingerprint? (The fingerprint problem is already one I have with my phone, and why I always lock my phone to a passcode when I get on and off planes.)
Why password managers are a better solution than passkeys
In sum, Apple’s desire to improve user security is commendable, but passkeys are the wrong approach at the consumer scale. Biometric data is deeply sensitive and should only be collected as needed by government organizations for activities such as applying for top-secret agency jobs or fostering or adopting children.
To access digital services and devices, password managers are a better approach. They force users to create highly secure passwords or generate them automatically. User credentials are stored in a digital vault, protected by encryption methods such as the Advanced Encryption Standard (AES). Those protected with AES-256 benefit from military-grade encryption.
So users, keep biometric data where it belongs, under your control. Say no to Apple Passkeys. Instead, consider password managers to streamline access to your Apple devices while keeping your credentials secure and under your control.