On the security of public key

The passkey is an alternative form of password. The passkey is faster to log in, simpler to use, and greatly improved in security.

The passkey is an alternative form of password, which aims to provide a more secure and fast password free login experience for various websites and apps. Unlike passwords, public key is a standards based technology. It can resist phishing, has excellent security all the time, and avoids confidential sharing from the design. It simplifies the account registration process of various apps and websites, is easy to use, and is applicable to all Apple devices, even non Apple devices within a close range.

Credential security

The passkey is constructed based on the WebAuthentication (or "WebAuthn") standard, which uses the public key encryption algorithm. During account registration, the operating system will create a unique encryption key pair to associate with the account of the App or website. These keys are generated separately by the device for each account, and are secure and unique.

One of the keys is the public key, which is stored on the server. This public key is not confidential. The other key is a private key, which needs to be used during actual login. The server never explores what the private key is. On Apple devices equipped with touch ID or face ID, users can authorize the use of the passkey through touch ID or face ID, and then the passkey will be used to authenticate to the app or website. This process does not transmit shared secrets, and the server does not need to protect the public key. This makes the public key a very powerful, easy to use certificate that can effectively resist phishing. In addition, all platform suppliers who join the FIDO alliance work together to ensure that the implementation scheme of the passkey is compatible with all platforms and can be used on as many devices as possible.

Security in synchronization

The passkey is designed with the convenience of use in mind, and can be accessed through all devices in daily use. The passkey uses iCloud keychain to synchronize user devices.

The iCloud keychain uses a high security encryption key that even Apple does not know for end-to-end encryption. At the same time, it sets a speed limit to help defend against violent attacks, even if these attacks come from privileged locations on the back end of the cloud. In addition, even if the user loses all devices, the key can be recovered.

Apple has specially designed iCloud keychain and keychain recovery functions, and users' access keys and passwords will still be protected even under the following circumstances:

  • The user's Apple ID account used with iCloud is stolen

  • ICloud is attacked externally or invaded by Apple employees

  • Third party access to user accounts

Access protection for Apple ID accounts

In order to prevent unauthorized access, any Apple ID using iCloud keychain needs to enable dual authentication. If the user attempts to register a new passkey but does not set dual authentication, the system will automatically prompt the user to set dual authentication.

When logging in to any new device for the first time, the user needs to provide two pieces of information: Apple ID password and six digit verification code. The verification code is displayed on the user's trusted device or the trusted phone number sent to the user.

Learn more about dual certification

Access protection to iCloud keychain

We have added an additional layer of protection to prevent illegal devices from accessing users' iCloud keychains. When users enable iCloud keychain for the first time, the device will establish a trust circle and create a synchronization ID for itself. This identification consists of a unique key pair stored in the device key chain.

When a new device logs in to iCloud, it can join the iCloud keychain synchronization ring in one of the following two ways:

  • Pair with an existing iCloud keychain device and send a request through this device; perhaps

  • Use iCloud keychain recovery function.

Security for recovery

In case of loss of a certain device, as an alternative, it can be easily recovered through public key synchronization. However, even if all associated devices are lost, the passkey can be recovered, which is also very important. The passkey can be passed through ICloud Keychain Hosting Was restored. This way can also defend against violent attacks, even if such attacks come from Apple.

ICloud keychain stores the user's keychain data in Apple, but does not allow Apple to read the passwords and other data contained therein. The user's key string is encrypted with a strong password. The escrow service will only provide a copy of the key chain if a series of strict conditions are met.

To restore the keychain, users must use their iCloud account and password to authenticate their identity and reply to the SMS sent to their registered phone number. After completing the authentication and replying to the SMS, the user must enter the device lock screen password. IOS, iPadOS and macOS only allow 10 identity authentication attempts. After several failed attempts, the record will be locked, and users must call Apple support to get more attempts. After the tenth attempt fails, the hosting record will be destroyed.

Users can choose to set account recovery contacts to ensure that they can always access their own accounts, even if they forget their Apple ID password or device lock screen password.

Learn how to set up account recovery contacts

Learn more

Learn more about Apple ID security and iCloud keychain security in the platform security guide

Date of issue: