Passwords are a major security problem and many players in the market are working to find a universal solution so that in the future we can log in to different sites as easily as today but without the inherent security flaws.
Apple is one of these, and in iOS 15 and macOS Monterey the company is starting to introduce what it calls “passkeys in iCloud Keychain”. It is a new implementation of the WebAuthn standard, which is already used, for example, to log in with a hardware key.
WebAuthn does not rely on shared secrets such as passwords. Instead it uses asymmetric encryption, where messages are encrypted with one of two keys and can only be decrypted by the other.
Your device creates a key pair when you create an account (or upgrade its security from a password to WebAuthn), sends one key, the public key, to the server, and keeps the other, the private key. When you later log in, the server and your device exchange a series of messages that authenticate you securely and also guarantee that the server is genuine and not part of a phishing attempt.
So far, it works just like on hardware keys. The difference is that the private keys are stored encrypted in the iCloud keychain and synced between all your Apple devices. This means that you do not have to worry about losing access to some accounts if, for example, a device is stolen. It also means that security on the internet is much higher, because servers no longer store any secrets, only public keys.
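The login exchange described above can be sketched as follows. This is an added example, not Apple's code or the WebAuthn wire format: it is a simplified model in which the device signs the server's fresh challenge together with the origin the browser actually sees, and the server verifies it with the stored public key. All function names, `example.com` and the lookalike host are assumptions made for illustration.

```javascript
// Simplified model of a WebAuthn registration and login (added example).
// Real WebAuthn uses CBOR/COSE encodings and more fields; all names are hypothetical.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Device: create the key pair. The private key stays on the device (or in the keychain).
function createPasskey(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device: the browser, not the page, records the origin it is actually talking to.
function deviceSign(passkey, challenge, origin) {
  const host = new URL(origin).hostname;
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authData = sha256(passkey.rpId); // rpIdHash only; flags and counter omitted
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientData)]), passkey.privateKey);
  return { clientData, authData, signature };
}

// Server: holds only the public key; checks challenge, origin and signature.
function serverVerify(account, expectedChallenge, assertion) {
  if (!assertion) return false;
  const cd = JSON.parse(assertion.clientData.toString());
  if (cd.type !== 'webauthn.get') return false;
  if (cd.challenge !== expectedChallenge.toString('base64url')) return false; // stale or replayed
  if (cd.origin !== account.origin) return false; // signed for another site
  if (!assertion.authData.equals(sha256(account.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return verify('sha256', signed, account.publicKey, assertion.signature);
}

// Constructed scenario: example.com is the real site, the lookalike host is made up.
function demo() {
  const passkey = createPasskey('example.com');
  const account = { rpId: 'example.com', origin: 'https://example.com', publicKey: passkey.publicKey };
  const challenge = randomBytes(32); // fresh per login
  const ok = deviceSign(passkey, challenge, 'https://example.com');
  return {
    genuine: serverVerify(account, challenge, ok),
    replayed: serverVerify(account, randomBytes(32), ok),
    lookalike: serverVerify(account, challenge, deviceSign(passkey, challenge, 'https://example.com.login.test')),
  };
}

console.log(demo());
```

The server-side record in `account` contains nothing secret, so a leaked copy of it does not let anyone log in.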
Apple goes through the news in a WWDC session. To begin with, this is a trial version for developers that must be enabled in the settings, but if all goes well, it may be included for everyone in iOS 16 and macOS 13 by the end of 2022.