Security news that informs and inspires

Apple Enables Third-Party Management for Passkeys

Apple is adding some new security and privacy features to its major operating systems, including the ability for third-party providers such as password managers to sync and manage passkeys across multiple devices.

In its announcements during the Worldwide Developer Conference Monday, Apple revealed plans for a number of new features and functions designed to upgrade the security of devices and protect the data of users. The changes will roll out gradually in the next few months through updates to macOS, iOS, and the other operating systems. The update that likely will have the biggest effect for enterprises is the change to the way passkeys are handled throughout the Apple ecosystem.

Apple has had support for passkeys in iOS for about nine months now, and passkeys work on macOS, as well. The upcoming change will make it simpler for people in an organization to share passkeys and passwords securely.

“For easier and more secure password and passkey sharing, users can create a group to share a set of passwords, and everyone in the group can add and edit passwords to keep them up to date. Since sharing is through iCloud Keychain, it is end-to-end encrypted. Additionally, one-time verification codes received in Mail will now automatically autofill in Safari, making it easy to securely log in without leaving the browser,” Apple said in its announcement.

Passkeys use the WebAuthn standard for authentication and are generally tied to a specific device and linked to the biometric mechanism the owner uses to unlock the device. So on an iPhone, that would be Face ID, and on a Mac it would be the fingerprint sensor. Each passkey is stored locally on the specific device and users who employ them no longer need to enter passwords for whatever accounts and services the passkey is enabled for. Last month, Google enabled passkeys for account login across its main services, and Microsoft has announced support for the technology, as well.

“Since signing in with passkeys uses AutoFill and Face ID or Touch ID for biometric verification, the transition to passkeys is seamless. This lets people use passkeys alongside passwords, so you don’t need to adjust your sign-in page based on credential type. You’ll use the new Authentication Services API to add passkeys, creating sign-in flows that are familiar to users,” Apple said.

Among the other updates Apple is making is a change to the way that apps handle trackers embedded in URLs. Some Apple apps will now strip tracking information from URLs when users share them in order to prevent cross-site tracking.

“Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing,” Apple said.

The new changes will be available in software updates within the next few months.