How Apple’s passkeys just brought us one step closer to a passwordless internet

July 13, 2022

Author: Reed McGinley-Stempel

Stytch was founded with the mission of eliminating friction on the internet. The first major source of friction we’ve tackled? Password-based authentication.

We’ve consistently highlighted the many ways passwords contribute to database hacks and account breaches — not to mention the friction and frustration they cause for users, who are forced to memorize dozens (if not hundreds) of passwords and often end up abandoning login flows because of forgotten or mistaken credentials.

Now, we’ve picked up a major ally in our push for a passwordless, frictionless internet. Last month, Apple announced their new passkeys feature, a next-gen approach to authentication that’s set to launch with iOS 16 and macOS Ventura this fall. 

Apple’s passkeys log users in via biometric factors like Touch ID and Face ID rather than through conventional passwords, and they’re a major leap forward when it comes to making fully biometrics-based (that is to say, fully passwordless) auth not only familiar but mainstream.

In this post, we explain where passkeys fit in Apple’s wider trajectory of innovation, how they work, and why they’re a big deal for the future of authentication.

A brief history of Apple’s innovations in authentication

Over the past decade or so, Apple has consistently been at the vanguard of passwordless authentication across web and mobile devices. Among other groundbreaking moves:

  • In 2013, Apple released the first widely available biometric login with Touch ID, allowing users to authenticate into the iPhone 5 via fingerprint.
  • In 2016, Apple expanded biometric auth options from mobile devices to laptops, building Touch ID logins into the MacBook Pro.
  • In 2017, Apple introduced Face ID, a biometric auth factor allowing users to scan their facial features to log in to iPhones and iOS applications.

In 2022, it’s all about passkeys, building biometrics like Touch ID and Face ID into every online interaction and across every device.

What’s new?

From the above timeline, it’s clear biometrics have been around for a while — so you may be wondering why they haven’t already become the default for authentication.

The main reason has to do with UX shortcomings of current solutions on the market. Historically, biometric solutions like Touch ID and Face ID have been stored locally on a mobile device or laptop, making it impossible to transfer their login data across platforms.

For example, if a user signed up for an app on their iPhone but then wanted to log in to the same app on a different phone — or on their MacBook — they’d need to undergo a separate verification method (like a username and password or an email magic link) to gain access.

That’s why, even though biometrics are instant, easy, and totally secure, they’ve typically been relegated to serving as a secondary factor in a two-factor authentication flow (2FA).

In an ideal auth world, biometrics would be transferable across devices. A user would be able to sign up for an app on their phone using Face ID, log in on their laptop using Touch ID, and have each system recognize them as the same user. Well, that’s where passkeys come in.

How passkeys work

Passkeys back up the cryptographic key containing a user’s biometric data to their iCloud account, which is already logged in on each connected device. 

It may feel like the biometric readers inspecting a user’s fingerprints or facial features have been magically replicated on their phone, tablet, and computer — but really, their iCloud account is simply syncing the cryptographic keys that power those device-level biometric attestations. Part of the magic of this approach to leveraging synced cryptographic keys is that biometric data is never actually stored in iCloud. So, users can verify their identity and log in without having to worry about who has access to their biometric data.

In short, passkeys make biometrics more practical and portable by rendering them interoperable. 

That is, passkeys still rely on a “something you are” authentication factor — but they recognize that you’re still you no matter where you go or what device you pick up.
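The flow this section describes, as an added example that is not from the original post and is not Apple's implementation: a simplified model (not the WebAuthn wire format) in which the service stores only a public key, the synced private key signs a fresh challenge after a local biometric check, and both devices are recognized as the same user. The class names, the `https://app.example` origin, the `alice` account, the `syncTo` helper and the boolean standing in for Touch ID / Face ID are assumptions made for illustration.

```javascript
// Added illustration: a simplified passkey model, not the WebAuthn wire format.
const crypto = require('crypto');
// Service side: stores one public key per user and never sees biometric data.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {                            // single use, bound to this user
    this.pending.set(user, crypto.randomBytes(32).toString('hex'));
    return this.pending.get(user);
  }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                    // consumed: a replay finds nothing
    const publicKey = this.users.get(user);
    if (!challenge || !publicKey || !assertion) return false;
    const signed = Buffer.from(`${this.origin}|${challenge}`);
    return crypto.verify('sha256', signed, publicKey, assertion.signature);
  }
}
// Device side: signs only after a local check (boolean stands in for Touch ID / Face ID).
class Device {
  constructor() { this.keychain = new Map(); }
  createPasskey(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keychain.set(origin, privateKey.export({ type: 'pkcs8', format: 'pem' }));
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  syncTo(other) { for (const [o, k] of this.keychain) other.keychain.set(o, k); } // hypothetical sync
  sign(origin, challenge, biometricOk) {
    const key = this.keychain.get(origin);
    if (!biometricOk || !key) return null;        // no local match, no signature
    return { signature: crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), key) };
  }
}

function demo() {
  const rp = new RelyingParty('https://app.example');
  const phone = new Device(), laptop = new Device();
  rp.register('alice', phone.createPasskey(rp.origin));   // sign-up on the phone
  phone.syncTo(laptop);                                   // key reaches the laptop
  const login = (dev, ok) => dev.sign(rp.origin, rp.newChallenge('alice'), ok);
  const onPhone = rp.verify('alice', login(phone, true));
  const assertion = login(laptop, true);
  const onLaptop = rp.verify('alice', assertion);
  const replay = rp.verify('alice', assertion);           // challenge already consumed
  const noBiometric = rp.verify('alice', login(laptop, false));
  return { onPhone, onLaptop, replay, noBiometric };
}
console.log(demo());
```

The service accepts logins from both devices against the single registered public key, while a reused assertion and a failed local biometric check are both rejected.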

Where does Stytch come in?

We’re thrilled Apple is adding an original, sophisticated passwordless auth method to the market, and we’re excited to offer passkeys through our platform as an integral part of our product suite.

Stytch is all about giving developers and end users (great) options and making them quick and easy to integrate. Apple passkeys are a huge step forward for our mission of eliminating friction on the internet — and doing it in a way that’s intuitive, effortless, and secure.

While passkeys will have a significant impact on how users authenticate online — similar to how Apple Pay impacted online payments — they alone won’t solve all of our authentication needs. 

For instance, even though Apple Pay improved the user experience for online payments, businesses still need to provide multiple payment options at checkout to allow users to choose their preferred method. Passkeys’ impact on authentication will be similar — it will improve the authentication experience for most users, but other methods (like email verification, OAuth logins, and passwords) and tooling (like session and user management and 2FA) will persist.

That’s where Stytch comes in. Stytch helps companies support compelling new technologies like passkeys — while also meeting the rest of your users where they are through our full suite of authentication solutions.

Learn more

Stytch’s auth experts are always on hand to walk you through our modern, passwordless solutions and help you embed them seamlessly into your product.

If you’re ready to get up and running, sign up for a free account today to explore our product suite and get in touch with a member of our team.
