Passkey Adoption is Too Slow

We recently hit a milestone in the world of digital security: 200 companies are now using passkeys instead of traditional password systems. It’s progress, sure, but to me, it’s not exactly fireworks-worthy. Frankly, it feels like we should be much further along.

I’ve heard from many in my audience — a group of smart, tech-savvy folks — and yet, there’s hesitation. People are leery about passkeys. The idea of leaving behind the trusty (if flawed) username and password combo still feels risky to some. That’s understandable; we’re in a strange transitional phase where trust in the new system is still being earned, and the old system isn’t quite dead yet.

Right now, a lot of companies are hedging their bets. They implement passkeys but keep the traditional username and password system alive “just in case.” While that might sound like a good compromise, it actually introduces new risks. Let me explain.

When a site offers both options, it creates a tempting target for bad actors. Imagine this: You try to log in with your shiny new passkey, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just handed over your credentials to the bad guys.

By maintaining the old system alongside the new one, we’re essentially giving attackers two doors to try. It’s like installing a state-of-the-art security system but leaving the back door unlocked “just in case.”

Then there’s the trend of bypassing passwords entirely in favor of email-based authentication. At first glance, it seems simple and clever: “Just click the link we emailed you.” But email isn’t exactly a fortress of security. If someone compromises your email account, they’ve got the keys to the kingdom.

This trend feels like a half-step solution. It’s better than nothing, but it’s not the robust answer we need in the long term.

Passkeys, when implemented correctly, are a huge leap forward. They’re designed to be more secure and easier to use. They’re phishing-resistant, for one thing. A hacker can’t trick you into handing over a passkey the way they can a password. And they take advantage of the biometric and secure enclave tech built into our devices, which is vastly more secure than anything we’ve relied on before.

We’re in this awkward adolescence of digital security. But getting to the point where passkeys are the norm will take a concerted effort. Companies need to be all-in, not straddling the line. Users need better education about how passkeys work and why they’re safer. And the tech industry as a whole needs to push forward faster.

Right now, everything about passwords and passkeys feels a little brittle. The sooner we can move to a world where passkeys are ubiquitous and properly implemented, the better off we’ll all be. Until then, stay vigilant, stay informed, and don’t forget to lock the back door.

Apple Claps Back

Those Terrible Passwords Aren’t Getting Any Better

NordVPN recently released its annual list of commonly used passwords, and (surprise, surprise!) not much has changed. What’s truly baffling is how many folks still rely on this digital equivalent of leaving their front door wide open. The most common password is “123456,” but fear not, “password” is still in there at number four.

If you’re reading MacSparky, you probably already use a password manager and strong, unique passwords. But if you know someone who doesn’t, please share this with them. Their accounts are far more vulnerable than they realize.

And there’s no excuse anymore. Apple users don’t even need a third-party solution: The built-in Passwords app, available starting with macOS 15 (Sequoia) and iOS 18, generates, stores, and auto-fills strong passwords for free. It’s right there in your Applications folder (App Library on iOS), waiting to help.

Remember: If your password is easy for you to remember, it’s probably easy for others to guess.

Who’s Responsible For Age Verification?

There seems to be a lot of finger-pointing going on about age verification between software and hardware developers. Facebook (and now Tinder) argue that it’s up to the hardware seller to verify a user’s age. (Ben Lovejoy covers this over at 9to5Mac.) In a lot of ways, that makes sense. When you register your iPhone, it should know how old you are. That could give Apple the ability to prevent underage children from downloading dangerous social media apps. Of course, it isn’t illegal in every jurisdiction for underage children to have these apps.

Likewise, the seller of these dangerous apps that can harm children should take more responsibility than just finger-pointing at the device manufacturer. There are plenty of ways for Tinder and Facebook to know when they have an underage user. And they, too, should be taking steps to protect these children.

And of course, don’t forget the parents. Some parents will want to grant their children access, and others will want to lock the devices down. In my opinion, the only way we’re going to really solve this problem is if the parents, the hardware and the software people all get together on this. I absolutely would like to see Apple take a more active role in this, but I don’t think it’s solely responsible for the solution.

Stolen Device Protection

There’s a new feature heading to iOS 17.3 after the New Year that will make it harder for someone to shoulder-surf your passcode and change your Apple ID on you. This is directly aimed at the vulnerability Joanna Stern wrote about in the Wall Street Journal. The new feature will require Face ID to get to saved passwords, and changing your Apple ID password will be subject to a security delay unless you do it from a familiar location, like home or work.

You’ll need to turn it on when it ships, but my initial take is that it seems like the right balance of security and convenience. I doubt we’ll see 17.3 before February.

Malicious Email is Getting Smarter

Malicious email is not comically dumb anymore. One malicious strain, called Emotet, appears to come from a known contact and looks as if it is replying to an existing thread. If you click on the links or attachments, you are done for. Dan Goodin at Ars Technica breaks it down.

For me, if it has an embedded link or an attachment, I assume it is malicious until proven otherwise. This is particularly true of email that appears to come from a financial institution or concerns one of my accounts. I’ve managed to avoid trouble because of constant vigilance. I wonder how many people out there have been compromised and don’t even realize it.

iCloud Gets a Security Upgrade

Today Apple announced some nice updates to the iCloud security features. The following features now have end-to-end encryption on iCloud:

  • Device Backups
  • Messages Backups
  • iCloud Drive
  • Notes
  • Photos
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet Passes

End-to-end encryption means your data can’t be viewed on the server in these categories (if you opt in). Put simply, Apple will no longer be able to see the above categories of data. If Apple gets hacked in the future, the bad guys can’t see your data either.

Apple has very publicly stated an interest in protecting user privacy. I believe them. What is impressive about this is how they’ve added the encryption at Apple’s user-base scale. That can’t be easy.

At this point, it’s opt-in. You must go into the iCloud settings and click on Advanced Data Protection. I will be opting in. Advanced Data Protection is in the latest iOS 16.2 beta. It will be available to all U.S. customers by the end of the year and rolling out to the world in early 2023.

One note of caution, however: this means that if you ever lose your password, the data is gone. Apple can’t help you. So get your password security sorted out before you push the button.
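To make the two points above concrete (the server holds only opaque data, and losing the passphrase means losing the data), here is a small added illustration. It is not Apple’s code and says nothing about how iCloud is actually built: the key is derived on the client with PBKDF2, the “cloud” stores only what the client uploads, and an HMAC-based keystream with a separate authentication tag stands in for a real cipher such as AES-GCM, which the Python standard library does not provide. All names and sample data are constructed.

```python
"""Client-side encryption demo: the server never sees a key, and a lost
passphrase cannot be recovered. Added illustration, not Apple's code; the
HMAC keystream is a stand-in for a real AEAD cipher."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for the illustration


def derive_key(passphrase, salt):
    # 64 bytes: first half encrypts, second half authenticates
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)


def _keystream(key, nonce, length):
    # HMAC used as a PRF in counter mode (stand-in for AES-CTR)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(passphrase, plaintext):
    """Runs on the device; returns only material that is safe to upload."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt(passphrase, blob):
    """Returns the plaintext, or None when the passphrase (hence key) is wrong."""
    key = derive_key(passphrase, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong passphrase or tampered data: nothing is recovered
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


class CloudServer:
    """Stores uploaded blobs; holds no passphrase and no key (constructed stand-in)."""

    def __init__(self):
        self.store = {}

    def upload(self, user, blob):
        self.store[user] = blob

    def breach_dump(self):
        # What an attacker with full server access would obtain: ciphertext only
        return dict(self.store)


def demo():
    note = b"notes: dentist on Tuesday"          # constructed sample data
    server = CloudServer()
    server.upload("dave", encrypt("correct horse battery", note))
    stolen = server.breach_dump()["dave"]
    return {
        "owner_reads": decrypt("correct horse battery", stolen) == note,
        "attacker_reads": decrypt("guess123", stolen) is not None,
        "plaintext_on_server": note in stolen["ct"],
        "lost_passphrase_recoverable": decrypt("", stolen) is not None,
    }
```

`demo()` returns a small dictionary: only the owner with the right passphrase gets the note back; a server breach yields ciphertext that does not contain the plaintext, and once the passphrase is gone nobody, the provider included, can decrypt it.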

Craig Federighi did an interview with Joanna Stern on these updates. She did a great job explaining end-to-end encryption in the process.

Where are the Passkeys?

With Apple’s latest round of updates, we’ve got a new password feature that lets your computer manage passwords for you in the background. There are a lot of advantages to this new “Passkey” system. (Here’s Apple’s explainer.) It isn’t dependent on user-generated passwords. It guarantees that people use different credentials for different sites. It will also help you avoid phishing attacks because it won’t work on spoofed websites. This comes at the cost of some loss of control, but third parties are already working on that (like 1Password in this video).

I’m curious, however, as to when Passkey websites will start showing up. So far, I’ve seen none. For this to work, websites must adopt some new backend technologies, and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above. I’ve been asking about it for MacSparky.com with some of my platform providers, and I’m told to cool my jets. I sure hope this all gets sorted out. It will help web security for a lot of people once it gets rolling.
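Both the “fake prompt tells you it failed” scenario from the passkey post above and the “won’t work on spoofed websites” claim here come down to one mechanism: a passkey is bound to the site it was created for, and the browser, not the page, reports the origin to the server. The following added example sketches that round trip. It is not Apple’s, a browser vendor’s, or any library’s code: the browser, authenticator, and server are tiny stand-ins, an HMAC over a shared secret replaces the real public-key signature (the standard library has no ECDSA), the suffix rule for `rp_id` is simplified, and `example.com`, `examp1e.com`, and the user `dave` are constructed.

```python
"""Why a passkey fails on a look-alike site: origin and rpId binding checked by
the relying party. Added illustration with stand-in components; the HMAC
"signature" replaces real public-key signing."""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "example.com"                                    # assumed relying party id
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """Holds one credential per (rp_id, user); the key never leaves the device."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id, user):
        key = os.urandom(32)
        self._keys[(rp_id, user)] = key
        return key  # stand-in for the public key the server would store

    def get_assertion(self, rp_id, user, origin, challenge):
        key = self._keys.get((rp_id, user))
        if key is None:
            return None  # no credential scoped to this rp_id: the prompt just fails
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
            sort_keys=True).encode()
        # authenticatorData = SHA-256(rpId) || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(key, signed, "sha256").digest()


def browser_get(authenticator, page_origin, rp_id, user, challenge):
    """The browser fills in the origin itself and only allows an rp_id that is
    the page's host or a suffix of it (simplified version of the real rule)."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a page may not claim another site's rp_id
    return authenticator.get_assertion(rp_id, user, page_origin, challenge)


def verify_assertion(stored_key, challenge, assertion):
    """Server-side checks: type, challenge, origin, rpIdHash, then signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False  # signed by the right key, but from a page we did not issue it to
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(stored_key, signed, "sha256").digest(), sig)


def login_attempt(authenticator, stored_key, page_origin, rp_id, user):
    """Full round trip: server issues a challenge, the page asks the browser,
    the server verifies whatever comes back."""
    challenge = os.urandom(32)
    assertion = browser_get(authenticator, page_origin, rp_id, user, challenge)
    return verify_assertion(stored_key, challenge, assertion)


def demo():
    auth = Authenticator()
    key = auth.register(RP_ID, "dave")
    challenge = os.urandom(32)
    genuine = browser_get(auth, "https://example.com", RP_ID, "dave", challenge)
    return {
        "real site": login_attempt(auth, key, "https://example.com", RP_ID, "dave"),
        # look-alike page asking for the real site's rp_id: the browser refuses
        "phish claims example.com": login_attempt(auth, key, "https://examp1e.com", RP_ID, "dave"),
        # look-alike page using its own rp_id: no credential, so the prompt "fails"
        "phish own rp_id": login_attempt(auth, key, "https://examp1e.com", "examp1e.com", "dave"),
        # a captured assertion presented against a fresh challenge is rejected
        "replayed assertion": verify_assertion(key, os.urandom(32), genuine),
    }
```

`demo()` returns one boolean per scenario; only the genuine site succeeds. The practical reading for a site operator is the one the post makes: once a user has a passkey, the weak point is no longer the passkey prompt but any password fallback still sitting beside it.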