Passkey Adoption is Too Slow

We recently hit a milestone in the world of digital security: 200 companies are now using passkeys instead of traditional password systems. It’s progress, sure, but to me, it’s not exactly fireworks-worthy. Frankly, it feels like we should be much further along.

I’ve heard from many in my audience — a group of smart, tech-savvy folks — and yet, there’s hesitation. People are leery about passkeys. The idea of leaving behind the trusty (if flawed) username and password combo still feels risky to some. That’s understandable; we’re in a strange transitional phase where trust in the new system is still being earned, and the old system isn’t quite dead yet.

Right now, a lot of companies are hedging their bets. They implement passkeys but keep the traditional username and password system alive “just in case.” While that might sound like a good compromise, it actually introduces new risks. Let me explain.

When a site offers both options, it creates a tempting target for bad actors. Imagine this: You try to log in with your shiny new passkey, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just handed over your credentials to the bad guys.

By maintaining the old system alongside the new one, we’re essentially giving attackers two doors to try. It’s like installing a state-of-the-art security system but leaving the back door unlocked “just in case.”

Then there’s the trend of bypassing passwords entirely in favor of email-based authentication. At first glance, it seems simple and clever: “Just click the link we emailed you.” But email isn’t exactly a fortress of security. If someone compromises your email account, they’ve got the keys to the kingdom.

This trend feels like a half-step solution. It’s better than nothing, but it’s not the robust answer we need in the long term.

Passkeys, when implemented correctly, are a huge leap forward. They’re designed to be more secure and easier to use. They’re phishing-resistant, for one thing. A hacker can’t trick you into handing over a passkey the way they can a password. And they take advantage of the biometric and secure enclave tech built into our devices, which is vastly more secure than anything we’ve relied on before.
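To make the phishing-resistance point concrete, here is an added example (not from the original post) of the binding checks a site runs on a passkey sign-in response: the browser records the page's origin and the authenticator hashes the site ID into the signed data, so a response produced on a lookalike page fails on the real site. The site `example.com`, the lookalike domain, and the fixed challenge are constructed assumptions, and the signature verification that makes these fields tamper-evident is left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed site origin
CHALLENGE = bytes(range(32))             # constructed; real servers issue random bytes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator emit for a page at `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) | flags (0x05 = UP+UV) | 4-byte sign counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data

def binding_errors(client_data_json: bytes, auth_data: bytes, issued: bytes) -> list:
    """Return the binding checks that fail; an empty list means the response is for this site."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    try:
        echoed = b64url_decode(str(client.get("challenge", "")))
    except ValueError:
        echoed = b""
    if not hmac.compare_digest(echoed, issued):
        errors.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authenticator_data"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rp_id_hash")
    if not auth_data[32] & 0x01:  # user-present flag
        errors.append("user_present")
    return errors

if __name__ == "__main__":
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID), ("https://examp1e-login.test", "examp1e-login.test")]:
        print(origin, binding_errors(*sample_assertion(origin, rp, CHALLENGE), CHALLENGE))
```

A password typed into the lookalike page would work anywhere; the passkey response from that page carries the wrong origin and site hash, so the real site rejects it.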

We’re in this awkward adolescence of digital security. But getting to the point where passkeys are the norm will take a concerted effort. Companies need to be all-in, not straddling the line. Users need better education about how passkeys work and why they’re safer. And the tech industry as a whole needs to push forward faster.

Right now, everything about passwords and passkeys feels a little brittle. The sooner we can move to a world where passkeys are ubiquitous and properly implemented, the better off we’ll all be. Until then, stay vigilant, stay informed, and don’t forget to lock the back door.

Apple Claps Back

Another Siri?

Mark Gurman’s got another AI/Siri report and it’s a doozy. According to the latest rumors, Apple is cooking up an LLM-powered Siri for iOS 19 and macOS 16.

The idea is that this would be yet another Siri reboot, but this time built on Apple’s own AI models. Think ChatGPT or Google’s Gemini but with that special Apple sauce (and privacy-focused access to your on-device data).

Here’s where I get a bit twitchy, though. Apple has been tight-lipped about the details of its AI strategy, and it’s starting to wear thin. If this massive LLM overhaul is really coming next year, what exactly are we getting with the current “Apple Intelligence” features that are supposed to land this year?

If, after all the WWDC and iPhone release hype, we get through all these betas only to find that Siri is still struggling with basic tasks, and then Apple says, “But wait until next year, we’ve got this whole new system that will finally fix everything!” Well, that will be just a little heartbreaking for me.

Apple’s Image Playground: Safety at the Cost of Utility?

As I’ve spent considerable time with Apple’s Image Playground in the recent iOS 18.2 beta, I’m left with more questions than answers about Apple’s approach to AI image generation. The most striking aspect is how deliberately unrealistic the output appears — every image unmistakably reads as AI-generated, which seems to be exactly what Apple intended.

The guardrails are everywhere. Apple has implemented strict boundaries around generating images of real people, and interestingly, even their own intellectual property is off-limits. When I attempted to generate an image of a Mac mini, the system politely declined.

Drawing a Mac mini is a no-go for Image Playground

This protective stance extends beyond the obvious restrictions: Try anything remotely offensive or controversial, and Image Playground simply won’t engage.

Apple’s cautious approach makes sense. Apple’s customers expect their products to be safe. Moreover, Apple is not aiming to revolutionize AI image generation; rather, they’re working to provide a safe, controlled creative tool for their users. These limitations, however, can significantly impact practical applications. My simple request to generate an image of a friend holding a Mac mini (a seemingly innocent use case) was rejected outright.

I hope Apple is aware of this tipping point and reconsidering as Image Playground heads toward public launch. At least let it draw your own products, Apple.

Those Terrible Passwords Aren’t Getting Any Better

NordVPN recently released its annual list of commonly used passwords, and (surprise, surprise!) not much has changed. What’s truly baffling is how many folks still rely on this digital equivalent of leaving their front door wide open. The most common password is “123456” but fear not, “password” is still in there at number four.

If you’re reading MacSparky, you probably already use a password manager and strong, unique passwords. But if you know someone who doesn’t, please share this with them. Their accounts are far more vulnerable than they realize.

And there’s no excuse anymore. Apple users don’t even need a third-party solution: The built-in Passwords app, available starting with macOS 15 (Sequoia) and iOS 18, generates, stores, and auto-fills strong passwords for free. It’s right there in your Applications folder (App Library on iOS), waiting to help.

Remember: If your password is easy for you to remember, it’s probably easy for others to guess.

Beyond HomeKit: Will Apple Make a Smart Home Camera?

According to reports, Apple is developing a smart home camera slated for 2026. Such a device would be a natural extension of Apple’s commitment to privacy and artificial intelligence, potentially offering the seamless user experience we’ve come to expect from Cupertino. If given proper support, an Apple camera could be compelling. This potential move raises an interesting question: Why hasn’t Apple been more aggressive in the home automation accessory market? Apple-branded switches, light bulbs, and locks would likely find an enthusiastic audience, particularly given the current fragmented smart home landscape. The answer may lie in Apple’s exacting standards. Perhaps, until now, they haven’t felt they could deliver these products sufficiently better than the competition to justify the work.

But at this point the concerns with smart cameras — fiddly apps and interfaces and massive privacy concerns — point directly at Apple’s wheelhouse.

If this camera rumor indicates a shift in strategy, it’s a welcome one. The current smart home market is crowded with vendors of varying reputations and security standards. An Apple-branded line of smart home products could bring much-needed clarity and confidence to consumers who want to embrace home automation without compromising their privacy.