Apple Passkeys: No Panacea for User Device Security

essidsolutions

Passwords fail miserably in the digital world, with users notoriously relying on easy-to-guess codes that can be hacked in seconds, says Jeannie Warner, director of product marketing at Exabeam.

Apple’s introduction of Passkeys enables a unique credential on each Apple device that requires biometric authentication to access it. However, technical and security challenges still exist with the nature and execution of Passkeys, and companies may need to navigate the ethical issues that come with collecting user biometric data at scale.

When Apple released iOS 16, the company introduced a new feature called Passkeys. Apple’s Passkeys is a new two-factor authentication method designed to replace user passwords, providing a better user experience and improving device security. Passkeys store a unique user credential on each Apple device that requires biometric authentication, such as a fingerprint or facial image, to access it. iCloud syncs credentials across user Apple devices, making it easy for consumers to log in to apps and digital services, providing a consistent experience across their smartphones, tablets, watches, and more.

Are Passkeys the Solution to Consumer Device Security Ills?

At first glance, Apple Passkeys sound like an intuitive way to enhance device security. After all, passwords are a manual, user-generated solution, failing miserably in a digital world. Users are famous for reusing passwords and creating easy-to-guess codes that can be hacked in seconds flat. Even IT administrators are guilty of this behavior – or even worse, not resetting default device passwords like “default” and “admin”. That’s why so many digital services now force the creation of complex passwords and alert users when they’re expiring. As a result, Passkeys seem like an improvement on poor user security practices.

In addition, Passkeys streamline users’ ability to access their devices, apps, and websites. There’s no need to remember and log in with clunky passwords, constantly reset them due to failed guesses or create new ones when prompted to do so every 60 to 90 days. Users will relish their streamlined access to devices and improved security with Apple Passkeys. 

But Apple Passkeys are just one of the solutions the technology industry needs to strengthen device and user security. Technical and security challenges still exist with the nature and execution of Passkeys, and companies may need to navigate the ethical issues that come with collecting user biometric data at scale.  

Five Challenges of Using Apple’s Biometrics-based Passkeys 

First, Apple’s inward approach to innovation means that its services and devices don’t necessarily play well with other operating systems. Thus, users with Apple, Microsoft, Google, and other devices may have challenges using Apple’s Passkeys across all these platforms. This challenge could easily be solved with a new passkey subscription service, which is probably already on the Apple launch list for some future date.

Next, major marketplaces and website operators will face a dilemma when they receive push notifications from Apple devices. Do they store and cross-reference user biometric data? If so, personal user data will now be widely used and stored by multiple digital services. Or do these companies blindly accept passwordless commands and send private data when requested? Both approaches increase user security risks, and consumers are powerless to protect this deeply personal data from being replicated and stored across services.

Using and storing biometric data for authentication also opens the door to greater cyberattacks and nation-state abuse. Cyber attackers have already demonstrated that they can spoof or clone push notifications from already accepted user devices. And if this happens, users can’t strengthen compromised password logins because their biometric data can’t be changed. 

State actors can capitalize on Passkeys in two ways. First, they can use backward-compatible tokens and push commands to force digital services to authenticate them; such attackers will likely target data-rich environments, such as financial services and healthcare, to commit fraud and build rich user profiles that can be exploited in other ways. Second, attackers who can penetrate the systems that major companies use to store biometric data can exfiltrate and use unique identifiers for millions or even billions of people. Imagine a massive attack on a big bank or brokerage: it’s within the realm of possibility.

Some nation-states may also pressure Apple and other companies to turn over biometric data so that they can surveil the public and track dissidents and troublemakers. In a troubling real-world example of how this can unfold, US and coalition forces collected millions of fingerprints, iris scans, and face photos of Afghan people to track and identify them, data that the Taliban are exploiting after the American departure from that country.

In a bonus scenario – I am a klutz. If I fall and faceplant on the sidewalk and scuff up my fingers, will my Passkey still recognize my face and fingerprint? (The fingerprint issue is already one I have with my phone – and why I always lock my phone to a code while getting on and off airplanes.)

Why Password Managers Are a Better Solution than Passkeys

In sum, Apple’s desire to improve user security is commendable, but Passkeys are the wrong approach at the consumer scale. Biometric data is deeply sensitive and should only be collected on an as-needed basis by government organizations for activities such as applying for top-secret agency jobs or fostering or adopting children. 

For accessing digital services and devices, password managers are a better approach. They force users to create highly secure passwords or automatically generate them. User credentials are stored in a digital vault, protected by encryption methods like the advanced encryption standard (AES). Those protected with AES-256 benefit from military-grade encryption. 

So, users, keep your biometric data where it belongs, under your control. Say no to Apple Passkeys. Instead, consider password managers to streamline access to your Apple devices while keeping your credentials secure and under your control. 
