Since Apple didn't actually define it, this left a void for our thought leaders to answer that question for users hungry to know "what indeed is a passkey?".
I have always understood that Apple defined a Passkey to be a key pair that is synced through iCloud Keychain. Even their WWDC 2021 presentation distinguishes passkeys from security keys because they are "always with you" (the device sync aspect) and "recoverable". I think the definition was later extended to other cloud sync methods.
I also think the article makes the wrong trade-offs. Security keys are not important [1]. They are only used by a negligible number of technical users and a small number of companies that really care about security. Getting people off passwords is necessary for improving web safety and 99% of the population is never going to use security keys unless they are forced to. Passkeys do have a good chance of getting people off passwords, especially with deep OS integration. We shouldn't optimize authentication for that 1% or less because they'd be running out of resident key slots.
[1] I am the owner of 3 Yubikeys, 3 Yubico security keys and a SoloKey.
> I have always understood that Apple defined a Passkey to be a key pair that is synced through iCloud Keychain. Even their WWDC 2021 presentation distinguishes passkeys from security keys because they are "always with you" (the device sync aspect) and "recoverable". I think the definition was later extended to other cloud sync methods.
Their goal was an industry initiative, not an Apple Passkey product. By the time they were released in 2022, the definition loosened to be an experience, e.g. discoverable and providing the option for user verification.
The user can choose whether or not to use a passkey provider that is backed up/recoverable, and the relying party gets a signal to this effect. They might use this signal to determine whether to prompt to remove the password login option.
Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.
> "The cryptographic keys are used from end-user devices (computers, phones, or security keys) that are used for secure user authentication."
"The cryptographic keys" is casually mentioned here with an implied reference to being passkeys. It never explicitly states passkeys are, in fact, "cryptographic keys".
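As an added example (not from any commenter in this thread), this is how a relying party actually reads the "backed up/recoverable" signal mentioned above: WebAuthn authenticatorData carries Backup Eligibility (BE) and Backup State (BS) flag bits next to User Verified (UV). The RP ID `example.com`, the sample authenticatorData bytes and the password-removal policy are all constructed for illustration.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligibility: a synced ("multi-device") credential
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows
FLAG_ED = 0x80  # Extension data follows

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }
    # The spec forbids BS without BE: a credential that is not eligible cannot be backed up.
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        raise ValueError("invalid flags: BS set without BE")
    return parsed

def can_offer_password_removal(parsed: dict, rp_id: str) -> bool:
    """Constructed RP policy: only offer to drop the password once the user holds a
    user-verified passkey that is backed up, so losing one device stays recoverable."""
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    return parsed["user_verified"] and parsed["backup_eligible"] and parsed["backed_up"]

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData with no attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

# Constructed samples: a synced passkey (sign counter typically 0) vs. a device-bound
# credential such as a security key (per-device counter).
SYNCED = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND = build_auth_data("example.com", FLAG_UP | FLAG_UV, 17)

if __name__ == "__main__":
    for label, data in (("synced", SYNCED), ("device-bound", DEVICE_BOUND)):
        p = parse_authenticator_data(data)
        print(label, p["backup_eligible"], p["backed_up"], can_offer_password_removal(p, "example.com"))
```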
I am a pretty technical user, and I would rather become a farmer than move to whatever "passkeys" are. Yubikeys or phones or whatever, I've had too many of these things go bzzzt, go missing, get wet, get broken, etc.
If a "passkey" is as reliable as my house key or car key, i.e. I can accidentally put it through a wash/dry cycle, then maybe. Maybe.
The nice thing about a username/password combo is I can remember them and use them everywhere. It's really straightforward. Whatever gimcrack method people use to implement "passkeys," does it work everywhere? Guaranteed?
I get it that there are some use cases where you need to have a hardware device, a passcode, a PIN and the blood of a left-handed virgin before you can access something, but those are edge cases. I almost never say this, but seriously, it would be easier and less troublesome to "educate users on the utility of passphrases instead of short passwords" than to make passkeys a thing.
> The nice thing about a username/password combo is I can remember them and use them everywhere.
The "use them everywhere" part, combined with not needing special software or hardware to use them, are the things that will keep passwords central to my authentication world for a very, very long time.