
Use passkeys in iPhone and iPad
iPhone and iPad users can securely manage their digital credentials using the Passwords app. Users can save passwords associated with various accounts, and Autofill gives users the ability to quickly sign in to apps and websites without manually entering credentials. Additionally, the Passwords app supports the storage of passkeys, advanced digital keys that enhance security by using public-key cryptography, making them more secure and convenient than traditional passwords. For added security, iCloud Keychain helps protect all credentials stored within the app, ensuring that the data is encrypted and synchronized across the user’s Apple devices. With biometric authentication such as Face ID or Touch ID, users can be assured that their sensitive information remains protected, while also enjoying a hassle-free sign-in experience.
For more information, see About the security of passkeys.
About the security of passkeys
Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.
Passkeys are a replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure. Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use, and work across all of your Apple devices, and even non-Apple devices within physical proximity.
Credential security
Passkeys are built on the Web Authentication (or “WebAuthn”) standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.
One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices where Face ID or Touch ID is available, it can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. Platform vendors have also worked together within the FIDO Alliance (Fast IDentity Online) to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.
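The sign-in exchange described above, as an added example that is not Apple's code: the device keeps the private key, and the server verifies a signed challenge using only the stored public key. The relying party ID `example.com`, the origins and the helper names are assumptions, and the authenticator data is simplified (no attestation or CBOR encoding).

```javascript
// Added example; rpId, origins and helper names are assumptions, not Apple's code.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Device: a fresh key pair per account. Only the public key is sent to the server.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { serverRecord: { publicKey }, device: { privateKey } };
}

// Device: sign authenticatorData || SHA-256(clientDataJSON). The browser or OS,
// not the page, writes `origin` into the client data.
function signAssertion(device, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // Simplified authenticatorData: rpIdHash (32) | flags (UP=0x01, UV=0x04) | signCount (4)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, device.privateKey) };
}

// Server: verify with the stored public key and the challenge it issued.
function verifyAssertion(serverRecord, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== expected.origin) return 'bad origin';
  const ad = assertion.authenticatorData;
  if (ad.length < 37 || !ad.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad rpId';
  if ((ad[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([ad, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, serverRecord.publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

function demo() {
  const { serverRecord, device } = register();
  const expected = { rpId: 'example.com', origin: 'https://example.com', challenge: randomBytes(32) };
  const good = signAssertion(device, expected.rpId, expected.origin, expected.challenge);
  // Constructed case: client data reports a different origin, so the server rejects it.
  const wrongOrigin = signAssertion(device, expected.rpId, 'https://other.example', expected.challenge);
  const nextLogin = { ...expected, challenge: randomBytes(32) }; // fresh challenge issued
  return [verifyAssertion(serverRecord, expected, good),        // 'ok'
          verifyAssertion(serverRecord, expected, wrongOrigin), // 'bad origin'
          verifyAssertion(serverRecord, nextLogin, good)];      // 'bad challenge' (replay)
}

console.log(demo());
```

The server record holds nothing that can be used to sign in, which is why a leaked database of public keys does not expose the credential.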
Synchronization security
Passkeys were designed to be convenient and accessible from all devices used on a regular basis. Passkeys sync across a user’s devices using iCloud Keychain.
iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple, and is rate limited to help prevent brute-force attacks even from a privileged position on the cloud backend. Passkeys are recoverable even if the user loses all their devices.
Apple designed iCloud Keychain and keychain recovery so that a user’s passkeys and passwords are still protected under the following conditions:
A user’s Apple Account used with iCloud is compromised.
iCloud is compromised by an external attack or an employee.
A third party accesses user accounts.
Protections on accessing Apple Account
To protect against unauthorized access, any Apple Account using iCloud Keychain requires two-factor authentication. If a user attempts to register a new passkey and does not have two-factor authentication set up, they will be automatically prompted to set up two-factor authentication.
To sign in for the first time on any new device, two pieces of information are required—the Apple Account password and a six-digit verification code that’s displayed on the user’s trusted devices or sent to a trusted phone number.
For more information, see the Apple Support article Two-factor authentication for Apple Account.
Protections on accessing iCloud Keychain
An additional layer of protection is in place to protect against a rogue device getting access to a user’s iCloud Keychain. When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself consisting of a unique key pair stored in the device’s keychain.
New devices, as they sign in to iCloud, join the iCloud Keychain syncing circle in one of two ways:
By pairing with and being sponsored by an existing device that uses iCloud Keychain.
By using iCloud Keychain recovery.
Recovery security
Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it’s also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud Keychain escrow, which is also protected against brute-force attacks, even by Apple.
iCloud Keychain escrows a user’s keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user’s keychain is encrypted using a strong passcode, and the escrow service provides a copy of the keychain only if a strict set of conditions is met.
To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.
Optionally, a user can set up an account recovery contact to make sure that they always have access to their account, even if they forget their Apple Account password or device passcode. For more information, see the Apple Support article Set up an account recovery contact.
Create and save a passkey using iPhone or iPad
Users can create and save passkeys for websites and apps that support them.
Note: The instructions for creating and saving a passkey can vary depending on the app, website, or browser, but they typically consist of steps similar to the ones below.
Users can go to the sign-in screen for a supported website or app on their device, and do one of the following:
If they’re setting up a new account: Tap the button or link for setting up new accounts, then follow the onscreen instructions.
If they already have an existing account: Sign in with the account name and password, then go to the account settings or management screen.
When they see the option to save a passkey for the account, tap Continue.
The passkey is saved.
Note: If users don’t see a passkey option, it means the website or app doesn’t currently support passkeys.
The passkeys users create are stored on their device in the Passwords app.
Users can have a passkey and password for the same website or app, and find them both under the same account in the Passwords app.
Users can also save a passkey to a hardware security key. Tap “Other options,” “Save on another device,” or similar (if available), then follow the onscreen instructions for saving a passkey. For more information, see Use security keys to sign in to your Apple Account on iPhone.