About the security of passkeys

Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.

Passkeys are a replacement for passwords, designed to give websites and apps a passwordless sign-in experience that is both more convenient and more secure. Passkeys are a standards-based technology that, unlike passwords, is resistant to phishing, is always strong, and is designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use, and work across all of your Apple devices, and even on non-Apple devices within physical proximity.

Credential security

Passkeys are built on the WebAuthentication (or "WebAuthn") standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices that have Touch ID or Face ID, biometrics can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. Platform vendors have also worked together within the FIDO Alliance to make sure that passkey implementations are compatible across platforms and work on as many devices as possible.

Synchronization security

Passkeys were designed to be convenient and accessible from all devices used on a regular basis. Passkeys sync across a user's devices using iCloud Keychain.

iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple, and is rate limited to help prevent brute-force attacks even from a privileged position on the cloud backend. Passkeys stored in it remain recoverable even if the user loses all their devices.

Apple designed iCloud Keychain and keychain recovery so that a user's passkeys and passwords are still protected under the following conditions:

  • A user's Apple ID account used with iCloud is compromised

  • iCloud is compromised by an external attack or an employee

  • A third party accesses user accounts

Protections on accessing Apple ID account

To protect against unauthorized access, any Apple ID using iCloud Keychain requires two-factor authentication. If a user attempts to register a new passkey and does not have two-factor authentication set up, they will be automatically prompted to set up two-factor authentication.

To sign in for the first time on any new device, two pieces of information are required—the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number.

Learn more about two-factor authentication

Protections on accessing iCloud Keychain

An additional layer of protection is in place to protect against a rogue device getting access to a user's iCloud Keychain. When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself consisting of a unique key pair stored in the device's keychain.

New devices, as they sign in to iCloud, join the iCloud Keychain syncing circle in one of two ways:

  • By pairing with and being sponsored by an existing iCloud Keychain device; or

  • By using iCloud Keychain recovery.

Recovery security

Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud Keychain escrow, which is also protected against brute-force attacks, even by Apple.

iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user's keychain is encrypted using a strong passcode, and the escrow service provides a copy of the keychain only if a strict set of conditions is met.

To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.

Optionally, a user can set up an account recovery contact to make sure that they always have access to their account, even if they forget their Apple ID password or device passcode.

Learn how to set up an account recovery contact

Learn more

Learn more about Apple ID security and iCloud Keychain security in the Platform Security Guide
