About the security of passkeys
Passkeys are a replacement for passwords. They're faster to sign in with, easier to use and much more secure.
Passkeys are a replacement for passwords that are designed to provide a more convenient, more secure, passwordless sign-in experience on websites and apps. Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, always strong and designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use and work across all your Apple devices, and even non-Apple devices within close physical proximity.
Credential security
Passkeys are built on the WebAuthentication (or "WebAuthn") standard, which uses public key cryptography. During the account registration process, the operating system creates a unique cryptographic key pair to associate with an account for that app or website. These keys are generated by the device, securely and uniquely, for every account.
One of these keys is public and is stored on the server. This public key is not a secret. The other key is private and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices that support Touch ID or Face ID, these authentication methods can be used to authorise use of the passkey, which then authenticates the user to the app or website. Shared secrets are not transmitted and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure passkey implementations are compatible cross-platform and can work on as many devices as possible.
Synchronisation security
Passkeys were designed to be convenient and accessible from all devices used on a regular basis. Passkeys sync across a user's devices using iCloud Keychain.
iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple and rate limited to help prevent brute-force attacks even from a privileged position on the cloud backend. They're also recoverable even if the user loses all their devices.
Apple designed iCloud Keychain and keychain recovery so that a user's passkeys and passwords will still be protected under the following conditions:
A user‘s Apple Account used with iCloud is compromised
iCloud has been compromised by an external attack or an employee
A third party has accessed user accounts
Protections on accessing Apple Account
To protect against unauthorised access, any Apple Account using iCloud Keychain requires two-factor authentication. If a user attempts to register a new passkey and hasn't set up two-factor authentication, they will be automatically prompted to set up two-factor authentication.
To sign in for the first time on any new device, two pieces of information are required — the Apple Account password and a six-digit verification code that will be displayed on the user’s trusted devices or sent to a trusted phone number.
Find out more about two-factor authentication
Protections on accessing iCloud Keychain
An additional layer of protection is in place to protect against a rogue device getting access to a user's iCloud Keychain. When a user enables iCloud Keychain for the first time, the device will establish a circle of trust and create a syncing identity for itself consisting of a unique key pair stored in the device's keychain.
When new devices sign in to iCloud, they join the iCloud Keychain syncing circle in one of two ways:
By pairing with and being sponsored by an existing iCloud Keychain device; or
By using iCloud Keychain recovery.
Recovery security
Passkey synchronisation provides convenience and redundancy in the event of a single device being lost. However, it's also important that passkeys are recoverable if all associated devices have been lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple.
iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user's keychain is encrypted using a strong passcode, and the escrow service only provides a copy of the keychain if a strict set of conditions has been met.
To recover a keychain, a user must authenticate themselves using their iCloud account and password and respond to a text message sent to their registered phone number. After they've been authenticated and have responded to the text message, the user will be required to enter their device passcode. iOS, iPadOS and macOS allow a maximum of 10 attempts for a user to authenticate themselves. After several failed attempts, the record will be locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record will be destroyed.
Optionally, a user can set up an account recovery contact to make sure they always have access to their account, even if they’ve forgotten their Apple Account password or device passcode.
Find out how to set up an account recovery contact