The World Wide Web is becoming more and more dangerous because of new and innovative ways to steal online data. In 2020 alone, it was reported that 16% of all organizations around the world received on average 100,000 security alerts and threats. During 2021, it was reported that daily cybercrime damage cost approximately $19 billion, which equals $6 trillion per year. Cybercrime is evolving rapidly and becoming one of the most dangerous threats worldwide, but unfortunately most users and organizations are not aware of the potential damage and losses it can bring, and do not take security best practices seriously when creating new passwords or strengthening their protection systems.
According to statistics, the most “famous” way to extract information from a target resource is to steal a password and use it to access the data. One of the most popular ways to do so is called phishing. For 2021, it was reported that 80% of all cybercrimes were committed using phishing and social engineering methods: for example, convincing a user to send their password to solve a specific issue, or giving them an infected link to malicious software that extracts the credentials for the intruders. The second most popular way to steal passwords is to directly attack the web servers and databases that store users’ passwords and credentials: for example, using SQL injection against the credentials database to extract a list of usernames and passwords, or gaining access to the web server and extracting the data from the system with custom scripts.
Overall, there are a lot of ways to steal users’ passwords, and Apple promises to significantly decrease the number of compromised accounts by creating a new, more secure and simplified approach. The idea that Apple is planning to implement is called “passwordless” technology. It will allow users to access websites and applications by using Apple’s Touch ID and Face ID. So, how does it work exactly? The process is pretty simple: whenever the user registers on a website or in an application, a private encrypted key (passkey) is stored on the Apple device and a public key is sent to the web server, so that it can be matched with the private key when the user accesses the application again. After that, when the registered user tries to log in, the web server sends a request to the user’s device so that the private key (passkey) can be matched with the public key the server holds; to approve the request, the user provides their Touch ID or Face ID. Once the request is approved, the user can access the application. This approach addresses the problems mentioned earlier: phishing no longer works because the user does not know the private key and has no direct access to it, and the data stored on the web server or in the credentials database is useless to criminals, because it contains only the public key, which can be easily rotated and can’t be used to access the application.
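
The login flow described above, as an added Node.js example (not Apple's code or the WebAuthn API; `createDevice`, `createServer` and the example origins are hypothetical). The "match" is a signature check: the server sends a fresh random challenge, the device signs it together with the origin it sees, and the server verifies the signature with the stored public key, so the private key never leaves the device.

```javascript
// Added illustration; all names are hypothetical, not Apple's or WebAuthn's API.
const crypto = require("crypto");

// Device side: the private key stays here and is used only after a local
// biometric check (Touch ID / Face ID), modelled by the userApproved flag.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only value ever sent to the server (at registration)
    sign(challenge, origin, userApproved) {
      if (!userApproved) return null;
      // The origin the device actually sees is bound into the signed data.
      return crypto.sign("sha256", Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
    },
  };
}

// Server side: stores public keys only; issues a fresh challenge per login.
function createServer(origin) {
  const users = new Map();
  const pending = new Map();
  return {
    register(name, publicKey) { users.set(name, publicKey); },
    startLogin(name) {
      const challenge = crypto.randomBytes(32);
      pending.set(name, challenge);
      return challenge;
    },
    finishLogin(name, signature) {
      const challenge = pending.get(name);
      pending.delete(name); // single use: a captured signature cannot be replayed
      if (!challenge || !signature || !users.has(name)) return false;
      const data = Buffer.concat([challenge, Buffer.from(origin)]);
      return crypto.verify("sha256", data, users.get(name), signature);
    },
  };
}

// Constructed scenario: a genuine login, a replay, and a look-alike origin.
function demo() {
  const device = createDevice();
  const server = createServer("https://shop.example");
  server.register("alice", device.publicKey);
  const sig = device.sign(server.startLogin("alice"), "https://shop.example", true);
  const genuine = server.finishLogin("alice", sig);
  const replayed = server.finishLogin("alice", sig); // challenge already consumed
  const phished = server.finishLogin("alice",
    device.sign(server.startLogin("alice"), "https://shop-login.example", true));
  return { genuine, replayed, phished };
}
console.log(demo());
```

Only the genuine login verifies; the replayed signature and the one produced for the look-alike origin are both rejected, and nothing the server stores can produce a valid signature.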

Apple also announced active cooperation with big tech companies such as Microsoft and Google. Apple plans to integrate its “passwordless” solution with the services and applications provided by these tech giants. For example, Apple has already announced the authentication technology for devices that don’t have Face ID or Touch ID. In that case, the non-Apple device shows the user a QR code, which is scanned by an Apple device that has Face ID or Touch ID, and the user is then identified.

Sounds promising and revolutionary! Let me know what you think in the comments section.
Resources:
- https://support.apple.com/en-us/HT213305
- Tech Crunch Blog
- https://www.macrumors.com/2022/06/08/apple-passkeys-next-generation-passwords/
- https://www.wired.com/story/apple-passkeys-password-ios16-ventura/
- https://www.youtube.com/watch?v=q5D55G7Ejs8
- https://appleinsider.com/articles/22/06/07/apple-passkey-feature-will-be-our-first-taste-of-a-truly-password-less-future
Sounds dope!