Apple’s WWDC 21 had a great set of new announcements around security. The most exciting one for us Identity and Access Management (IAM) geeks is the update on Apple’s commitment towards moving beyond passwords.
In this post, I wanted to share some thoughts on this great announcement and what it means for enterprise identity and authentication.
The updates presented by Garrett Davidson from Apple build on Apple’s previous support for the FIDO2 and WebAuthn open standards in the Safari browser on both iOS and OS X (now macOS). Previously, Apple supported passwordless authentication in Safari by adding a FIDO2 authenticator to the underlying operating system. This was a step in the right direction and followed Google’s Android passwordless implementation, which has been available for nearly three years.
Apple’s approach to passwordless is not unique in itself, since it adheres to the FIDO standard; however, their implementation and their approach to the credential recovery problem are unique and relevant to enterprises. One refreshing aspect of their messaging and stance on authentication is their dedication to eliminating shared secrets.
Statements such as “Each time that a secret is shared, there is risk,” and “Servers are less valuable targets for hackers because there are no shared secrets to steal” are encouraging to hear and reflect what we’ve been saying at HYPR for years. We put it this way: moving away from shared secrets takes an enterprise from an infrastructure that’s expensive to defend and easy to attack to one that’s expensive to attack and easy to defend.
Here’s what’s new in this announcement:
- Apple now has WebAuthn and FIDO2 support for native mobile apps. This means that users can enroll for passwordless authentication in a mobile app as well as in a browser. Credentials enrolled through the native app APIs can then be used in mobile browsers as well, without having to re-enroll.
- Synchronization via Keychain. Apple’s new “Passkeys in iCloud Keychain” feature — Passkeys being Apple’s name for the FIDO2 private key credentials — synchronizes those credentials across your Apple devices using end-to-end encryption.
Thoughts on These Updates
- Unsurprisingly, Apple’s keychain synchronization is focused more on consumer authentication than on the enterprise. Apple’s Passkeys approach is concerning. A Passkey is a private key; make no mistake about it. The best practice in security and cryptography is to never transfer or duplicate key material. I do believe that Apple’s implementation of this will be world class, but that doesn’t change the fact that it is a bad practice, and one that adversaries will likely exploit.
- Enterprises will not want to synchronize their users’ Passkeys in Bring Your Own Device (BYOD) scenarios. Many enterprises allow BYOD. However, Passkeys are synchronized across a user’s Apple account and devices. That means that if I’m using my personal phone to authenticate to my corporate resources, the credential used to access those resources could be copied over to my iPad, which is shared with my entire household. This could carry significant liability risk, because it would be difficult to attribute access to corporate accounts to a specific user.
I predict enterprises that want to leverage the Passkeys method of authentication will opt out of the synchronization offering from Apple and require more enterprise-friendly methods for credential recovery.
- Developers and IAM vendors will need to rely on the strong association between a native app and its website in order to use this functionality. That association is seldom used in apps today. It will need to be provided as an out-of-the-box capability, since mobile app teams and web teams often manage their projects in silos.
Overall, Apple’s developments are highly encouraging and have an eye on a passwordless future. Many of their approaches are consumer-centric, which is understandable, but for those of us who want to use these powerful tools on the enterprise side, there are major security aspects to consider. It will be interesting to see how the MDM technologies on the market address and enforce control over the Passkeys replication capabilities within Apple’s products. It’s exciting to anticipate future developments from Apple on this topic, and we look forward to providing these additional capabilities to HYPR customers soon!