CISO Update #52

A Future Without Passwords

A new password-free option for iPhone users will soon be available, but beware of being an early adopter.

Apple’s new iOS update is attempting to make the iPhone the most secure device so far. First announced in June at Apple's Worldwide Developers Conference, iOS 16 launched this month and is making a splash with its passkey solution, which essentially eliminates the need for a memorized password. This is one of several new security features, but it's the one I would like to focus on because it is such an extreme step away from traditional password handling.

What is a passkey and how does it work?
The memorized password is one of the most vulnerable items when it comes to security. Despite all our best efforts, people still lose them, share them, and reuse them, making them an easy target for hackers. Unfortunately, two-factor authentication is viewed as a pain, and users will often skip this step for a false sense of convenience.

Enter the passkey, which has been around for a while but is only recently being considered a standard by the World Wide Web Consortium. A passkey eliminates the need for a memorized password by generating a pair of keys—one public key and one private key stored on the device. The public key is stored in the cloud (for Apple devices it’s iCloud) and shared between devices that have their own private keys. This also ensures that if a server is compromised, the attacker doesn’t have both keys to gain access to accounts because everything is kept separate. Want to geek out on how this complicated cryptography technology works? Read more here or check out this video here.
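The key-pair login described above, as an added example (not from the original newsletter and not Apple's implementation): a simplified Node.js model of the WebAuthn-style challenge-response that passkeys rely on, in which the site being logged in to keeps only the public key. The `Site` class, the `createPasskey` helper, the user name and the origins are constructed for illustration, and the origin check goes one step beyond what the text covers.

```javascript
const crypto = require('node:crypto');

// Device side (constructed model): the private key stays inside this closure.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }), // the only part the site receives
    // Sign the site's challenge together with the origin the browser is actually on.
    sign: (challenge, origin) =>
      crypto.sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  };
}

// Site side: stores public keys only, and issues a fresh random challenge per login.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  startLogin(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const key = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is valid for one attempt only
    if (!challenge || !key) return false;
    const signed = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return crypto.verify('sha256', signed, key, signature);
  }
}

function demo() {
  const site = new Site('https://portal.example'); // constructed origin
  const device = createPasskey();
  site.register('alice', device.publicKeyPem);
  const firstSig = device.sign(site.startLogin('alice'), site.origin);
  const genuine = site.finishLogin('alice', firstSig);
  site.startLogin('alice'); // new challenge, so the captured signature no longer matches
  const replayed = site.finishLogin('alice', firstSig);
  // Someone holding only the site's stored public key has to sign with some other key.
  const otherKey = createPasskey();
  const wrongKey = site.finishLogin('alice', otherKey.sign(site.startLogin('alice'), site.origin));
  const wrongOrigin = site.finishLogin('alice', device.sign(site.startLogin('alice'), 'https://portal.example.invalid'));
  return { genuine, replayed, wrongKey, wrongOrigin };
}
```

Only the first login succeeds: the site's stored record is enough to verify a signature but not to produce one, which is why a leaked server database does not hand over working credentials the way a leaked password table does.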

Currently, few websites support passkey-based authentication, but that is likely to increase over time as developers begin implementing passkeys in their services. Initially, passkeys will be supported on Macs, iPads, and iPhones. Also, now that Apple, Google, and Microsoft have joined forces to bring this authentication method into the mainstream with the unequivocal backing of the FIDO Alliance and the World Wide Web Consortium, we will see passkeys coming to the forefront and the inevitable death of the traditional password. How long it will take for hackers to crack the code is another question. For now, your best bet is to enroll in two-factor authentication here at FIT and on your personal accounts, and to encourage friends and family to do so as well. Passkeys may be a future without passwords, but we are still a ways away from seeing them everywhere.

Should you update to iOS 16?
As a general rule, the more changes software makes, the more bugs it brings. This is why every new generation of iOS and iPadOS has had glitches in its early days, and iOS 16/iPadOS 16 will be no different. Many tech blogs recommend that, unless you like to live on the wild side, you wait to update or at least upgrade to 15.7, which includes the updates that fix some important security vulnerabilities.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.