> The problem with iCloud keychain for me is that I don't only use Apple devices
If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud KeyChain-stored password on my iPhone, then manually retype it on the other device.
> Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on. Passkeys also require that two-factor authentication is enabled for your Apple ID.
Nope, sorry. Enshittification makes this entire concept, as-presented, a non-starter.
Does there need to be work on webauthn for it? (maybe some wording suggestions around "resident keys" which I think are meant to be persistent and within a single TPM or such, but no technical constraints beyond that afaik).
My understanding was that passkeys were just Apple Marketing(tm) around their implementation and integrating it with iCloud/keychain?
> to clarify, if my user set up passkey on their iPhone and that's the only method of authentication for my website, they just wouldn't be able to sign in if they lost that iPhone?
That used to be the case. Since iOS 16 they are also synced via the iCloud Keychain: "Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on. Passkeys also require that two-factor authentication is enabled for your Apple ID."
Longer answer: iCloud Keychain is end-to-end encrypted credential storage, and its workflow is:
Need password -> Secure system hook to Keychain -> Keychain requests unlock via (face/finger/passphrase as appropriate) -> Password decrypted and auto filled.
There are also third-party options, which can nominally use NFC keys[0] as auth factors, but I’m not currently aware of any that actually do.
Personally, I use 1Password, because I’ve still got a Windows box in my world, and need something cross-platform, and since I’m paying for it, I know it’s the product and not me.
>> Apple has described Passkey as a new kind of credential in the iCloud keychain. The technology is based on the Web Authentication API (WebAuthn), a rapidly emerging standard that uses public key cryptography instead of passwords for authenticating users to websites and applications.
Whatever "based on webauthn" means... Let's hope it's not just a buggy implementation of WebAuthn as they did with OpenID Connect.
I will tell my family to use iCloud Keychain the day when it works across all major browsers and OSes. Or at least that they provide an API to sync with other password managers.
iCloud Keychain works great for me. Although, if I could change one thing, it would be to add a dedicated iOS app, instead of having to go to Settings > Safari > Passwords.
I don't know about 1Password, but IIRC the iCloud keychain is laughable security, with easily brute forceable pin-based security that can be performed at Apple HQ without your knowledge.
Apple has keychain linked to an iCloud account, but it's a subpar password manager at best. Most Mac people who I know that are techy just use LastPass.
Unfortunately, it doesn't directly address the issue of the iCloud keychain requirement.