Apple announced at this year’s Worldwide Developers Conference (WWDC) that passwordless login will be available in September for Mac, iPhone, iPad, and Apple TV. Users will no longer use passwords to log in to websites and apps on iOS 16 and MacOS Ventura, instead using Passkeys.
“To make a passkey, just use Touch ID or Face ID to authenticate, and you’re done,’’ and passkeys can’t be phished, said Darin Adler, VP of Internet Technologies at Apple, who made the announcement at the keynote. When you login to this website again, the passkey allows you to authenticate your identity by using your biometrics rather than typing in a password.
This is the first major shift in the real world to eliminate passwords.
So, why is “passwordless login” so important?
The Unreliability of Passwords
Living in the era of the Internet, we are all used to the login form of “account + password”. As Internet applications and services become more and more ubiquitous, we have naturally created more and more accounts and passwords.
Although there is excellent password management software like 1Password on the market, only a small percentage of us use them, and most individuals are still used to remembering their own passwords. Users spend 10.9 hours each year typing and/or resetting passwords, according to a Yubico survey in 2019, costing companies an average of $5.2 million per year.
Another reality is that some people are so careless that they use overly simple passwords or use the same password for many Internet services.
Top 200 most common passwords, source: https://nordpass.com/most-common-passwords-list/
Overly simple passwords allow hackers to take advantage of them, and using the same password for many Internet services makes it possible for a user to login to one hacked service and have their password compromised across a number of applications.
Furthermore, even industrial giants are vulnerable to massive data breaches. Here are a few examples:
- In 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts.
- In 2014, eBay suffered a significant data breach that exposed the personal information of around 145 million users, including usernames, email addresses, home addresses, phone numbers, and birthdays.
- In 2014, Yahoo was attacked and user information of 500 million users, including names, email addresses, telephone numbers, birth dates, encrypted passwords and in some cases, security questions, was stolen.
- In 2016, six databases that were owned by Friend Finder Networks suffered a massive data breach, which exposed more than 412 million accounts.
- In 2021, personal information, including phone numbers and full names, of more than 500 million Facebook users was leaked online by hackers.
Passkey: The More Secure Passwordless Login
Back in 2009, Validity Sensors and PayPal discussed using biometrics for identification of online users instead of passwords at a meeting. The meeting inspired the idea of an industry standard designed around public key cryptography, enabling a passwordless login backed purely by local authentication.
In July 2012, the FIDO Alliance was founded and work on a passwordless authentication protocol began.
In 2019, FIDO Alliance and the World Wide Web Consortium (W3C) announced the Web Authentication (WebAuthn) specification as an official web standard. WebAuthn allows servers to register and authenticate users using public key cryptography instead of a password. From the user’s perspective, with WebAuthn only the following steps are required:
- Enter username (or email address)
- Click “Sign in”
- Touch ID
- Done
Source: https://www.hanko.io/blog/on-passkeys
Going deeper, “WebAuthn allows servers to integrate with the strong authenticators now built into devices, like Apple’s Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to authenticate the user’s identity.
The public key is not secret, because it is effectively useless without the corresponding private key. The fact that the server receives no secret has far-reaching implications for the security of users and organizations. Databases are no longer as attractive to hackers, because the public keys aren’t useful to them.” (Learn more at: Guide to Web Authentication)
Therefore, WebAuthn perfectly combines biometrics and cryptography.
In March 2022, the FIDO Alliance published a whitepaper detailing a new concept called “multi-device FIDO credentials, or short “passkeys”, meaning that your secure login information will be available on multiple devices. So,the passkey could also be called “synchronized WebAuthn credentials”.
Your devices will take care of passkey synchronization. Once the technology is released later this year, you will be able to use your passkeys on all devices that use the same iCloud account. It functions as a modern cloud-synced password manager (e.g., iCloud Keychain or 1Password), just without the passwords. If you lose your device, you just power up a new one, and you’re back in. Your passkeys will already be there and allow you to sign in to your services with Touch ID or Face ID straight away.
In short, passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.
Nervos CKB Supports Apple Passkey Feature
One of the reasons why the Internet has rapidly grown to its current size, taking into account both security and convenience, is the widespread use of cryptographic primitives. For example, SubtleCrypto, an algorithm that almost exists in all browsers, can even be used in mini programs; WebAuthn, which became an official web standard in 2019, makes the browser’s encryption as powerful as a hardware wallet while still maintaining a user friendly experience (as users can unlock using Touch ID, Face ID, etc.).
The user barrier for dApps can be considerably decreased if the blockchain can directly utilize the Internet’s cryptographic infrastructure, rather than requiring users to download wallet plug-ins or applications and then go through the process of storing mnemonic phrases.
However, the cryptographic primitives supported by the mainstream blockchains are limited:
The signature algorithms of these blockchains are incompatible with the encryption methods used in the infrastructure powering the Internet, therefore new infrastructure is required.
What makes Nervos CKB stand out is that the CKB-VM is abstract and does not contain any pre-compiled contracts to implement low-level functionality. Even the default cryptographic primitives like the hash function Blake2b and the signature verification algorithm Secp256k1 are just smart contracts running in the virtual machine. In other words, developers can select the cryptographic primitives in smart contracts by themselves and even use the existing Internet infrastructure directly, including the upcoming Passkey.
Therefore, we are proud to say that Nervos CKB may be the only public blockchain at present that supports the passkey feature.
What Will Passkey Bring to Nervos?
Assume we are a few months in the future, and passkeys are fully supported by Apple’s devices. So, what will Passkey bring to Nervos Network?
The answer is probably a lower barrier to entry for new users, a more user-friendly experience, and in turn, more users.
Passkey is a piece of infrastructure, and realizing its full potential requires the involvement of developers. We’ll use the cryptocurrency wallet as an example to show how this infrastructure lowers the barrier to entry for users, improves the user experience, and draws more Internet users into the Nervos ecosystem.
At the moment, non-custodial cryptocurrency wallets are still inextricably linked to mnemonics, public and private keys. So it is quite troublesome for an Internet user who is used to signing in with Touch ID or Face ID to save 12-word or 24-word mnemonics on his own, verify that the mnemonics are in the correct sequence, and he/she cannot capture screenshots or copy the mnemonics and send online.
Furthermore, the mnemonics might be leaked due to improper storage, resulting in the theft of crypto assets. Another situation that often occurs is the loss of mnemonics, which means the wallet cannot be restored and crypto assets in the wallet cannot be withdrawn anymore.
With the support of Passkey, the private key (and mnemonics) can be securely concealed, never being revealed to users. Therefore, users will be able to create a Nervos CKB wallet using Touch ID or Face ID after installing the wallet app. They simply need to authorize with Touch ID or Face ID when creating transactions or interacting with smart contracts, which is highly convenient and safe.
If the user loses his/her smartphone or replaces it with a new one, they can log in to the same iCloud account on the new device, download the wallet app, and then restore the wallet using the Touch ID or Face ID. The lost device cannot be cracked and the private key can never be exported, even if it is owned by a hacker.
Such cryptocurrency wallets have lower thresholds and a better user experience, and all operations are familiar to Internet users.
Wallets are the gateway for users to enter the blockchain world. With such a convenient and secure wallet, new things such as cryptocurrencies, DeFi, GameFi, and NFTs are much easier for billions of Internet users to access.
Of course, the possibilities of what Passkey will bring to Nervos Network and blockchains isn’t limited to this. If you’re a developer who’s passionate about bringing blockchain to every Internet user, we welcome you to join the Build Club program and create more possibilities!