New Apple iPhone app proves how hard it is to kill the online password

Apple Intelligence was unveiled during Apple’s Worldwide Developers Conference in Cupertino, California, on June 10, 2024.

For years, cybersecurity experts have been predicting the death of the online password as more advanced log-in features, from facial recognition to multi-factor authentication, become more common. But it seems like Apple has accepted that the password isn’t going away anytime soon. Its new Passwords app, introduced at Apple’s WWDC 2024 earlier this week, is one more solution to help protect online accounts and manage multiple logins. It doesn’t change the fact that putting all your logins in one place continues to come with risks.

“Passwords are really hard to kind of get rid of,” said Andras Cser, Forrester vice president, principal analyst.

The new Passwords app for iPhone, iPad, Vision Pro, Mac and Windows lets users store all of their passwords, including verification codes, app passwords, Wi-Fi passwords, passkeys and more. The offering is similar to other password managers on the market, including 1Password and LastPass.

“You can’t underestimate the power of having a default solution like this and having password security built in,” said Gadjo Sevilla, eMarketer senior analyst. “That’s probably going to entice the majority of Apple customers to use the feature. It’s convenient. It’s there. It’s free.”

Passwords are a risky online security method

But that doesn’t change the basic concern about users relying on passwords as a default online security method.

“That’s the move: Obliterate the need for any password manager and just move to one-time passwords based on push notification-based authentication, biometrics or passkeys,” Cser said. “Moving away from passwords is probably the right message, not using free or upgraded password managers.”

Password hacking is on the rise, with IBM reporting a 71% increase in the number of attacks using valid passwords in 2023 compared to 2022. Apple, Google, and Microsoft have made moves to migrate more users to passkeys, which require another device owned by the user to verify the login through face scans, fingerprints or other codes. This helps get rid of the biggest cybersecurity risk: people tend to have very poor password hygiene, including using the same password across accounts, which means that if that password is stolen, the hacker would have access to all of them.

Apple’s passkey system, Keychain, is only for products under its iOS operating system. This new Passwords app includes more systems compatibility, including Windows and different types of login verifications. The company did not say it will include any Google or Android passwords, which encompass a lot of accounts. 

Password managers, like the Apple Passwords app, store different passwords, passcodes and logins securely under a single account. And they do offer an added layer of protection: research from Security.org found those without password managers are three times more likely to be victims of identity theft. But whether free or paid, no password manager completely eliminates risk.

“They are a band-aid or wraparound,” Cser said. “Passwords are very vulnerable, and very much have run their course in protecting any kind of apps or resources and data. So then, it just puts all your eggs in one basket, regardless of whose tool you pick, right?”

Apple did not respond to a request for comment by press time.

There are some concerns that if Apple holds all the digital keys to everyone’s password, then it could make people more vulnerable if the company is hacked. It’s not outside the realm of possibility: Apple’s iCloud was hacked back in 2014, leading to many leaks of private celebrity photos. LastPass was hacked in 2022, though customer data was not stolen.

“The one security issue ever is that anyone who gets your Apple ID and your password would get access to your iCloud Keychain or your Password app, because that is really the key authentication needed to safely access those stored passwords,” Sevilla said.

Apple, personal data, and privacy

Still, protecting large amounts of personal data is nothing new for Apple, and it has developed a relatively good track record of building its brand around privacy. It also has a hardline stance against sharing information with unauthorized third-party apps. Earlier changes starting with iOS 14.5 have asked users to opt into data sharing and blocked tracking applications, to the detriment of digital advertising companies, like Facebook, that rely on that information for ad targeting.

“Apple is a services company,” Sevilla said. “They have billions of credit card numbers. You can’t underestimate the amount of effort they will put into making sure that is locked down, and those are all tied into Apple IDs, Apple passwords. So I guess if you follow that example, they could probably be seen as far more secure than the standalone apps.”

Broader data sharing issues were raised at WWDC about Apple’s partnership with OpenAI, which it is using to allow Siri to access ChatGPT. Some, including Elon Musk, have raised concern that allowing OpenAI access to Apple user data could be a potential security violation. OpenAI uses user data and behavior to train its AI models.

While it may be highly unlikely, with users sharing their passwords with Apple, and Apple sharing data with OpenAI, cybersecurity experts say it presents at least the theoretical risk that OpenAI could use logins to look at personal data for its learning purposes.

Apple reiterated its commitment to data privacy at WWDC 24. Apple Intelligence, its entry into AI, will leverage cloud-based models on special servers using Apple Silicon to ensure that user data is private and secure. If a request needs to go to a cloud server, Apple says it will only send a limited selection of data in a “cryptographically” secure way.

“We’re not going to take that data and go send it to some cloud somewhere,” Apple senior vice president of Machine Learning and AI Strategy John Giannandrea said at the event. “Because we want everything to be very private, whether it’s running locally or on a cloud computing service, and that’s the way we want it so we can use your most personal data.”
