2025-08-19 06:04:31
We imagine how Apple would tier list its own products, and discuss what kind of personality might work for a tabletop “robot” from Apple.
2025-08-18 23:15:03
The passkey was introduced with some excitement by Apple and varying degrees of hurrahs from Microsoft and Google a few years ago. This humble method of combining strong encryption, avoiding password entry, and adding the best aspects of second-factor authentication seemed like a winner. The excitement died down, even as operating systems, browsers, and websites provided increasingly robust support.
Why haven’t passkeys seemed to match their hype? Or do they “just work” and are being ignored despite their value?
I recently found one of the best arguments for using them, which I’ll share below. I’ve also seen quietly increasing adoption, even by the least-technology-focused sites, like those of home-improvement retailers and shipping suppliers.
I think you know the answer to this, but I’ll spell it out a little. Being text, a password can be copied or stolen, even if it’s generally obscured. Someone might be able to extract your password in a bunch of ways:
The strongest password from a complexity angle still has the weakest links: it can be used anywhere, by anyone, and has to remain accessible to you in plain text. When it’s pasted or filled into a Web page, it may be transmitted through secure https transport, but it’s still in the clear briefly at your end and the other.
What if there were a way to eliminate these flaws and simplify the process? That’s the goal of the passkey.
A passkey isn’t just an extra-secure password. Rather, it relies on public-key cryptography (PKC), in which your system creates a secret from which two parts are derived: one public and one private. The public key portion can be freely shared without risk through a variety of methods. The private key must be kept secret. It never leaves your device and is never typed in or shared.
Because there’s no shared, identical (or “symmetrical”) password used between two parties that’s sent in the clear (over an encrypted method like https or otherwise), there’s nothing useful that can be intercepted or stolen.
One of the useful aspects of PKC for proving your identity to access an account at a site is that the site only needs your public key to validate who you are. The private key, which only you have access to, can sign a message, and any possessor of the public key can validate that it could only have come from someone with that private key. Similarly, someone with the public key can encrypt a message that only you, with the private key, can decrypt.
PKC allows passkeys to provide two-way validation along with the primary purpose of a secure login. When you enroll to use a passkey at a site, you use your existing credentials to log in, often including a second-factor code or process. Your device generates a fresh private-public key pair for this login and sends the public key to the site.
The next time you log in, you opt to use a passkey, and the site sends a challenge through the browser that the browser or operating system manages. Using a fingerprint, your face, or a password, you confirm you want to use your locally stored passkey. Your system creates a message signed by the private key, which is sent to the site, which uses the public key to validate it. Easy as pie!
If someone tries to log into your account with a passkey, they would lack the proper keys and be unable to. Likewise, if you’re being phished, your browser won’t offer to log in to that site with a passkey, because the details don’t match. This is true with password managers, too, of course, which match accounts to sites. However, even if someone suborned a domain and a password manager “thought” it was the correct site, there’s no way for the phisher to provide a valid request your passkey system would respond to. Even then, that login information isn’t portable—it couldn’t be reused (or “replayed”) at the legitimate Web site.
PKC also prevents man-in-the-middle attacks, where a third party captures information from one side and silently hands it over to the other, and back to the first as a way to grab data or credentials. Without the private key, there’s no way for a third party to impersonate the logging-in user.
Notice that this process effectively removes the necessity for a second factor because the second factor becomes an integral part of the enrollment process: you have a unique set of information shared between the site and your device (or account ecosystem, like iCloud) that can’t be intercepted. A passkey makes logging in as easy as automatically filling in a password while offering the security advantages of two-factor authentication.
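The enrollment and challenge-response login described above can be modeled in a few lines. This is an added example, not code from the article or from any passkey implementation: it is a simplified model rather than the real WebAuthn message format, and the class names, result strings, and the `shop.example` and `shop-example.test` origins are constructed for illustration.

```javascript
const crypto = require('node:crypto');
// Device side: one key pair per site origin; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }             // origin -> private key
  enroll(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;                                   // only the public half is shared
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                              // no passkey for this origin: nothing is offered
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// Site side: stores the public key and issues single-use random challenges.
class Site {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  register(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return 'no-assertion';
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return 'wrong-origin';
    if (!this.pending.delete(challenge)) return 'stale-challenge';   // unknown or already used
    return crypto.verify('sha256', Buffer.from(assertion.clientData), this.publicKey, assertion.signature)
      ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const device = new Authenticator(), site = new Site('https://shop.example');
  site.register(device.enroll(site.origin));            // enrollment: public key goes to the site
  const first = device.sign(site.origin, site.newChallenge());
  const other = new Authenticator(); other.enroll(site.origin);      // a different device and key
  return {
    login: site.verify(first),                          // fresh challenge, enrolled key
    replay: site.verify(first),                         // the same signed message sent again
    lookalike: site.verify(device.sign('https://shop-example.test', site.newChallenge())),
    wrongKey: site.verify(other.sign(site.origin, site.newChallenge())),
  };
}
console.log(demo());
```

The site never holds anything secret: a copy of its stored public key and a captured login message are not enough to produce a response that verifies against a new challenge.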
I’m not aware of a widely available website that allows you to disable password-based logins or two-factor authentication exclusively in favor of a passkey. Most sites that have adopted them shifted their login process a couple of years ago in a way you might have noticed, and that added some friction: instead of a dialog for your email address or account name and then password, you were first asked for your user name. In a second step, you can enter a password or click or tap a button to use a passkey.
Some sites have pushed a “passkey login” button to their main login page in recent months. The credit-card processor Stripe makes it one of several options, which makes sense given the security needed for its account. However, the company does let you disable SMS-based second-factor codes once you have a passkey or other non-phone authentication method set, which is a significant move.
Web sites possibly love passkeys more than users do, because they reduce friction: it’s less effort to log in, the password doesn’t have to be found or entered, and it likely saves money on customer support from people losing their password and being unable to reset it.
Most sites have made it a trivial process to add a passkey to your account. The steps usually work like this:
When you’re using a single ecosystem, like Apple’s with Safari, you visit a Web site, click or tap use passkey, and use Touch ID or Face ID to complete the login, with a fallback to entering your passcode or macOS account password.
When you’re using a browser or operating system that doesn’t connect to Passwords, or when you’re using someone else’s Apple device, there is a nifty built-in login workflow:
While this seems a little sus, as the kids say, the whole process is well defined in the industry-standard passkey protocol, and is as fully secure as if you were using a passkey through authentication directly on the device.
Passkeys were a little mistreated in Passwords until the fall 2024 upgrade to Apple’s operating systems. Now the Passwords app has its own category. An entry for a passkey also includes the user name, password, and other information associated with a site, such as the included domains.
Passkeys’ biggest flaw right now is that they aren’t exchangeable across password-management systems. I recommend Apple-centric people use the Passwords app to leverage the Safari and iCloud Keychain infrastructure and end-to-end encryption at the moment. If you regularly use Android or Windows, 1Password can manage passkeys across all its supported platforms, so it’s a better choice for now.
The whole industry touts the portability of passkeys without yet offering such a thing. But it’s inevitable, as there’s no lock-in benefit. Finding a secure way to sync or transfer passkeys without introducing security holes that bypass their value is the key (sorry) issue remaining.
You can use Passwords as one nifty workaround I hinted at in the intro. My wife and I share a login at our auto insurance’s site, but it requires a second-factor SMS code, and it will only allow one phone number. So I have to bother her every time I’m paying a bill on the site for the code sent to her phone. The company recently upgraded to passkey support, which I enrolled in. Using Passwords, I moved the passkey to my spouse and my shared group. Now, either of us can use the same passkey across all our collective devices.
2025-08-16 01:00:29
My thanks to Clic for Sonos for sponsoring Six Colors this week. Clic for Sonos is the fastest native Sonos client for iPhone, iPad, Mac, Apple Watch, Apple TV, and visionOS. It’s easy to get set up and get going, whether you’re playing to a single device or grouping multiple speakers together.
Clic for Sonos offers deep integration with native Apple technologies, with support for Widgets, Live Activities, Shortcuts, a Mac Menu Bar app, and support for Control Center. It works with your Sonos library, Apple Music, Spotify, Plex, Tidal, and TuneIn, and supports lossless and Dolby Atmos. And Scenes can now play music, so it’s one tap to group, set volume and play a playlist.
Try it for yourself and you’ll see. Six Colors readers can get one year for just $9.99 (30% off) or lifetime updates for $30 (50% off). Go to clic.dance/sixcolors for all the details.
2025-08-16 00:51:25
One of the most exciting additions in macOS Tahoe is Shortcuts automation, which (among many other things) allows Shortcuts to act when things move or change in the filesystem. More than two decades after Folder Actions brought those features to Mac OS X Jaguar, Apple has built a modern take on the feature that’s been popularized by third-party utilities like Hazel.
Unfortunately, Apple’s implementation of this feature is pretty basic—it’s a trigger that fires off a Shortcut and passes it all the information about what’s changed in the filesystem. The job of parsing, filtering, and acting on that information is entirely in the hands of the shortcut itself. This means that to take advantage of this feature, users will need a grasp of some Shortcuts fundamentals.
That’s what this article is for: to provide a quick guide to building a shortcut that acts on the contents of a folder when items are added to it. In this case, we’ll create a drop folder that moves Markdown files elsewhere when they’re added.
To get started, open Shortcuts and click on the Automation item in the sidebar. Then click the plus button in the top right corner. For this example, we’ll be choosing a Folder automation. In the ensuing dialog box, you’ll pick the folder you want to act on—mine’s called Drop It Here—and then check the box that specifies our shortcut will only run when an item is Added to that folder. I’m also going to click the Run Immediately option and uncheck Notify When Run, because I like my automations to run silently, like a submarine.
When that’s all done, you’re given the option to pick an existing shortcut, but I recommend choosing to make a new one that’s explicitly tied to this action. (It just keeps it tidier. And if you have a routine that you want to call from within the action, you can always use the Run Shortcut block!) With that, a new window will open containing a blank shortcut other than the first step, which is Receive Folder Change Summary As Input. That’s the step where the system will pass a Folder Change Summary item to your shortcut. The rest is up to you!
The simplest way to deal with this input is to add a Repeat With Each block, so the shortcut can loop one by one through all the added files and process them individually. Instead of acting on the raw shortcut input, click on the Shortcut Input field that’s automatically filled into the Repeat With Each block and, from the parameters offered by the Folder Change Summary variable, choose Added Files.
If your goal is to take every single item dropped in the folder and then act on it in some way, we’re done. You can delete them or copy them or zip them or move them, all within the repeat loop, and it will happen.
In this example, I want to take it a step further by applying a set of rules so that only certain files are acted upon. This being Shortcuts, there are numerous ways to filter the list of added files to include only the ones we want. For very simple sets of rules, the easiest way to do it is probably to use the Filter Files action to act upon the Shortcut Input, and then set the Repeat With Each action to act on the filtered files.
Another approach is to use an If statement within the repeat block, and use that statement to test for the same attributes you’d use in the Filter Files action—in this case, I’m filtering on the File Extension being md for Markdown. Filtering files at the start is probably more efficient, but it doesn’t allow for some complex situations that I’ll address later.
You can also mix and match these approaches, doing basic filtering up front and then performing more specific tests down below. The goal is to, ultimately, have your shortcut only process the right kinds of files, as defined by you.
Now here’s where it gets tricky. Apple’s automation doesn’t offer any choices regarding processing subfolders within your folder—any changes, any level deep in a subfolder hierarchy, will trigger the automation. Dan Moren and I spent some time working on this problem, and while the right solution is for Apple to offer a checkbox so users can decide if these automations should include subfolders, there are a few other ways to approach the situation. (Another alternative would be for Apple to supply the path of the folder the automation is acting on as a variable so that we could test against it.)
Dan’s approach is to strip the filename off of the incoming path using a regular expression and then strictly filter against the exact path of the top-level folder:
Mine takes more steps but is a bit more Shortcuts-y. I split the path of the incoming file by the slash character, creating a list containing all items in the file’s path. The last item will be the file’s name, but the next-to-last item will be its enclosing folder. (C’mon, Apple, why is enclosing folder not a variable available to me?!) Unfortunately, you can’t tell Shortcuts to get item -2 from a list like you can in Python, so instead I count the items in the list, subtract one from that number, and then get that item:
Once that’s all done, I can use the If statement to compare that enclosing folder to the name of the top-level folder I’m filtering, and only proceed if the file is in the top-level folder.
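The two subfolder filters described above, written out as an added example (not the Shortcuts actions or the regular expression from the article, which are not shown on this page). The watched path, the sample file paths, and the function names are constructed. It also shows one case where the two approaches disagree: a nested folder that has the same name as the top-level folder.

```javascript
// Hypothetical top-level folder watched by the automation.
const WATCHED = '/Users/me/Drop It Here';

// Approach 1: strip the filename with a regular expression, then require
// the remaining path to equal the watched folder's path exactly.
function inTopLevelByPath(filePath, watched = WATCHED) {
  const parent = filePath.replace(/\/[^/]+$/, '');
  return parent === watched;
}

// Approach 2: split on "/", count the items, subtract one, and take that
// item (lists in Shortcuts are 1-based, so this is the next-to-last one),
// then compare it to the top-level folder's name.
function inTopLevelByName(filePath, watched = WATCHED) {
  const parts = filePath.split('/');
  const enclosing = parts[parts.length - 2];   // 0-based equivalent of item (count - 1)
  return enclosing === watched.split('/').pop();
}

// Repeat With Each + If: keep only Markdown files that pass the folder test.
function selectMarkdown(addedFiles, folderTest) {
  return addedFiles.filter((p) => p.endsWith('.md') && folderTest(p));
}

// Constructed "Added Files" list from a Folder Change Summary.
const ADDED = [
  '/Users/me/Drop It Here/notes.md',
  '/Users/me/Drop It Here/photo.jpg',
  '/Users/me/Drop It Here/archive/old.md',
  '/Users/me/Drop It Here/archive/Drop It Here/copy.md',
];

console.log(selectMarkdown(ADDED, inTopLevelByPath));
console.log(selectMarkdown(ADDED, inTopLevelByName));
```

The exact-path test keeps only `notes.md`; the name-based test also keeps `copy.md`, because its enclosing folder shares the top-level folder's name.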
Automations for Shortcuts in macOS Tahoe really open up a lot of possibilities. I’ve built a half-dozen of them already. Yes, Apple should really make it easier, but once you get the hang of processing the folder change summary, you can really do amazing things. Here are some of the actions I’ve already built:
Once you get used to building filters and using Repeat With Each Item blocks, this is a feature that can save you a whole lot of drudgery. And isn’t that exactly what user automation is supposed to do?
2025-08-14 22:15:35
Apple will introduce a redesigned Blood Oxygen feature for some Apple Watch Series 9, Series 10, and Apple Watch Ultra 2 users through an iPhone and Apple Watch software update coming later today.
Users with these models in the U.S. who currently do not have the Blood Oxygen feature will have access to the redesigned Blood Oxygen feature by updating their paired iPhone to iOS 18.6.1 and their Apple Watch to watchOS 11.6.1. Following this update, sensor data from the Blood Oxygen app on Apple Watch will be measured and calculated on the paired iPhone, and results can be viewed in the Respiratory section of the Health app. This update was enabled by a recent U.S. Customs ruling.
This seems like a workaround to let Apple Watches released after Masimo successfully brought a patent case against Apple and forced the company to deactivate the blood oxygen sensor on new U.S. Apple Watch models. The main difference seems to be that data will be recorded on the watch, but only displayed on the iPhone.
I’m still surprised that it’s gone this long and this far, but Apple seems to be a company that will leave no legal stone unturned and will fight to the end when it feels it’s in the right.
2025-08-14 05:14:06
Our display setup and window management; which legacy online component should be sunset after AOL dial-up; whether new Shortcuts and Apple Intelligence automation appeals; and views on YouTube’s AI age verification and the best and worst ways to do it.