Apple OSes will soon transfer passkeys seamlessly and securely across platforms.
Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn't susceptible to credential phishing and other attacks targeting passwords.
The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.
Growing pains
That limitation has led to criticisms that passkeys are a power play by large companies to lock users into specific product ecosystems. Users have also rightly worried that the lack of transferability increases the risk of getting locked out of important accounts if a device storing passkeys is lost, stolen, or destroyed.
The FIDO Alliance, the consortium of more than 100 platform providers, app makers, and websites developing the authentication standard, has been keenly aware of the drawback and has been working on programming interfaces that will make the passkey syncing more flexible. A recent teardown of the Google password manager by Android Authority shows that developers are actively implementing import/export tools, although the company has yet to provide any timeline for their general availability. (Earlier this year, the Google password manager added functionality to transfer passwords to iOS apps, but the process is clunky.) A recent update from FIDO shows that a large roster of companies are participating in the development, including Dashlane, 1Password, Bitwarden, Devolutions, NordPass, and Okta.
Dans un contexte général où de nombreuses institutions font l’objet d’attaques informatiques, Sorbonne Université a été victime d’une cyberattaque. Son système d’information connaît de fortes perturbations en raison de la détection d’un incident de sécurité qui a endommagé différents outils numériques sans pour autant empêcher la continuité de service. Pour faire face à cette situation, des mesures correctives ont été mises en place pour renforcer les dispositifs de sécurité.
Les derniers résultats des investigations effectuées par les équipes de Sorbonne Université, en lien avec des experts en cybersécurité, ont mis en évidence la compromission de plusieurs catégories de données sensibles. Parmi ces données figurent des adresses e-mail professionnelles, des coordonnées bancaires, des numéros de sécurité sociale et les éléments relatifs à la rémunération des personnels.
Conformément au Règlement général sur la protection des données (RGPD), Sorbonne Université a immédiatement procédé à une déclaration auprès de la Commission nationale de l’informatique et des libertés (CNIL), de l’Agence nationale de la sécurité des systèmes d'information (ANSSI), et a déposé plainte au nom de l’établissement.
Les équipes de Sorbonne Université se mobilisent sans relâche pour gérer cette cyberattaque et rétablir au plus vite l’ensemble des services dans les meilleures conditions possibles. Ainsi, tous les services numériques essentiels au travail des personnels de l’université fonctionnent aux heures ouvrables de travail.
Un numéro vert dédié sera mis à disposition du personnel en début de semaine prochaine ainsi qu’une foire aux questions afin de répondre à leurs interrogations.
Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN.
The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive Editor Matt Murray said in a memo Sunday to employees.
“Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists accounts, and we have contacted those whose accounts have been impacted,” Murray said.
“We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers,” he added.
It was not immediately clear who was responsible for the hack. Journalists are regular targets for both state-backed spies, who are interested in tracking their reporting before it becomes public, and cybercriminals, who are interested in extorting news organizations.
A spokesperson for The Post declined to comment when asked who might be responsible for the hack.
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.
The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
