Earlier this year, the FIDO alliance announced the launch of passkeys, a much anticipated, passwordless authentication factor many consider the long-awaited death knell of passwords.
In many ways, it is. Already, the tech sector’s biggest players have jumped on board, with Apple, Google and Microsoft all announcing support for passkeys in their latest products. And general corporate enthusiasm for a password alternative has never been higher – over 90% of businesses say they will transition to passwordless authentication at some point in the future.
Yet, the path to a fully passwordless future isn’t as quick or trouble-free as we might like to think. In the way are issues of user experience, interoperability and inconsistent technical implementation – all of which could thwart the frictionless, passwordless dream passkeys promise.
While passkeys can dramatically improve the security and UX of authenticating users to applications, there’s a lot that still rests on the shoulders of developers.
In this article, we’ll go over what differentiates passkeys from prior passwordless authentication methods, the top developer challenges and pitfalls around implementing passkeys and the top three considerations for dev teams when configuring passkeys for their app.
Behind the Hype – a “Drop-In Replacement” for Passwords
In many ways, the technology behind passkeys is not new. By definition, passkeys are still WebAuthn credentials. They combine public key cryptographic pairs with an additional method of identity verification – a public key is stored on an application’s server, while the private key is stored on a local device belonging to the end user, either a USB key or sometimes simply locked behind a biometric factor.
This combination of public key cryptography with either ownership-based or biometric-based identity verification makes WebAuthn virtually unphishable.
But it also means that historically, WebAuthn has also been device-specific – meaning if a user lost their USB key or simply wanted to access an app or service on a device other than the one with their biometric information on it, they were out of luck.
Passkeys drastically uplevel the usability of WebAuthn technology because they’re usable across devices and operating systems. So even if users set up a passkey for an app or service on their iPhone, they can use that passkey to log into the same app or service from their iPad and SurfacePro. And, passkeys are designed to be easily discoverable – if a user visits a site or opens an app for which they have a passkey already, their device and/or app will prompt them, making it easy to autofill.
All of this blends to make passkeys as universally usable as passwords and as secure and unphishable as WebAuthn, at least in theory.
In practice, there are still hurdles developers face in implementation that can have a big effect on user experience and security.
Developer Implementation Challenges
Three big factors affect what kind of passkey experience trickles down to the end user: The end user’s platform, the developer’s technical configuration and the UI implementation of the passkey.
End user’s platform
One of the key aspects that make passkeys usable across devices is that they’re synced to the cloud. But between a user’s operating system, cloud ecosystem, browser and device, this syncing ability is not guaranteed.
For example, a passkey set up on macOS within Safari will sync to iCloud, but will only remain locally available if set up on Chrome. A passkey set up on an Android within Chrome will sync to Google Password Manager, but unlike more stringently protected biometric storage options (like Keychain), Google Password Manager is not nearly as secure.
Another aspect of your end user’s platform that will impact security is the presence (or absence) of a biometric reader. Part of what makes passkeys so secure is that they combine a what-you-have auth factor (your private key) with a who-you-are (e.g. your fingerprint or face ID). But if you allow your users to use their phone’s PIN instead of a biometric factor, that makes your passkey implementation a much more phishable and vulnerable attack vector.
Technical configuration
While you can’t necessarily control which platform your end users choose, you can make proactive decisions in your passkey implementation that affect security and UX.
1. Authenticator type: In the current state, only passkeys created via platform authenticators will allow syncing to the cloud, while passkeys created via cross-platform authenticators can’t be synced to the cloud.
2. Resident key: Resident keys allow for the storing of metadata with the creation of a passkey. If resident keys are not required, it can prevent passkeys from being discoverable client side.
3. User verification method: If you can’t guarantee that your end users have access to a biometric scanner on their device, you may need to open up approved user verification methods to include things like PINs. But again, that currently means you’re forced to trade wide adaptability for stronger security.
UI implementation
The humble autofill function may seem like a modest enhancement, but for users who have ~ 80 apps downloaded on their phone and may access upwards of 10 apps a day, an autofill feature can make or break their productivity and mood.
In order for passkeys to be discoverable, developers must enable conditional mediation – allowing apps to scan a device for saved credentials, as well as the autofill function – as you can guess, allowing the device to autofill credential fields.
Top Three Considerations
Depending on your users and your application, there is no single right way to implement passkeys. Navigating your own implementation requires three very basic considerations.
1. Know your users
It may sound obvious, but for your passkeys implementation to succeed with users, you need to make sure it’s configured for their use case. Consider your users’ device preferences, such as desktop or mobile, and whether they use Apple, Windows, Yubikeys or other authentication methods to tailor your passkeys implementation accordingly.
These preferences will have a big impact on the exact configuration that makes the most sense for your customers.
2. Know your risk tolerance
You also need to understand the risk tolerance for your use case. While security and user experience are not always necessarily in tension, until passkeys enjoy more universal support across devices and ecosystems, you may need to make some very calculated decisions about where your company feels they’re most vulnerable to attacks and where you might be able to offer a more flexible experience for your users.
3. Closely track the terrain
Depending on when you read this, it’s highly possible that one of the major passkeys providers will have updated their ecosystem/browser compatibility or released a new set of devices with biometrics. These developments have a big impact on how your passkeys implementation will work on the ground, and they’re changing rapidly. In general, that change is a good thing – it’s part of what is helping to accelerate passkeys adoption and the passwordless revolution. But it’s also what makes the management of a passkeys implementation challenging for in-house devs.
Get Started Now
While some of these choices may seem daunting, passkeys’ momentum is undeniable – and its potential completely attainable. The best thing developers can do right now is start working on a plan to enable passkeys-based authentication – ensuring their app is primed for the passwordless revolution.