Passkeys face growing pains that come with rapid adoption and wide unfamiliarity
The discourse on passkeys has cooled in the first months of 2024, as biometrics and digital ID observers wonder if the hype has overshot what users are actually comfortable with. While last year saw flamboyant goodbyes to passwords and heralded the arrival of passkeys, some are taking a more measured approach to the transition.
That said, the technology is still relatively young, and proponents such as the FIDO Alliance continue to work to make passkeys accessible and trustworthy. In a recent webinar now available on demand, Next-Gen Authentication: Implementing Passkeys for your Digital Services, representatives from FIDO Alliance and Thales sat down to explore why, “with over 8 billion accounts already protected by passkeys, the question for service providers isn’t ‘if’ they should be adopting passkeys, rather ‘when’ and ‘how’.”
“In many ways, 2023 was the year of the passkey,” says Andrew Shikiar, executive director and CMO of FIDO Alliance. “The growth of implementation and the explosion of interest and adoption was truly remarkable.” The code-based public key cryptography used in passkeys eliminates clunky knowledge-based authentication that results in breaches, phishing attacks and customer dropoff, replacing it with stronger biometric options such as facial recognition or fingerprint ID on the device end. The technology and support are there, says Shikiar, and major players are already on board.
And yet, “we’re still living in this password-centric world, where we’re dependent on passwords.” Shikiar says layering is ineffective and any knowledge or secret-based authentication method is still phishable. So why hesitate to switch?
Going frictionless still creates too much friction
A recent article in Wired offers some insight into the answer. “When passkeys work seamlessly, it’s a glimpse of a more secure future for millions, if not billions, of people, and a reinvention of how we sign in to websites and services,” writes author Matt Burgess. “But getting there for every account across the internet is still likely to prove a minefield and take some time.”
As with any engineered technological transition, success is a matter of adaptability, education, convenience, and refinement. User experience has to be smooth enough to avoid snags, and as Shakir tells Burgess, “the technology is mature, the front ends are still nascent.” The language of passkeys will develop and converge with usability, but for now, while Burgess provides a concise and simple definition of what a passkey is, his description of how it works is still too complicated for an average user to follow without effort.
A piece in SC Magazine further pushes the point. “Identity and access management (IAM) technology has gotten far ahead of what ordinary people are comfortable using,” writes Paul Wagenseil. “After all, it’s already hard enough getting your staff, let alone your family members, to use multi-factor authentication (MFA).” Institutions and other organizations running on legacy infrastructure is a major issue. And the solution creates its own problems; with device-bound passkeys, if your device is stolen, so are your passkeys, and the sole remaining safeguard is whatever the user has set to unlock the device.
However, regardless of their reservations, both writers are unequivocal in their agreement that passkeys will eventually become the standard. Provided a sufficiently frictionless experience, the convenience and security will simply be preferable to more people. A good example is the recent introduction of biometric and face-scan authentication for all log-ins to general marketplace Mercari Japan, which has more than 20 million users. A company release points out just how impatient people can be when it comes to access. “Compared to phone number authentication,” it says, “the new method has the advantage of not having to wait for an SMS to arrive.”
Passkeys not only more secure, but can improve bottom line
Andrew Shikiar says that the numbers on passkeys confirm that crossover is just a matter of time. Awareness is growing, KPIs on cost reduction and sign-in success are trending positive, and the question of user experience is now central to what is fundamentally an inevitable transition.
Pedro Martinez of security giant Thales says they have told customers, “this is coming, this is in many ways here even if you don’t see it yet, and this is going to happen – passkeys will end up replacing passwords.” He points to studies that show significant cost reductions related to reductions in incidents related to password resets, and echoes what Shikiar says about the pieces being all lined up. “Pretty much every mobile device, every smartphone, every tablet, every laptop, every PC computer is equipped today with an operating system that supports FIDO, that supports passkeys.” Web services can initiate authentications with FIDO credentials directly in major web browsers.
“With that level of ubiquity,” says Martinez, “it is absolutely certain that passkeys are going to thrive.”
Article Topics
biometrics | consumer adoption | FIDO Alliance | passkeys | passwordless authentication | Thales Digital Identity and Security
Comments