How to get passkeys working for a billion Microsoft users and beyond

The FIDO Alliance has kicked off the Authenticate 2024 conference with a campaign urging people to “free yourself with passkeys,” in tandem with the launch of their Passkey Central resource on passkey deployment for consumer service providers. But while major tech players are trending toward passkeys, a segment of their users still needs convincing if FIDO is to usher in what its CEO Andrew Shikiar calls “a passwordless utopia.”
In a keynote featuring Sangeeta Ranjit and Scott Bingham of Microsoft, the company poses the big question: “We love passkeys, but how can we convince a billion users?” Ranjit opens with a jarring number: “in the last year alone, we saw password attacks almost double at Microsoft – over 7,000 per second. This includes a 58 percent increase in phishing attempts.” By 2027, she says, the global cost of cybercrime is estimated to hit $24 trillion.
Calling passkeys an “amazing advancement in authentication,” Ranjit says Microsoft sees passkeys as central to the future of their business. But how to get users to love passkeys as much, when the variety of users and devices, in different locations and with different levels of technical savvy, makes it a seemingly Herculean task?
Laid-back approach to passkey deployment less effective than well-timed nudges
Bingham offers a few learnings from Microsoft’s announcement of consumer passkey support earlier in 2024. At first the company opted not to push too hard for adoption, instead offering “a very simple option on the account setting page, and a very simple option on the sign-in page to sign in with your passkey.” With technical support in place, enrollment by thousands of early adopters fed into refinements for scaling to the next level of passkey deployment.
Another key question the company had to answer was when and where it should approach users to enroll a passkey. “We were very worried about bothering our users,” Bingham says. But the company found users “responded very positively to the invitation to enroll a passkey.” Turns out, the passive approach was not working as well as proactive efforts to get users enrolled.
After why, where and when, of course, comes how. “We needed to understand what would motivate our users to change decades-old behavior,” Bingham says. In asking what was most important to their users, Microsoft found that speed and security resonated with users much more strongly than ease-of-use as a motivating factor.
The company continues testing where in the customer journey to put which nudges, and how to accommodate users who take more time to shepherd into a future in which passkeys will be the expectation for signing in. A great sign-in experience, it says, should prioritize security, have “low cognitive load” for users, and should automatically use the best available digital credential while evolving to integrate better credentials as they become available.
In general, Microsoft has figured out a lot in its transition to passkeys, and while learning continues, it seems clear that users who are given the right pitch at the right time will embrace passkey enrollment. Of users who start the passkey registration process, says Ranjit, 99 percent complete it. Passkeys are faster, which means users get to content quickly, eliminating the frustrations that come with multi-factor authentication options like one-time verification codes.
Microsoft to stop support for passwords eventually
Ranjit says Microsoft knows enough to start setting passkey defaults and “start launching passkeys at a global scale,” driving growth with carefully crafted nudges.
“We are forecasting that hundreds of millions of users will enroll and use passkeys in the next twelve months,” she says. Among the final hurdles to full acceptance is the stubborn resilience of passwords. If passkeys are to thrive, says Ranjit, passwords cannot continue. Microsoft’s next move is to stop allowing new users to create passwords when they register accounts, and to eventually stop supporting passwords altogether.
So, how to convince a billion users to adopt passkeys? Primarily, don’t be shy about asking; chances are good that users are ready to turn away from passwords.
Using passkeys to solve critical use cases can drive workforce buy-in: panel
In a day one panel, professionals from the FIDO Alliance, Thales, Axiad and HID Global discuss further trends in passkey adoption in workforce applications. Organizations are wondering where to start with passkeys, how to understand the differences between synced passkeys and device-bound passkeys, and other questions about how transitioning to passkeys will affect a business.
“The most difficult thing for any organization is to make a change, especially with authentication,” says Sean Dyan of HID Global. Both Dyan and Michael Thelander of Axiad compare the takeup of passkeys to a journey, and say most businesses start with device-bound passkeys, through which they can accrue solid metrics to back a larger portfolio of use cases.
Sarah Lefavrais of Thales says change management is an important part of the equation. Enterprises need to take time to identify the full array of users and users' concerns in order to ease the transition, and be ready with supporting technology that will enable a smooth user journey from start to finish. Find the use case that has the most friction, the most immediate and pressing problem, and solve that to help demonstrate how passkeys can be an effective enterprise tool.
In other words, the proof of passkeys is in the passkey pudding. “Lead with why, not with what,” Dyan says: allow users to see how it will affect them positively, and they will be more open to adoption, or at least to the “what” part of the conversation.
“The engagement piece is absolutely critical,” he says. You want to build up a reputation around passkeys that frames them as a net benefit. People want in on a good thing, and if passkeys can be shown to be just that, more users will be on board.