Passkeys build momentum, enabling access to 15 billion online accounts
Passkeys are a biometric security trend to watch in 2025. The FIDO Alliance themed its 11th annual FIDO Tokyo Seminar on how passkey adoption is accelerating, with presentations from Google, Sony Interactive Entertainment, Mastercard and other organizations joining the journey to password-free living. Microsoft has published its advice on how to make people love passkeys, just as it closes a multifactor authentication bypass that could have exposed more than 400 million Office 365 users.
Major tech brands drive mainstreaming of passkey account log-ins
A press release from FIDO outlines passkey success stories from the past year.
In 2024, Amazon made passkeys available to 100 percent of its users and has seen 175 million passkeys created for sign-in to amazon.com globally. Google says 800 million Google accounts now use passkeys, with more than 2.5 billion passkey sign-ins over the past two years and sign-in success rates improving by 30 percent. Sony adopted passkeys for the global PlayStation gaming community and saw a 24 percent reduction in sign-in time on its web applications.
Hyatt, IBM, Target and TikTok are among firms that have added passkeys to their workforce authentication options. More credential management products offering passkey options mean more flexibility for consumers.
Japan joins passkey party in private sector, academia
The Japanese market showed a notable turn toward passkeys, with Nikkei, Nulab and Tokyu Corporation among firms embracing passwordless authentication technology. Nikkei will deploy passkeys for Nikkei ID as early as February 2025. Tokyu Corporation says 45 percent of TOKYU ID users have passkeys. And Nulab announced a “dramatic improvement in passkey adoption.”
Academia is helping drive innovation, with teams from Keio University and Waseda University winning acknowledgement for their research and prototypes at a slew of hackathons and workshops.
And FIDO, of course, is there to offer support, now offering its Passkey Central website resource on passkey implementation in Japanese, so that Japanese companies can take better advantage of its introductory materials, implementation strategies, UX and design guidelines and detailed roll-out guides.
The FIDO Japan Working Group, which includes 66 of the FIDO Alliance’s member companies, is now in its 9th year of working to raise passkey awareness in the country.
Established passkey programs show positive results
General awareness of passkeys is improving, with recent FIDO research showing that in the two years since passkeys were made available, consumer awareness has risen by 50 percent. That can be chalked up in part to the efforts by early passkey adopters to showcase how passkey technology has improved their business.
FIDO passkey adoption has meant Japanese telecom operator KDDI has seen a nearly 35 percent drop in calls to its customer support center. E-commerce firm Mercari has 7 million users enrolled in passkeys. Yahoo! JAPAN ID, a property of LY Corporation, now has 27 million active passkey users, and says 50 percent of user authentication on smartphones is now done with passkeys.
Use gentle language to apply confident force in passkey deployment
In a reprise of its presentation at Authenticate 2024, Microsoft has published a blog entitled “Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security.”
It begins with one of the now-familiar declarations of passwords’ imminent demise. “There’s no doubt about it,” says Microsoft: “the password era is ending.”
Microsoft frames its insights around strong emotions that many might not instantly associate with authentication solutions. How to get their customers to love passkeys like they do? “Somehow, we had to convince an incredibly large and diverse population to permanently change a familiar behavior – and be excited about it,” the blog says.
Whether or not anyone was actually excited by passkeys, the results speak for themselves: Microsoft says signing in with a passkey is three times faster than using a traditional password and eight times faster than a password plus traditional multifactor authentication. Users are three times more successful signing in with passkeys than with passwords (98 percent versus a dismal 32 percent). And 99 percent of users who start the passkey registration flow complete it.
Microsoft’s strategy boils down to three steps: start small, experiment and “scale like crazy”. Add passkey sign-in options at key points in the user journey, and make sure people understand what a passkey does, i.e. what exactly they are being asked to create and use. Microsoft says “while the term ‘passkey’ was sometimes unfamiliar, the phrase ‘face, fingerprint, or PIN’ was generally well understood, so it was important to connect these two concepts in our user experience (UX).”
Neither can live while the other survives: passwords must be killed and buried
In the end, the latter two steps amount to the advice to make passkeys unavoidable. While passive options yielded disappointing results, much better numbers came from setting passkey sign-in as the default and designing strategic “nudges” for those who aren’t already enrolled to create a passkey. (They still have the option to use another credential; it’s just not the preferred one.) Again, it’s all about warm feelings: “We want users to get comfortable with the idea that passkeys will be the new normal.”
That said, there’s a bit of friendly coercion behind the good vibes. “Don’t be shy about inviting users to enroll passkeys,” says Microsoft. “Make it as easy as possible to enroll and use passkeys.” And “start planning ahead now to use only phishing-resistant credentials.”
Because, even if millions of users create passkeys in the coming months as Microsoft predicts, there is still the matter of the decaying corpse in the corner of the room. As long as an account still has a password attached to it, says Microsoft, it is still phishable: an attacker who captures the password can simply skip the passkey. “Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”
AuthQuake exploits lack of rate limiting to expose 400m Microsoft customers
Part of Microsoft’s urgency around passwords could stem from the nagging awareness that some current multi-factor authentication (MFA) methods are brittle. A note on the Redmond blog covering Microsoft says cybersecurity firm Oasis Security has uncovered a vulnerability in Microsoft’s MFA implementation that allowed attackers to bypass the second factor without triggering any alert to the account owner.
In its full report, Oasis says the bypass, called AuthQuake, “took around an hour to execute, required no user interaction and did not generate any notification,” and that the vulnerability could affect more than 400 million customers using Microsoft Office 365, including Outlook, OneDrive, Teams and Azure. Two weaknesses combined to make it practical: failed one-time password (OTP) guesses were not rate limited, and codes were accepted well past the 30-second step in which a TOTP code is normally valid. The first lets an attacker submit guesses as fast as the service will answer; the second widens the window during which any one code is a valid target. Together they turn a six-digit code, which should be a one-in-a-million guess per attempt, into something that can be brute-forced in a bounded amount of time.
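To make the mechanism concrete, the following added example (not code from Oasis Security, Microsoft or this article) simulates a six-digit TOTP verifier in two configurations: the weak one described above (no rate limiting, codes accepted for several 30-second steps) and a hardened one (current step only, five failures then lockout). The TOTP arithmetic follows RFC 4226/6238; the secret, the attacker's guess rate, the validity window, the lockout threshold and the start time are constructed values chosen for the simulation. Time is simulated rather than slept.

```python
"""Brute-forcing a 6-digit TOTP second factor: weak vs hardened verifier.

Added example, not from the article or the vendors it cites. The TOTP
computation is standard (RFC 4226 HOTP under RFC 6238); everything else
(SECRET, rates, windows, lockout values) is an assumed, constructed value.
"""
import hashlib
import hmac
import struct
from typing import Optional

DIGITS = 6
STEP_SECONDS = 30
CODE_SPACE = 10 ** DIGITS
SECRET = b"constructed-demo-secret-not-real"   # constructed shared secret
START_TIME = 1_700_000_000.0                   # constructed "current" Unix time


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % CODE_SPACE:0{DIGITS}d}"


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP for the 30-second step containing `now`."""
    return hotp(secret, int(now // STEP_SECONDS))


class TotpVerifier:
    """Server-side verifier with the two weaknesses as tunable parameters.

    valid_steps  : how many consecutive steps (current and past) a code stays valid.
                   1 = current 30 s step only; a large value is the extended-validity weakness.
    max_failures : failed guesses allowed before the account locks for lockout_seconds.
                   None = no rate limiting at all (the weak configuration).
    """

    def __init__(self, secret: bytes, valid_steps: int = 1,
                 max_failures: Optional[int] = 5, lockout_seconds: float = 300.0):
        self.secret = secret
        self.valid_steps = valid_steps
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0
        self._cache_step: Optional[int] = None
        self._cache_codes: frozenset = frozenset()

    def _valid_codes(self, now: float) -> frozenset:
        # Recompute only when the step changes so a million guesses stay cheap.
        # A production verifier compares with hmac.compare_digest; a set lookup is
        # used here purely to keep the simulation fast.
        step = int(now // STEP_SECONDS)
        if step != self._cache_step:
            self._cache_step = step
            self._cache_codes = frozenset(
                hotp(self.secret, step - i) for i in range(self.valid_steps) if step - i >= 0)
        return self._cache_codes

    def verify(self, code: str, now: float) -> bool:
        if now < self.locked_until:
            return False                      # locked out: reject without checking
        if code in self._valid_codes(now):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False


def brute_force(verifier: TotpVerifier, guesses_per_second: float,
                start: float = START_TIME) -> tuple[bool, int]:
    """Enumerate 000000..999999 at a fixed rate. Returns (succeeded, guesses_made)."""
    now = start
    for n in range(CODE_SPACE):
        if verifier.verify(f"{n:0{DIGITS}d}", now):
            return True, n + 1
        if verifier.locked_until > now:       # locked: further guesses are wasted
            return False, n + 1
        now += 1.0 / guesses_per_second
    return False, CODE_SPACE


def success_probability(distinct_guesses_per_window: int, windows: int) -> float:
    """Chance of hitting a 6-digit code given `distinct_guesses_per_window` guesses
    while one code is valid, repeated over `windows` independent validity windows."""
    p = min(1.0, distinct_guesses_per_window / CODE_SPACE)
    return 1.0 - (1.0 - p) ** windows


if __name__ == "__main__":
    weak = TotpVerifier(SECRET, valid_steps=6, max_failures=None)   # ~3 min validity, no limit
    print("weak verifier, 10k guesses/s:", brute_force(weak, 10_000.0))
    strong = TotpVerifier(SECRET, valid_steps=1, max_failures=5)
    print("hardened verifier:", brute_force(strong, 10_000.0))
    print("P(success) with 5 guesses per 30 s window:", success_probability(5, 1))
```

With the weak settings, 10,000 guesses per second exhaust the code space in 100 seconds while the code from the first step is still accepted, so the attack always succeeds; with the hardened settings the attacker is stopped after five guesses, a five-in-a-million chance per lockout period. The two knobs that matter are exactly the ones Oasis named: bound the attempts and keep the acceptance window at one step (plus at most one adjacent step for clock skew).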
Oasis reported the flaw to Microsoft in June, and the company applied a permanent fix on October 9.
Article Topics
biometric authentication | biometrics | FIDO Alliance | Microsoft | multifactor authentication | passkeys | passwordless authentication