Banks like passkeys for security – but messy UX could defeat the purpose

Passkeys are replacing passwords across sectors, with even big banks getting on board with passkey implementation. But are they living up to the promise of secure, usable passwordless authentication?
NAB phasing out passwords in favor of passkeys, biometrics
Australia’s NAB votes yes. A news item from the company says it “expects to phase out passwords for internet banking within the next five years, replacing the security measure with passkeys and biometric recognition technology.”
Ubank, NAB’s digital banking service, already offers select passkey support for new customers. A rollout for existing customers is underway.
Bank representatives say passkeys offer a secure alternative to passwords, which are increasingly vulnerable to data breaches and phishing that can lead to identity theft.
Passkeys linked to biometrics enable security across “the trusted device ecosystem of the customer.” Meaning once a passkey is created, “customers can log into the Ubank app in the same way as they would to unlock their mobile device, using fingerprint or facial recognition, a PIN, or swipe pattern.”
NAB, then, agrees with the FIDO Alliance and other passkey advocates that passkeys offer better security protection than passwords.
But are they good?
Passkeys ‘can’t be considered usable security’: Goodin
At least one former believer says, not really. For Ars Technica, Senior Security Editor Dan Goodin makes the argument that passkeys are falling victim to the same fate as a lot of technological innovations: great in theory, but executed poorly.
“The FIDO2 specification and the overlapping WebAuthn predecessor that underpin passkeys are nothing short of pure elegance,” Goodin writes. And uptake is on the rise: “passkeys are now supported on hundreds of sites and roughly a dozen operating systems and browsers.”
“Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone – so much so that they can’t be considered usable security, a term I define as a security measure that’s as easy, or only incrementally harder, to use as less-secure alternatives.”
To Goodin, passkeys may be better than passwords, particularly so in enterprise use cases. But they aren’t better enough.
Part of that comes down to too many voices finding too many problems, and not working together to fix them. Goodin quotes William Brown, a software engineer specializing in authentication, who says “there are barriers at each turn that guide you through a developer’s idea of how you should use” passkeys.
“None of them are deal-breaking, but they add up.”
The problem points to a fundamental value question with passkeys. Unless they can be one thing to most people – akin to authentication as Chapstick is to lip balm – rather than a bunch of different login experiences gathered under one term, can they ever be what they aim to be?
And given the complexity of the digital ecosystem across browsers, operating systems, apps and platforms, how can secure login ever be harmonized enough to deliver the golden note of friction-free passwordless authentication?
To continue with passkey registration, please log in with your OTP
Goodin describes an attempt to create a passkey for a LinkedIn account on Firefox, leading to a rabbit’s warren of prompts and “non-intuitive” responses. He also notes the critique that “passkey implementations to date lock users into the platform they created the credential on.”
Cumulatively, the blocks, detours and confusing on-screen prompts amount to a technical and experiential tangle that is no more appealing to the average person than having to remember a dozen different passwords, and reset forgotten ones as needed.
Conventional design logic says to first identify the problem you are solving. In promising ease of use, designing a technically elegant security tool and then delivering it in a package every bit as frustrating as what it’s meant to replace, the shift to passkeys may be fumbling the basic job of making it easier to log into stuff without worrying about stolen data.
“I still think passkeys provide the greatest promise yet for filling the many security pitfalls of passwords and lowering the difficulty of remembering and storing them,” Goodin says. “For now, however, the hassles of using passkeys, coupled with their diminished security created by the presence of fallbacks, means no one should feel like a technophobe or laggard for sticking with their passwords.”
“With any luck, passkeys will someday be ready for the masses, but that day is not (yet) here.”
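The two technical claims running through the piece, that the FIDO2/WebAuthn design is elegant and that fallbacks erode its security, come down to one property: a passkey assertion is bound to the challenge, the site origin and the relying-party id, while a one-time code is bound to nothing. The simulation below is an added example written for this page, not code from NAB, Ubank or any FIDO library. The site names, the user "alice" and the toy authenticator are constructed; HMAC with a per-credential secret stands in for the public-key signature a real authenticator produces so the example runs on the standard library alone, and attestation, signature counters and user-verification flags are left out.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "bank.example"                 # constructed relying-party id
RP_ORIGIN = "https://bank.example"     # constructed genuine site origin


def sha256(data):
    return hashlib.sha256(data).digest()


class SimAuthenticator:
    """Toy platform authenticator: one secret per (credential, rpId).
    HMAC stands in for the real public-key signature (assumption)."""

    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[(cred_id, rp_id)] = key          # scoped to this rpId only
        return cred_id, key

    def get_assertion(self, cred_id, rp_id, client_data_json):
        key = self._keys.get((cred_id, rp_id))
        if key is None:
            return None                              # no credential for this rpId
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (UP set)
        sig = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, cred_id, challenge):
    """The browser derives rpId from the page's own origin and builds
    clientDataJSON itself, so the page cannot claim to be somewhere it is not."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = authenticator.get_assertion(cred_id, rp_id, client_data)
    return None if result is None else (client_data, *result)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # cred_id -> (user, key)
        self.pending = {}       # user -> challenge issued for this login
        self.otps = {}          # user -> fallback one-time code

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify_assertion(self, user, cred_id, client_data_json, auth_data, sig):
        challenge = self.pending.pop(user, None)
        owner, key = self.credentials.get(cred_id, (None, None))
        if challenge is None or owner != user:
            return False, "unknown credential or no pending challenge"
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False, "challenge mismatch"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"

    def issue_otp(self, user):
        self.otps[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[user]

    def verify_otp(self, user, code):
        # The fallback carries no origin, challenge or device binding: the
        # server only learns that the digits match, not where they were typed.
        return hmac.compare_digest(self.otps.pop(user, ""), code)


def demo():
    rp, authn = RelyingParty(RP_ID, RP_ORIGIN), SimAuthenticator()
    cred_id, key = authn.make_credential(RP_ID)
    rp.credentials[cred_id] = ("alice", key)
    out = {}
    # 1. Genuine origin: challenge, origin, rpIdHash and signature all check out.
    c = rp.begin_login("alice")
    out["genuine"] = rp.verify_assertion("alice", cred_id, *browser_get(authn, RP_ORIGIN, cred_id, c))
    # 2. Look-alike origin: the browser derives a different rpId, so no credential
    #    is found and no assertion is produced at all.
    c = rp.begin_login("alice")
    out["lookalike"] = browser_get(authn, "https://bank-login.example", cred_id, c)
    # 3. clientDataJSON altered after signing (semantically identical JSON):
    #    the signature no longer covers it and the server rejects it.
    c = rp.begin_login("alice")
    cd, ad, sig = browser_get(authn, RP_ORIGIN, cred_id, c)
    out["tampered"] = rp.verify_assertion("alice", cred_id, cd.replace(b"{", b"{ ", 1), ad, sig)
    # 4. OTP fallback: accepted with no knowledge of the origin it was entered on.
    out["otp_fallback"] = rp.verify_otp("alice", rp.issue_otp("alice"))
    return out
```

Case 4 is the point of Goodin's remark about fallbacks: the relying party's strongest check is only as good as the weakest path that still leads to a session, so a deployment that keeps an OTP or password route open for convenience has to treat that route, not the passkey, as its effective security level.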