Why passkeys are the new standard for logins

How often did you have to reset your password in the last 90 days? According to a recent study, 78% of the respondents had to reset a password at least once. Do you use a different, strong password for each online service you use?  66% of users reuse the same password on different services. By having a look at these questions, it is obvious that the concept of passwords – which dates back to the 1960s – as the primary method for authentication is outdated. This is a common view, not only from a user perspective, but also from major tech corporations including Apple, Google and Microsoft. That’s why they introduced the concept of passkeys.

‍

What are passkeys?

Passkeys replace passwords and allow users to login with Face ID or fingerprint instead of coming up with and remembering complex passwords. They are a form of passwordless authentication embedded into Android, iOS, macOS and Windows.

‍

How do passkeys work?

Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:

‍

1. Registration

During registration the key pair is generated in the background and verified via the user’s biometrics (e.g. Face ID or fingerprint). The public key is sent to the server and linked to the website / app.

‍

2. Login

To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key which is stored inside the user’s device. The challenge is signed with the private key and sent back to server which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).

‍

Passkeys are a form of “disguised” two-factor authentication, as the device (first factor) and the user’s biometric verification (second factor) is needed.

To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.

Moreover, passkeys are synced inside an ecosystem via an iCloud, Google or Microsoft account. Therefore, they are available on all devices using the same account which prevents the repeated creation of a passkey for each device.

‍

What are the advantages of passkeys?

Due to its technical concept, passkeys do not have a secret, like a password, that is shared between a user and an online service. Instead, public and private keys are used. Even in the case of a data breach on the server side, the user account stays safe, as the critical component - the private key - is securely stored on the user’s device inside the operating system.

Passkeys are also linked to the service they were registered for which prevents phishing attacks. All other password-based attacks, like credential stuffing or brute force attack are prevented as well.

Due to the portability between devices from different platforms and the synchronization within the same iCloud, Google or Microsoft account, passkeys are extremely handy in practice.

‍

Why are passkeys the new standard for logins?

The technology of passkeys is based on the FIDO2 / WebAuthn standard which allowed a secure and convenient biometric login from one device and has been developed for several years. Now, Apple, Google and Microsoft created a solution for one of the main obstacles for further adoption of this standard: the secure portability between devices and synchronization within an account.

If the three major tech giants, where almost all consumers and business obtain their devices, operating systems and browsers from, agree on a new standard (that does not happen very often), it is quite obvious that this will have a big impact. The development of passkeys started with the foundation of the FIDO alliance back in 2012. Over the course of the past years, the engineers worked collaboratively on this solution to assure compatibility across devices and operating systems, which is another strong indication that passkeys are the new standard.

Currently, they push this feature on their platforms and users start getting used to it. First online services will make their logins passkey-ready and be perceived as digital leaders. Other online services that do not yet offer this functionality need to keep up. It should be in any digital and customer centric company’s mind to offer this new standard for logins. With increased adoption customers will demand this functionality from service providers.

‍

How can I start with passkeys?

Passkeys are just about to be rolled out. With the public release of iOS 16 and macOS Ventura this fall (on September 19, 2022) a large portion of users will be technically able to use passkeys. By then, big apps, like AirBnb or Booking.com, are expected to offer passkey login / migration.

‍

Start now!To prepare you for passkeys, Corbado offers a free passkey tracking tool that analyzes the passkey-readiness of your user base. Click here to use it.

‍

Besides, Corbado provides an API that covers all cross-platform and cross-device aspects for you that are relevant to transition all your existing users smoothly to passkeys and avoid any friction. Do not worry about security updates or supported platforms or devices. We have you covered. We will help you in your gradual migration from passwords to passkeys.

To stay updated about the new devices, browsers and operating systems that provide full support for passkeys, subscribe to our passkeys newsletter.

‍