There is a high chance that in a few years Apple’s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products. Offering three different ways to sign in using another company? Or rather none at all because of privacy and data ownership concerns? Allowing guest checkout so as to not lose users to atrocious password requirements on the last few yards? These concerns will diminish once consumers become familiar with passkeys.
Passkeys are backed by strong cryptography, are securely stored on the user’s devices and are protected by biometrics. Passkeys are based on open web standards and do not require integration with any third party. Companies can reduce their exposure to data breaches while also preparing themselves for a cookieless future through passkeys that can be adopted today.
The need for accounts — and the challenges to offering them
Having website visitors and app users become account holders is table stakes for many businesses. From offering subscriber-only content, to verifying that a visitor belongs to a certain group, to simply storing personal information, account creation enables more personalized and streamlined experiences.
The majority of businesses address this by inviting consumers to create an account either by setting a password, receiving a message with a link or code, or using an existing account with another company such as Google, Apple or Facebook.
None of these options is free of concerns. Offering password-based accounts is a very large undertaking in today’s threat landscape. Social engineering, re-use of already compromised credentials and SIM swapping attacks are just a few examples that demand systems and processes be capable of flagging suspicious logins. All this is in addition to warning users about compromised passwords, blocking automated attacks, notifying about account changes, detecting and shutting down counterfeit sign-in portals and protecting a massive stash of passwords. Message-based login mechanisms such as “magic link” share many of these issues as well.
Stakes are high for whoever decides to build authentication from scratch, an undertaking prone to error. For this reason, most small- and medium-sized companies are better off using a third-party identity provider for adding user accounts. With this option, the added challenge is to balance costs — especially when rapidly scaling — not to mention vendor lock-in concerns once reaching a limit with the chosen solution.
Federated login, also broadly referred to as “social” login, is meant to remove the need for managing yet another password — on both the consumer and business sides — while verifying identities. However, in response to events such as the Cambridge Analytica scandal, maintaining these third-party integrations has become increasingly burdensome.
Regular tasks such as Facebook’s Data Use Checkup, Apple’s new requirements for account management and other audit duties are time-consuming. New uncertainty is introduced by data protection laws such as GDPR and CCPA, including topics such as data transfers between regions. Exact security specifications and guarantees are mostly unavailable and cannot be explained to a regulator or cyber-insurance underwriter. Altogether the adoption and acceptance of social logins seem to already be on a decline.
The hope that comes with passkeys
Passkeys have been intentionally designed to overcome commonly known weaknesses of passwords. Phishing has been addressed from the ground up by not only replacing passwords with cryptographic keys, but by strictly limiting the context (webpage domain, specific app) in which a passkey can be used. The server performing authentication never sees the user’s sensitive private keys — and as such, it is a much less interesting target for hackers. Users also do not have direct access to their private keys, but can only unlock them during authentication using biometrics or device passcodes.
Whether and how these security measures will hold up can only be tested by time, and it would be naïve to assume that passkeys are un-hackable. Yet, it is fair to assume that the multi-year effort of the FIDO Alliance, the W3C and partners such as Apple, Google and Microsoft has led to one of the most secure systems available. Passkeys will make regular browser updates even more important, and the potential to steal large amounts of credentials from websites or cloud-based password managers is eliminated.
Yet, the best part of passkeys might actually be the streamlined experience consumers get when registering or using an account with passkeys. Creating a new account or signing in within seconds is the new normal when using passkeys, but unheard of when passwords are involved. Additional nuisances such as periodic password rotations are no longer a concern when using passkeys.
While it may be too early to know this for sure, passkeys also have the potential to make multi-factor authentication (MFA) obsolete. Passkeys offer the same or an even higher level of security when compared to mechanisms such as a password that is complemented with a text message as the second factor. Companies that implement passkeys may gain significant benefits in meeting compliance and security requirements, which in the case of cyber-insurance premiums directly translates into financial benefits.
Passkeys are available in the real world today
At KAYAK, we started to offer passkeys as the default option for creating a new account with a supported Apple device immediately when iOS 16 was released. Existing users are able to add a passkey to their accounts. In just three weeks, thousands of users have created passkeys on our products. Interestingly, almost 20% are existing users who manually opted into a more secure account. The feedback we received has been overwhelmingly positive (tweets of praise are not common for new login features) with ease of use being a major benefit cited.
Consumers who cannot yet use passkeys will fall back to a “magic link” login, and we expect the share of non-passkey logins to decline over time until passkeys are the dominant login method by a large margin.
The importance of planning the future of authentication today
With Apple, Google and Microsoft all deeply committed to passkeys, there is no doubt that passkeys will soon be available to millions of users. Supporting passkeys is desirable for every organization that offers accounts.
It is important, though, to first correctly understand how passkeys work when planning a deployment, to avoid pitfalls down the line. There will always be a group of users who will not be able to use passkeys because their devices are too old or do not include a compatible security chip or biometric capabilities. Therefore, it is important to offer at least one backup authentication method, likely less secure, that eventually becomes available only to users who cannot use passkeys.
Secondly, it is important to understand that passkeys are only accessible by the domain or mobile app in which they were created. This can cause issues when the webpage address changes at a later date, that is, when changing to another identity provider or when changing domains during a rebranding. Allowing users to continue using their existing passkeys in such a scenario is not impossible, but very challenging.
Thirdly, it must be acknowledged that we are at the very beginning of using passkeys. Not all use cases may be supported yet, and we do not know when certain adoption levels will be reached. Also, questions such as matching multi-factor security out-of-the-box will need to be confirmed by regulators and other certification bodies.
Matthias Keller is chief scientist and SVP of technology at KAYAK.