Passkeys 101: What they are and how they will replace passwords
You never want Identity to be a barrier between you and your customers. But Okta’s recent Customer Identity Trends Report found that:
- 33% of respondents indicated feeling frustrated when they have to create a password that meets specific requirements
- 63% of respondents report that at least once a month, they’re unable to log in to an account because they forgot their username or password
Despite all that frustration, passwords remain one of the most common forms of authenticating online, even though they're inconvenient and insecure.
To combat the plague of passwords, passwordless authentication has grown in adoption over the years as a way for businesses to protect their customers while providing greater convenience. The most recent innovation in this domain are passkeys, courtesy of the FIDO Alliance.
In the year since passkeys were first announced, a lot has changed both in their nomenclature and availability. However, one thing that has yet to change is the need for more awareness of what passkeys are, how they work, and their benefits.
This post aims to demystify this new, novel, and nascent technology to help you go from saying "pass-what?" to “passkey.”
What are passkeys
Passkeys replace passwords with what FIDO notes are “faster, easier, and more secure sign-ins to websites and apps across a user’s devices.” Adding that “unlike passwords, passkeys are always strong and phishing-resistant.”
Given passkeys replace passwords, they are considered a form of passwordless authentication.
To be a bit more technical, a passkey is a pair of cryptographic keys — one for your organisation that is public and one for your known user that is private. Importantly, it’s a private key because your organisation never sees it. These key pairs play a critical role in the actual authentication of a user, but we’ll get to that in a second.
Passkeys come in two forms:
- Synced passkeys, which sync between a user’s devices via a cloud service, like an operating system ecosystem or password manager. For customers, the benefit of this is that the same passkey can be used across multiple devices in a given ecosystem.
- Device-bound passkeys, which never leave the device where they are generated.These can be used on FIDO security keys, including those that have achieved security level certification
For synced passkeys, in particular, the experience is seamless and can be accessed in the same way users unlock their mobile devices — using a biometric, PIN, or pattern.
How do passkeys work?
As noted above, passkeys rely on public key cryptography for authentication rather than passwords. This approach is significantly more secure because no shared secret (a password) is transferred to an applications server. Instead, a public and private key pair are used to authenticate into an app. The public key is stored on the app’s server (instead of a password), and the matching private key is stored on a user's device. Importantly, the private key is not shared with the app like a password.
In this model, when a user attempts to sign in, rather than verifying their identity with a password, the server issues a digital challenge which can only be solved by proving possession of the private key. This is done through a familiar device unlock using biometrics, PIN, or a pattern on a phone, laptop, or tablet. Once unlocked, the private key “signs” the challenge and sends it back to the server to be validated by the public key.
Importantly, from a user experience perspective, cryptography's complexities (and security benefits) take place behind the scenes, simplifying their convenience to a simple device unlock.
Benefits of passkeys
Passkeys simultaneously improve convenience and security.
For customers accessing your application, you can improve conversion rates through simple sign-up and sign-in experiences while driving loyalty with the highest levels of account security.
Since they’re based on FIDO standards, passkeys are intentionally designed to be more resistant to attacks like phishing, in which bad actors use written communications (e.g. email, text messages, or fictious websites) to masquerade as a reputable source to steal a person's credentials.
And as noted above, with passkeys, organisations can leverage the existing technology consumers know and use daily. A standardised approach enables consumers who use devices in the Apple, Google, or Microsoft ecosystem to create and access a passkey in the same way they unlock their devices.
Let’s unpack the security and user experience benefits with more detail.
- Phishing-resistant: CNBC reported a 61% increase in phishing attacks in 2022. Passkeys block social engineering attacks because they only work for the website they were created for.
- Safer from data breaches: Databases are a prime target for cybercriminals because they frequently store passwords and other personal data. Since no shared secret (a password) is shared, your organisation’s servers become a less exciting target for bad actors looking to steal customer credentials.
- Strong by default: Unlike passwords, passkeys are always strong, can never be guessed, or seen making them less susceptible to social engineering attacks.
User Experience Benefits
- Passwordless account creation: Passkeys can improve conversion rates by making the journey from “unknown user” to “known customer” passwordless. Data from Google shows that users who authenticate with passkeys are four times more likely to convert.
- Scalable across every device: Consumers have more than one way of interacting with your brand. Passkeys enable seamless access by allowing consumers to use the same passkey across multiple devices in a given ecosystem. Unlike passwords, they create a passkey once and can use it everywhere.
- Less passwords, less reasons to bounce: 83% of customers abandon account creation due to tedious password policies. With passkeys, you can improve user engagement and retention by eliminating the cumbersome (and insecure) need to type out a string of characters.
Passkeys Power Flexibility
- Passkeys are a password replacement from the FIDO Alliance
- They eliminate the need to remember complex passwords
- Allow users to sign in the same way they unlock their mobile devices
- Increase security by being more phishing-resistant
- And, reduce login friction to drive conversion
This is why the security world is so excited about passkeys.
But they aren’t the entire story. While we and many others are excited about passkeys' potential, businesses need to meet their customers where they are. Being able to flexibly cater to a diverse set of needs is critical.
Service providers like Apple and Google have baked flexibility into signing in with their products. With passkeys enabled within a strong CIAM platform, you can offer similar flexibility — across devices and platforms.
Our goal is to continue to support a broader set of requirements that help businesses allow their customers to authenticate in a way that makes sense for them. Out of the box, Okta supports multiple forms of authentication (including passkeys) alongside core values expected of a Customer Identity platform in authorisation, user management, and identity security. Paired with the extensibility of our platform and ease of implementation, the Okta Customer Identity Cloud gives developers and digital teams the tools they need to know, protect, and generate user joy.
Curious to learn more about how your organisation can use CIAM to secure a passwordless future with passkeys? Reach out for more information.
For documents with privacy/legal concepts or privacy/security advice:
These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.