Adding passkeys to your apps with Okta CIC powered by Auth0

Passkeys are a replacement for passwords, and they are now supported on most platforms and operating systems. They’re also a feature of Okta Customer Identity Cloud powered by Auth0, which means your users can enjoy the convenience and security passkeys provide.

In this article, you’ll learn:

• Why passwords are no longer adequate
• How passkeys improve on passwords
• What the passkey user experience is like
• How passkeys work

Passwords: A 1960s solution to a 1960s problem

An IBM 7094 mainframe, the home of the original username/password system.
(Creative Commons photo by Arnold Reinhold)
 

In 1961, MIT computer scientist Dr. Fernando Corbató changed the way computers worked by developing an operating system that supported several simultaneous users. For it to work, each user had to be given their own disk space, so he assigned each user an account that they would access using a unique name and secret — a password.

Corbató probably never thought that his username/password system would be used daily by billions of people on a global scale. “Unfortunately, it's become kind of a nightmare with the World Wide Web,” he said in a 2014 Wall Street Journal interview. “I don't think anybody can possibly remember all the passwords that are issued or set up.”

Today, the average person has 70 to 80 passwords, which is well beyond most people’s ability to memorise. It’s no surprise that people use simple passwords, reuse them, and write them down in easy-to-find places. Even Corbató has admitted that he managed his passwords in an incredibly insecure way: “I have to confess, I used to use a crib sheet.”

Present-day password problems

Even if everyone came up with unique, strong passwords for each of their accounts and were able to memorise them, there would be other ways to steal them: 

• Social engineering attacks, like some types of phishing, where someone pretending to be a trusted person like a boss, friend, or family member tries to get you to voluntarily give them your personal information. They often try to lead their victims to lookalike sites that appear to be genuine but actually exist to trick users into providing their login credentials.

• Various forms of “eavesdropping” would still be around. A password sent over an insecure connection could be intercepted, “shoulder surfing” remains a favourite method, keylogging malware, and even literal “listening in” can work since there’s now an AI that can determine what you’re typing based on your computer’s keyboard sounds with astonishing accuracy.
• Malicious parties that breach the server would gain access to a list of all the users’ passwords if the server was poorly designed, or hashed (and ideally, salted) versions of the passwords if the server’s developers followed best practices. While difficult, it is possible to deduce a password from its hash.

Passkeys: A 21st century solution to a 21st century problem

To overcome the limitations of passwords, technology companies such as Apple, Google, and Microsoft have built on standards developed by the World Wide Web Consortium (W3C) and FIDO Alliance to create a new way to log in: passkeys. They are a replacement for the six-decade-old username/password combination.

Passkeys are based on FIDO2, a standard created by the FIDO Alliance, an open industry association whose goal is to “help reduce the world’s over-reliance on passwords.” FIDO2 is a secure, phishing-resistant, passwordless authentication protocol built on the following:

• WebAuthn, the new global standard for web authentication. It’s a browser-based API that simplifies and secures user login by using public-key cryptography to enable registered devices such as phones, tablets, and laptops to be used as authentication factors. 
• CTAP2, the second version of the Client to Authenticator Protocol, which describes how an application and operating system communicate with an authentication device via USB, NFC, or BLE.

We are building on the FIDO2 standard and Okta is actively contributing to its future development and improvement.

Technically speaking, passkeys are FIDO2 credentials that are discoverable by browsers or housed within native applications for passwordless authentication. They replace passwords with cryptographic key pairs, which makes them significantly more resistant to attacks like phishing.

Using a passkey is as easy as unlocking your phone or computer. As discoverable credentials, passkeys simplify login by making it possible for the website or application to get your username or email address and autofill that field when logging in.

There are two types of passkeys: synced and device-bound.

• Synced passkeys can be synced across user devices to be used and restored from a keychain cloud-based service — a sync fabric — like Apple’s iCloud and Google Password Manager. A passkey for a website or application is available on all of a user’s devices that use the same sync provider. They’re meant primarily for “consumer” use and will be the focus of this article.
• Device-bound passkeys are stored securely on a single hardware device like a security key or your laptop. This limitation is for websites or applications that require a higher level of security assurance, such as financial enterprise environments. 

They’re an authentication method for an era where about 85% of the world’s population has a smartphone, the internet is everywhere, and people log into dozens, if not hundreds, of accounts daily. They solve the biggest security and usability problems that come with usernames and passwords, and we believe that they’re the future of login.

The Customer Identity Cloud passkey user experience

When logging into a passkey-enabled website or application secured using Customer Identity Cloud, users will see passkey as an authentication method in our Universal Login box:

Users with passkeys can choose to log in either via the Continue with a passkey button at the bottom of the screen or by clicking on the Email address text field, which reveals this autofill menu:

The Sign up link still leads to a screen for signing up for a new account, but users can now create a new account that uses passkeys and skip the process of creating a password.

Users who signed up with an email address and password credentials can still log in using those credentials and choose to add a passkey to their account later. This way, they have the flexibility to migrate to passkeys at their own convenience.

The desktop/laptop experience

Let’s take a look at what the passkey login experience looks like on a computer. In this case, we’ll look at the experience of a user running Chrome on a MacBook with a fingerprint reader.

The user either selects their passkey-enabled account from the Email address field’s autofill menu, as shown below…

…or they click the Continue with a passkey button, which takes them to this screen:

The user selects the identity that they want to use, after which they’ll see this:

The user scans their fingerprint, the computer checks their identity, and when confirmed, the user is logged in. No password had to be memorised, no typing had to be done, and for reasons we’ll explain shortly, the login process was even more secure than when done with an email and password.

If the computer doesn't have a fingerprint scanner, that’s okay. Passkeys can be accessed in the same way you unlock your device which means you can use a biometric, device pin, or pattern.
 

Using a USB security key

Another option for logging in with passkeys on a computer is to use a USB security key, such as a YubiKey. These are USB, NFC, and BLE devices that hold authentication keys and work hand-in-hand with authentication systems like passkeys.

When logging in with passkeys and a USB security key, the user can click on the Email address text field and select the Use a Passkey on a Different Device option…

…or they can click the Continue with a passkey button, which takes them to this screen, where they click the Use a different device button:

Either option leads to this screen:

If the user chooses the USB security key option, they’ll see this pop-up on their computer:

The user would then insert the USB security key and touch it, authorising the use of the user’s passkey stored on the key. Once the user’s identity is confirmed, the user is logged in. The combination of a secure storage device and biometrics makes this passkey method suitable for work that needs an extra level of security.

The mobile experience

In this example, we'll show the passkey experience for an iPhone user. Like our example above, it starts with the Universal Login:

The user either taps the E-mail address text field or presses the Continue with a passkey button to select an identity. After that, they see this pop-up:

The user presses the Continue button and presents their face to the front-facing camera, just as they do when unlocking their phone. Once the user’s identity is confirmed, they are logged in!

In the example above, the user used facial recognition to use their passkey. If the phone had a fingerprint sensor, they could have used that instead. 

A quick note about signing in with biometrics

In the examples above, the user used facial and fingerprint recognition as part of logging in with a passkey. We’ve heard some concerns about biometric information being sent to a server. This is not the case; your biometric information never leaves your device.

The step in passkey-based login where the user identifies themselves is the exact same step used when the user unlocks the device. This step isn’t limited to facial or fingerprint recognition, but any information that identifies the user to the device — it could also be the device’s password or PIN, a USB security key, or a password/identity management application.

Once the user has confirmed their identity with the device, the device sends the user’s passkey information — not their biometric information — to the authorisation server.

The cross-device experience

Let’s consider a cross-device case:

• Suppose you’re trying to log into a website on a Windows PC, which doesn’t have your passkey for the website.
• You have your Android phone, which has the passkey for the website.

Since your Android phone has a passkey for the website, you can use it to log the Windows PC into the website, a process we call cross-device authentication.

You start with the Universal Login box on the Windows PC:

The next step is to start the passkey login process. One way to do this is to click on the Email address text field, which makes the autofill pop-up appear:

Click Use a passkey on a different device. You’ll be taken to the Use your passkey screen:

The other way to get to the Use your passkey screen shown above is by clicking the Continue with a passkey button at the bottom of the Universal Login box.

Click the Use a different phone or tablet option, which lets you log in using another device, which in this case will be the Android phone. This QR code screen will appear:

With your Android phone, you scan the QR code. Once it’s scanned, the phone gives you the option to open the QR code’s link:

To proceed, open the link. This screen will appear:
 

If the Remember this computer option is checked, the PC will be given its own passkey for the account on the website and you won’t need the phone to log in on the PC afterward.

Click the Allow button to continue logging in. This pop-up will appear on the Windows PC…

…and on the Android phone, you’ll be asked if you want to use the passkey on your phone to log in on the PC:

Press Continue to use the passkey. You’ll be prompted to confirm your identity by using the same method you use to unlock your phone. In the case of this phone, the options were to use the fingerprint scanner or press the Use PIN option to enter a PIN instead:

After scanning your fingerprint or entering your PIN, you will be logged in.

As a security measure, cross-device authentication requires Bluetooth to be enabled on both the computer and mobile device. This ensures the mobile device is near the computer, which makes phishing attacks nearly impossible. 

To gain access to your account through phishing, an attacker would need to:

1. Follow the login steps above until presented with the QR code
2. Photograph or screen-capture the QR code
3. Send it to you via email, text, or other method used in phishing and convince you to scan the QR code

…and they would have to do so before the login process times out. This approach reduces the phishing attack surface from “anywhere in the world” (since passwords can be used anywhere) to the few square meters around your computer.

How passkeys work

While it’s relatively easy to deduce how the username/password system works, the mechanism underlying the passkey system isn’t as obvious. We’ll try to explain it in this section, which will also explain passkeys’ advantages over passwords. 

A passkey is actually two keys

When we use the term “passkey,” we’re actually talking about a credential that contains two keys called a cryptographic key pair:

• One key is the public key, which you can distribute freely, post online, or even display on a billboard in the busiest city in the world. 
• The other key is the private key, which you keep secret and share with no one.

You create both keys simultaneously, and they’re a matching pair. A public key will work only with the private key it was generated with and vice versa.

As you may have already guessed, the public and private keys aren’t physical keys, but digital ones. They’re long sets of numbers often represented as strings of characters. They’re mathematically combined with messages — which are also just long sets of numbers — that you want to send securely.

Logging in with a passkey

As we said earlier, a passkey contains a public key and a matching private key. Here’s where those keys are used:

• Like a password, the private key is meant to be a secret. It’s also generated so that it is long and nearly impossible to guess. You don’t (and probably can’t) memorise it. Instead, you store it on a device you own and trust, such as your computer, phone, tablet, or security key.
• A copy of the public key corresponding to your private key is stored on the authorisation server, also known as the relying party or RP for short — the server that presents you with the login box and logs you into your website or application. For users logging in via Okta’s Customer Identity Cloud, we are the RP.

A passkey also contains information about… 

• The relying party (the server) — either an ID or its domain. The user’s device’s operating system uses this information to interact only with the RP it was enrolled for, making it resistant to phishing.
• The user, so that the user doesn’t have to provide a username or email address — they can simply select one from Email address text field’s autofill menu or click the Continue with a passkey button. We say that a passkey is discoverable because it includes this information.

Here’s how logging in works with a passkey:
 

1. When the user initiates the login process, the website or application sends a request to the authorisation server (a.k.a. relying party or RP).
2. The RP responds with a challenge — a message that must be answered and signed.
3. The website or application receives the challenge, and the user is prompted to verify themselves on their device.
4. The user chooses a method to verify themselves on their device. This could be via biometrics, a password or PIN — whatever they would use to sign into the device.
5. Now that the device has confirmed the user’s identity, it uses the private key to sign the challenge and sends it back to the RP.
6. The RP receives the signed challenge and validates it using the public key. 
7. If the signed challenge is valid, the user is logged in if there are no additional factors in the login flow (such as an authenticator app or a required response to an SMS message).

Advantages of passkeys

Passkeys provide many advantages over traditional username/password authentication, including:

• Speed and simplicity. Logging in with passkeys, especially when using biometrics, is much faster. We’ve seen scenarios where users authenticate twice as quickly with passkeys, and four times as fast once they don’t have to enter either an identifier or a passkey. Enrollment speed also increased by 44% — nearly twice as fast.
• Strong credentials. Since passkey credentials are cryptographic keys, they are always strong, never reused, and impossible to guess. 
• Phishing resistance. Passkeys only work with the RP that created them. This means that users can’t be tricked into using a fake lookalike version and submitting sensitive information.
• Safer from data breaches. With a passkey system, authentication servers store only public data. Unlike the hashed passwords obtained from a breached username/password system, a collection of users’ public data from a system that supports passkeys is useless to hackers.

Enabling passkeys in Customer Identity Cloud

Passkeys are available as a feature on all Customer Identity Cloud plans — even the free ones! This means that if you want to familiarise yourself with passkeys and their user experience, you can set up a free tenant and add passkey-enabled authentication to your applications at no cost.

Try passkeys now and see how you can give your users a more convenient, more secure login experience! 

• If you’re new to Okta Customer Identity Cloud Powered by Auth0, sign up for a free trial account!
• If you already have an account, you’ll want to look at:
  • This article on our Customer Identity Cloud blog, Activate Passkeys and Let Your Users Log in without a Password  

Our passkeys documentation