A deep dive into passkeys

1 September 2024

Illustrated by our virtual artist, contrasting a traditional padlock with a key (representing passwords) and a digital lock with a fingerprint or a keyless entry symbol (representing passkeys). The background could show a futuristic digital landscape, emphasizing the evolution from passwords to passkeys.

Quick navigation

Passkeys are quickly becoming an important technology for our daily security, offering a future where managing multiple passwords is no longer needed. As we move towards a passwordless world, passkeys are being adopted by major tech companies and security experts. But what are passkeys? How do they work, and why are they seen as the next big thing in digital security?

This article dives deep into the concept of passkeys, exploring their functionality, benefits, challenges, and future implications. I will also analyze real-world examples from recent years that demonstrate the increasing adoption and impact of passkeys in cybersecurity.

The basics of passkeys

A passkey is a digital credential that allows a user to authenticate themselves to a website, application, or service without needing to input a traditional password. Instead of relying on a text-based password, passkeys utilize public key cryptography to authenticate a user. This makes them inherently more secure than passwords, which can be easily guessed, stolen, or phished.

How Do passkeys work?

Passkeys are built on a framework known as WebAuthn (Web Authentication), a web standard created by the FIDO (Fast Identity Online) Alliance. Here’s how it works:

  1. Public and private keys: when a user registers for a service that supports passkeys, their device generates a pair of cryptographic keys: a private key (which is stored securely on the device) and a public key (which is shared with the service).

  2. Authentication: when logging in, the service sends a challenge to the user’s device. The device uses the private key to sign the challenge and sends it back to the service, which then verifies the signature using the public key.

  3. No passwords: this process does not involve transmitting or storing passwords, thus reducing the risk of password-related breaches.

Applications

1. Apple’s integration of passkeys in iOS 17 (2023)
In 2023, Apple took a significant step toward a passwordless future by integrating passkeys into iOS 17. Users can now authenticate with passkeys in Safari and apps that support WebAuthn. This move not only simplified the user experience but also enhanced security by reducing reliance on traditional passwords.

2. Google’s passkey support for Google accounts (2024)
Google announced in early 2024 that it would be rolling out passkey support for all Google Accounts. This allows users to sign in without passwords across all Google services, including Gmail, YouTube, and Google Drive. This move underscores Google’s commitment to leading the charge in passwordless authentication.

3. Microsoft’s adoption of passkeys in Azure AD (2024)
In 2024, Microsoft introduced passkey support in Azure Active Directory (Azure AD), enabling enterprises to implement passwordless authentication across their workforce. This development is particularly significant for organizations looking to enhance security and streamline the login process for employees.

The integration of passkeys by all major tech companies like Apple, Google, and Microsoft highlights the growing momentum toward passwordless authentication. The difference in adoption speed between consumer-focused platforms, like Google Accounts, and enterprise solutions, like Azure AD, is outstanding. While consumer platforms have rapidly embraced passkeys to enhance user convenience and security, enterprise adoption has been more cautious. It’s demonstrating the complexity and security demands of large organizations.

Why passkeys are more secure than passwords?

The flaws of passwords

Passwords have long been the standard for digital authentication, but they come with significant security risks. Common problems include:

  • Weak passwords: many users choose easily guessable passwords, making them vulnerable to attacks.
  • Reuse across services: users often reuse passwords across multiple sites, increasing the risk of widespread breaches if one site is compromised.
  • Phishing attacks: cybercriminals can trick users into revealing their passwords through phishing attacks, leading to unauthorized access.

How passkeys address these issues

Passkeys eliminate many of the vulnerabilities associated with passwords:

  • Phishing resistance: passkeys are resistant to phishing attacks because the private key never leaves the user’s device and cannot be intercepted by attackers.
  • No password reuse is possible: since passkeys are unique to each service and device, there’s no risk of password reuse.
  • Enhanced account security: the use of public key cryptography means that even if a service is compromised, the attacker cannot use the public key to access the user’s account.

Applications

1. PayPal’s adoption of passkeys (2024)
In mid-2024, PayPal introduced passkey support for its users, significantly enhancing the security of transactions. This was a direct response to the increasing sophistication of phishing attacks targeting payment platforms.

2. The NY Times implements passkeys for subscriptions (2023)
In late 2023, The New York Times integrated passkey authentication for its subscribers, addressing concerns about account breaches following several high-profile phishing incidents.

3. Slack introduces passkeys for enterprise users (2024)
Slack, a leading communication platform, rolled out passkey support for enterprise users in early 2024. This initiative aimed to protect organizations from credential-based attacks, which have been a significant threat in the corporate world.

The adoption of passkeys by financial institutions like PayPal and media companies like The New York Times demonstrates their commitment to protecting users from increasingly sophisticated cyber threats. The push by enterprise platforms like Slack to adopt passkeys reflects a growing recognition of the need for robust security measures in the corporate environment. These shifts from passwords to passkeys mark a big change in digital security, where both user experience and security are given equal importance.

The challenges of passkeys adption

User education

While passkeys offer significant security benefits, one of the main challenges is user education. Many people are still unfamiliar with the concept of passkeys and may be hesitant to adopt a new authentication method.

Device compatibility

Another challenge is ensuring that passkeys are compatible across different devices and platforms. For example, a user might have an iPhone and a Windows PC, and they need their passkeys to work seamlessly across both.

Applications

1. Bank of America’s gradual rollout of passkeys (2023-2024)
Bank of America began rolling out passkeys in late 2023, but the process has been gradual. The bank faced challenges in educating its customers about how to use passkeys, particularly older customers who are less tech-savvy. The rollout has been accompanied by a significant educational campaign, highlighting the need for user awareness when introducing new security technologies.

2. Amazon’s passkey pilot program (2024)
In 2024, Amazon launched a pilot program testing passkeys with a subset of users. The pilot revealed challenges related to device compatibility, particularly for users accessing Amazon on multiple devices with different operating systems. Amazon has been working on resolving these issues before a wider rollout.

3. Uber’s passkey integration challenges (2024)
Uber faced difficulties in integrating passkeys into its platform in early 2024. The company’s diverse user base, which spans across various devices and countries, made it challenging to ensure a seamless experience for all users. Uber’s approach involved collaborating with device manufacturers to improve compatibility and user experience.

The challenges faced by these organizations highlight the importance of considering user education and device compatibility when implementing passkeys. These issues underscore the need for a phased approach to adoption, allowing time to address issues and educate users about the benefits and use of passkeys. The difference in how these companies are handling the rollout also illustrates the diverse approaches needed to address the unique needs of their respective user bases.

Perspectives

Industry adoption

The adoption of passkeys is expected to continue growing, with more industries and sectors embracing this technology. As more companies recognize the security and usability benefits, passkeys are likely to become the standard for digital authentication.

Technological advancements

Advancements in technology will also play a crucial role in the future of passkeys. Innovations in biometric authentication, such as fingerprint and facial recognition, will likely be integrated with passkeys to create an even more seamless and secure user experience.

Applications

1. Visa’s plan to implement passkeys globally (2024)
Visa announced in mid-2024 that it plans to implement passkeys for its global customer base by the end of the year. This move is part of a broader strategy to enhance transaction security and reduce fraud.

2. X-Twitter’s exploration of passkeys for ecure login (2024)
Twitter, now rebranded as X, has been exploring the integration of passkeys for secure login, as revealed in a 2024 announcement. The platform is testing this feature with select users, focusing on enhancing account security, especially for high-profile accounts that are often targeted by hackers.

3. European Union’s initiative for passkey standardization (2023)
In 2023, the European Union began an initiative to standardize passkeys across member states as part of its broader digital security framework. This initiative aims to create a unified approach to digital authentication across Europe, making it easier for citizens and businesses to adopt and use passkeys.

The future of passkeys looks promising, with significant advancements and widespread adoption on the horizon. The involvement of major financial institutions like Visa and social media platforms like Twitter indicates that passkeys are not just a passing trend but a fundamental shift in digital security. The European Union’s push for standardization also suggests that we might see more coordinated efforts globally to make passkeys a universal standard. However, the success of these initiatives will depend on continued technological innovation and effective user education.

Final thoughts

Passkeys represent a major leap in digital security, offering a secure and user-friendly alternative to traditional passwords. As more companies and industries embrace passkeys, we are probably moving closer to a future where phishing, password breaches, and other cyber threats will become much less common.

However, the widespread adoption of passkeys comes with challenges. Issues like user education, device compatibility, and technological integration need to be addressed to ensure passkeys can become the new standard for digital authentication.

As cybersecurity evolves, so must our methods of protecting digital identities. Passkeys offer a promising future for secure authentication, eliminating the need for complex, hard-to-remember passwords. Embracing passkeys is a significant step toward a more secure and user-friendly digital experience.