The password-less technology known as passkeys is esoteric, far from widely adopted, and confusing for consumers.
Based on the WebAuthn standard created by the World Wide Web Consortium and the FIDO Alliance - and jointly supported by Apple, Google, and Microsoft - passkeys are a way of signing into services without passwords using device-based authentication and public-key encryption.
To really change the landscape, smaller sites - and their developers - have to adopt passkeys as well, says Anna Pobletts, head of passwordless technology at 1Password, a password-management firm.
With developer services and toolkits rolling out and a maturing infrastructure, passkeys look ready to fully move mainstream in 2024, if mostly for consumer use.
While Apple, Google, and Microsoft already support passkeys in some of their services, Google released its Credential Manager for Android in November to support passkeys across different identity ecosystems, such as 1Password and Enpass.
Some major sites have recently added passkeys - including Amazon and WhatsApp in October - joining dozens of other major e-commerce sites and cloud services - such as Adobe, Best Buy, eBay, Roblox, and Zoho - that support the technology.
The exact number of web sites and apps that support passkeys is in flux.
Passkeys.io lists 18 major sites that support passkeys, including brand names such as Google, WhatsApp, Microsoft, and Amazon.

More Security, But Hard to Implement

Passkeys use public key cryptography to exchange and validate a secret, through a mechanism defined by the WebAuthn standard, relying on a device's own security capabilities - or those of a hardware key - to authenticate the user and pass that information to the website.
When a passkey is generated, the user's device stores a private key and sends a public key to the web site, which saves the key during registration.
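
The registration and sign-in exchange described above, as an added example that is not from the article or from any vendor's code: a simplified Node.js model in which an in-process stand-in plays the authenticator and `verifyLogin` performs the site's checks. The names `RP_ID`, `ORIGIN`, `createPasskey` and `verifyLogin` are assumptions for illustration, and real WebAuthn adds CBOR/COSE encoding and attestation that are omitted here.

```javascript
// Added example: simplified WebAuthn-style registration and login (no CBOR/COSE, no attestation).
const crypto = require('node:crypto');

const RP_ID = 'example.com';           // assumed relying-party ID
const ORIGIN = 'https://example.com';  // assumed site origin
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Authenticator side: the private key never leaves this closure.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  const sign = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++signCount);
    // authenticatorData = SHA-256(rpId) || flags (0x05 = user present + verified) || counter
    const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), counter]);
    const signature = crypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  };
  // Registration hands the site only the public key.
  return { publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }), sign };
}

// Site side: checks made with the stored public key and the challenge it issued.
function verifyLogin(stored, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, stored.publicKeyPem, assertion.signature)) return 'bad signature';
  const count = authData.readUInt32BE(33);
  // The counter is only compared when at least one of the two values is nonzero.
  if ((count !== 0 || stored.signCount !== 0) && count <= stored.signCount) return 'counter did not advance';
  stored.signCount = count;
  return 'ok';
}
```

Because the signed data binds the site's fresh challenge and the origin the browser reported, an assertion captured on one login, or produced for a look-alike origin, fails verification even though the signature itself is valid.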
The benefit of passkeys over WebAuthn tokens is that passkeys can be synced across a single ecosystem: Any device that uses Apple's iCloud Keychain, for example, could log in using the same set of passkeys, and any device that has 1Password's password-vault application installed could use passkeys saved to that ecosystem across platforms.
Making all this easy not only for people to use but also for developers to implement is critical, says Stytch's McGinley-Stempel.
Overall, 83% of developers are currently working on implementing passkeys for a customer and 68% have personally used passkeys for work, according to the Developers Survey 2024 published by identity management provider Bitwarden.
Understandable, considering that the number of successful logins goes up and the number of password resets goes down when using passkeys.
While authentication infrastructure providers like Stytch are aiming to simplify the move to passkeys for developers, identity providers - such as Bitwarden and 1Password - are also providing tools to interface with different passkey ecosystems, including their own.
If tools can make implementing passkeys simpler, then developers and website owners can benefit from the easier security mechanism, says Gary Orenstein, chief customer officer at Bitwarden.
In addition to toolmakers, all the major platforms are offering guidance to developers about how they should implement passkeys.
Similar to anything new, it will take time for people to get used to passkeys, says Arnar Birgisson, a software engineer with Google.
Google has prompted its users to make passkeys the default method of logging into its services.
The response has been overwhelmingly positive, with more than 60% reporting passkeys are easier to use than traditional login methods, Birgisson says.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Jan 2024 13:40:15 +0000