ID Notes
Passkeys - Unforgettable in Every Way
Aug 17, 2023
Passkeys, also known as Multi-Device FIDO Authenticators, directly tackle several major weaknesses of passwords. These include:
Phishing-Resistant Protocols with enforced host specificity prevent nearly all phishing and smishing approaches.
Strong Cryptographic Authentication Handshakes eliminate the risk of brute-force guessing.
Unique Keys for Each Relationship eliminate vulnerabilities caused by password reuse; exposure at one entity does not compromise security at another.
Advancements in Standards for Utilization of Protected Hardware Modules enhance device-level security by preventing interference from malicious apps.
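As an added example (not code from this post), here are the relying-party checks behind the first three points above, in Go using only the standard library: a reduced WebAuthn-style assertion where the RP ID hash, the origin the browser observed, and the issued challenge are all bound under a per-relationship P-256 key. The rpID, origin and challenge values are assumed, the challenge is passed as an opaque string, and clientDataJSON is cut down to the two fields checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData holds the two clientDataJSON fields checked here (real clientDataJSON carries more).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// newPasskey makes the P-256 key pair a passkey generates at registration, unique to one RP.
func newPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// authenticatorSign models the passkey: the signature binds the RP ID hash, the observed origin and the challenge.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP set) || signature counter = 1
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return
}
// verifyAssertion is the RP side: pub is the key registered for this user at this RP, and each check closes one password weakness.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: replayed or stale assertion") // no replay, nothing to brute-force
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was produced for another site") // look-alike page fails here
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch: credential is not bound to this RP ID") // host specificity
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature invalid: not the key registered for this relationship") // per-RP key
	}
	return nil
}
```

A production RP would additionally verify the clientDataJSON type, the user-presence and user-verification flags, and a non-decreasing signature counter, which are left out here for brevity.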
These improvements alone are compelling reasons for service providers to embrace adoption. However, the most significant advantage of passkeys lies in nearly eradicating the need for customers to click on “Forgot Password”.
Businesses currently grapple with substantial costs due to "Forgot Password" friction:
Customer Support for Recovery: The expense of customer service and support for password reset is often more significant than fraud losses. In particular, friction in digital experiences drives up support costs.
Customer Abandonment at Reset: When faced with even minor friction, customers might abandon interactions or seek services elsewhere. Studies indicate that 75% of password reset emails go unresolved, implying substantial delayed or lost business due to this friction.
Google's initial research into Passkey adoption reveals that their end users achieve nearly 5 times the success rate of login attempts compared to passwords. Moreover, they complete passkey logins in half the time of password logins. This suggests that Passkeys could enhance customer outcomes at login, significantly reduce customer service costs, and simultaneously boost customer engagement.
However, with any new technology, there are considerations and potential challenges in implementation and adoption. A primary concern with the authentication scheme is the close connection between passkey implementation and cloud identity accounts:
Inadvertent or Unauthorized Devices: Devices that join the same cloud account, whether inadvertently or without authorization, may have passkeys synced to them, potentially leading to security breaches.
Account Takeover or Loss: The consequences of account takeover or loss of access are magnified with passkey authentication.
There will also be changes in easy sharing interactions we take for granted today as passkeys cannot be shared as easily as passwords. Actions such as sharing accounts or logging in on someone's behalf will require new authorization methods. Aggregator services will face fresh challenges in seamlessly connecting accounts. This is a good development - there should be clear and reliable authentication for who is using a service - but it will change some of the common low risk interactions we have today.
Passkeys can serve as robust primary authenticators when combined with other risk indicators. Ideally, requiring support for device-specific indicators in all implementations would empower service providers to make informed decisions about risk and friction at a transactional level, addressing significant pain points.
In all, I am optimistic about the potential of passkeys to enhance overall security and usability in strong authentication. I hope that more service providers will share their experiences and successes, further enhancing the technology and promoting adoption.