Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance’s new passwordless authentication standard. But eliminating passwords won’t happen overnight.
The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
Passkeys Start to Roll Out
As expected, Apple became the first of the three to ship passkeys, with its iOS 16 release late last month giving millions of iPhones and iPads the ability to use them. Mac users will be able to use passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.
Once a user creates a passkey on one Apple device, iCloud Keychain synchronizes it to any other supported Apple client or service, so enrolling one device effectively enrolls every other Apple device and service that supports passkeys.
Google’s passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.
“When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user’s own devices,” Birgisson noted. “This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account.”
Demonstrating the Future
Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week’s Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.
“The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes,” Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.
Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than using passwords because passkeys aren’t vulnerable to phishing attacks or other credential compromises. Passkeys are also easier to use because they consist of cryptographic keys that supported devices and cloud services handle on the user’s behalf.
Although Microsoft doesn’t plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company’s Authenticator app, according to senior program manager for identity Scott Bingham.
“Passkeys are multidevice FIDO credentials that are a really compelling solution,” Bingham said. “It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account.”
Windows Hello, which currently provides biometric authentication for unlocking a PC, will also support the new passkeys.
Integrating Online Services and Apps
For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for them. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar in his opening remarks at the conference.
Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.
Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. On a device that doesn’t yet support passkeys, a user who had already created one could still access it by generating a QR code.
“This provides that amazing combination we’ve been waiting for, both convenience and security,” Mello said. “Something that’s absolutely required for us to be able to reach the large-scale consumer deployment that we’d be looking for worldwide.”
While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance’s Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can’t remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.
Adoption Will Be Slow
Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.
“Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately,” Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as several presenters signaled in their talks.
The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, “we’ll finally see wide adoption of software-based roaming authenticators” embedded as mobile apps or within operating systems, he says.