3 Challenges Passkeys Must Overcome to Hit Mainstream Adoption
- By Gilad Shriki, Descope
- January 29, 2024
None of us are fans of passwords. As an end user, I’m frustrated with creating and managing unique passwords for every online account. As a security practitioner, however, I know the real security dangers if I get lazy with my passwords.
Using passwords correctly requires keeping track of many strong, unique character combinations, thus increasing the need for password managers. As password managers become more popular, they are more likely to be attacked. This password centralization means the blast radius is much bigger when password managers get breached.
I was a victim of the recent LastPass breach. I had to change all my passwords and move all my credentials to a different password manager. This was incredibly painful for me and the many others affected by this one attack. All this pain could have been avoided if we had been using passkeys.
This is why I’m genuinely excited that services have increasingly started supporting passkeys over the past few years. Major websites, apps, hardware vendors, platform providers, and tech companies have embraced passkeys. Adopters include Amazon, Apple, Google, Microsoft, Shopify, Best Buy, and TikTok. While these companies fiercely compete in many other market areas, passkey support is one thing they are all getting behind.
That said, Big Tech alone can’t make passkeys replace passwords. I see three challenges the market needs to address so that everyone can use passkeys everywhere instead of passwords.
Educating the market about passkeys
The biggest challenge for passkeys is market education.
Passkey adoption has been a bit slower on the user side, especially amongst the less tech-savvy. Technical users have started signing up to use passkeys, but non-technical users need help understanding the benefits.
When I think about mass adoption, I think about my mother. She has no idea what a passkey is. She knows concepts like username, email, and password. If she sees a button to “Sign up with a Passkey”, I don't think she'll click on it. Furthermore, my mom thinks that if she inputs her fingerprint while she’s on Best Buy's website, for example, Best Buy will get a copy of her fingerprint. These two concepts combined are what we need to solve with market education.
While security and user experience often conflict, passkeys are an exception. Passkeys are much more secure (they are virtually immune to phishing attacks, unlike passwords) and much easier to use (no need to remember countless passwords). The technology is a very strong authentication method, and it's very easy to sign up with, opt in to, and use with your services. Passkeys are the best of both worlds.
Furthermore, when implemented properly, passkeys are privacy-first. With passkeys, your biometrics are never shared with anyone, ever. They're only used to unlock a key local to your device, just like you may already use your fingerprint to unlock your computer or phone.
Growing passkey adoption across apps and websites
The second major challenge for passkeys is growing the tech’s adoption across apps and websites. Most developers are not yet aware of how to implement passkey support. They must adopt some standards, comply with some protocols, and decide whether to build or buy. It’s not rocket science, but there is some technical effort involved. Doing the work themselves can take a few weeks; if they go with a third party, it can take a few days.
These timelines cover only the initial setup of passkeys. There is still plenty of ongoing work: embracing passkeys is not as simple as flipping a switch. Developers need to set up a migration path for users so that an already logged-in user can become a passkey user, and they must build a fallback flow for cases where a device or browser does not yet support passkeys.
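As an added illustration (not code from the article or from Descope), the two flows above, migration for an already logged-in user and fallback when passkeys are unavailable, reduce to a capability probe plus a decision rule. The probe uses the real WebAuthn feature-detection APIs; the function names, the capability flags and the `user` record shape are assumptions made for this example.

```javascript
// Added example: pick a sign-in path based on what the browser/device supports,
// so there is always a fallback when passkeys are unavailable.

// Capability probe using standard WebAuthn feature-detection APIs. Takes the
// global object as a parameter so it can be exercised outside a browser.
async function probePasskeyCapabilities(win = globalThis) {
  const caps = { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  const PKC = win.PublicKeyCredential;
  if (typeof PKC !== "function") return caps;          // no WebAuthn at all
  caps.webauthn = true;
  // Built-in authenticator (Touch ID, Windows Hello, Android biometrics)?
  if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    caps.platformAuthenticator = await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  // Can the browser offer a passkey from the username field (conditional mediation)?
  if (typeof PKC.isConditionalMediationAvailable === "function") {
    caps.conditionalUI = await PKC.isConditionalMediationAvailable();
  }
  return caps;
}

// Pure decision rule (assumed shape): `user` is the server's view of the account.
//   hasPasskey: a passkey is already registered for this account
//   loggedIn:   the user authenticated with a password this session (migration moment)
function choosePasskeyFlow(caps, user) {
  if (!caps.webauthn) {
    return { flow: "password", reason: "WebAuthn unsupported" };   // hard fallback
  }
  if (user.hasPasskey) {
    return { flow: caps.conditionalUI ? "passkey-autofill" : "passkey-button",
             reason: "passkey registered" };
  }
  if (user.loggedIn && caps.platformAuthenticator) {
    // Migration path: a password-authenticated user is offered an upgrade.
    return { flow: "offer-passkey-enrollment", reason: "logged-in user on capable device" };
  }
  // Soft fallback: no passkey yet, and either not logged in or no built-in authenticator.
  return { flow: "password",
           reason: user.loggedIn ? "no platform authenticator" : "not enrolled" };
}

// Constructed demo input: a capable device, user just logged in with a password.
const demoCaps = { webauthn: true, platformAuthenticator: true, conditionalUI: false };
console.log(choosePasskeyFlow(demoCaps, { hasPasskey: false, loggedIn: true }).flow);
```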
Furthermore, as with any other authentication method, maintenance is a big part of the job if developers do the work themselves. Since 70% of total software costs occur after implementation, maintenance is arguably a more significant part of the work than the initial rollout. Developers thus need to learn about passkeys, implement them, and include ongoing maintenance improvements in almost every sprint to address issues that may come up.
Service providers prioritizing passkeys
As we solve the first and second challenges, the third challenge, focus, will become clear. Web developers and service providers don’t often put authentication on their roadmaps. Companies need to be willing to put passkeys toward the top of their list, or they will fall behind their competitors that do. That said, focus works both ways: companies should not devote so much time to passkey implementation and maintenance that it diverts attention from core product capabilities.
Users will become more educated about passkeys, and developers will become familiar with how to implement support. These two groups will accept passkeys before executives have their aha moment: adding passkeys can help our business by improving the user experience and removing passwords. Early Google data shows that the percentage of users who successfully authenticate through same-device passkeys is 4x higher than the success rate typically achieved with passwords, and logging in with passkeys is twice as fast as logging in with passwords.
I recommend that every CIO and CISO consider moving to passkeys. They should set up passkey education for their users and employees, implement passkey support, and look at options for any old hardware that might not be compatible.
Alongside passwordless methods, passkeys are an excellent tool to help usher in a world without passwords. Adoption is growing, and the technology appears to have staying power. Passkeys have some real challenges to overcome, but now is the time to take them head-on and leave passwords in the past.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.