Passkeys use device-based authentication and public-key encryption to give access to apps and websites without a traditional username and password combination.
Generated by your device, a passkey consists of a pair of cryptographic keys: a public key and a private key. The public key is stored by the apps or websites, while the private key remains exclusively on your device. Once your device verifies your identity, the combination of these keys allows access to your account.
Notably, major entities such as Apple, Google, and Microsoft have integrated passkeys into some of their services. Google’s release of Credential Manager for Android in November further supports passkeys across various identity ecosystems, including 1Password and Enpass.
“As the technology gains traction, it is crucial for smaller websites and their developers to embrace passkeys for a significant impact on the authentication landscape,” says Anna Pobletts, head of passwordless technology at 1Password.
Additionally, technology companies and tool vendors are introducing developer services and toolkits to facilitate the implementation of passkeys in websites and web applications.
“For developers, in particular, they are so critical to making passkeys successful because they’re the ones who are ultimately going to build the features into sites,”
“And passkeys, they’re just a lot more complicated to implement than passwords, so we have to give developers more help and more tools and more resources,” she says.
Stytch, a provider of authentication infrastructure, has recently introduced tools designed to assist developers in seamlessly incorporating passwordless authentication into their applications.
The goal is to simplify the process, much as Stripe streamlined the addition of payment processing capabilities to applications.
Various identity providers, including Bitwarden and 1Password, offer tools that interface with diverse passkey ecosystems, including their proprietary ones. Additionally, major platforms like Google provide guidance to developers on implementing passkeys.
Despite the enhanced security that passkeys provide by utilising public key cryptography to exchange and validate secrets through the WebAuthn standard, implementation can be challenging.
Passkeys rely on a device’s inherent security features or those of a hardware key to authenticate the user and transmit that information to the website. Devices using Apple’s iCloud Keychain or those with 1Password’s password-vault application installed can access platforms across devices with the same set of passkeys.
The passkey generation process involves the user’s device storing a private key and sending a public key to the website during registration. When a user wishes to access the website, the site sends a lengthy random string to the user.
After user authentication, the device encrypts the string with the private key and sends the encrypted information back to the website. The website then decrypts the string with the public key to authenticate the user.
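The registration and login exchange described above, as an added example that is not code from any vendor named in this article. WebAuthn carries out the response step as a digital signature: the device signs the random challenge and the site verifies that signature with the stored public key. The user name, the in-memory maps and the function names are assumptions made for the sketch, and real WebAuthn messages carry more fields than the bare challenge signed here.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

const registered = new Map(); // site: user -> public key (all the site ever stores)
const pending = new Map();    // site: user -> challenge awaiting a response

// Device: generate the pair; the private key never leaves this object.
function createPasskey() {
  return generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // NIST P-256
}

// Site, registration: keep only the public key.
function register(user, publicKey) {
  registered.set(user, publicKey);
}

// Site, login step 1: send a fresh random string.
function issueChallenge(user) {
  const challenge = randomBytes(32);
  pending.set(user, challenge);
  return challenge;
}

// Device, login step 2: after local user verification, sign the challenge.
function deviceRespond(privateKey, challenge) {
  return sign("sha256", challenge, privateKey);
}

// Site, login step 3: check the response against the stored public key.
function verifyLogin(user, signature) {
  const challenge = pending.get(user);
  const publicKey = registered.get(user);
  pending.delete(user); // single use: a replayed response finds no challenge
  if (!challenge || !publicKey) return false;
  return verify("sha256", challenge, publicKey, signature);
}

// Constructed run: a valid login, a replay, another key, a superseded challenge.
function demo() {
  const device = createPasskey();
  register("alice", device.publicKey); // "alice" is a made-up account name
  const response = deviceRespond(device.privateKey, issueChallenge("alice"));
  const ok = verifyLogin("alice", response);
  const replay = verifyLogin("alice", response);
  const other = deviceRespond(createPasskey().privateKey, issueChallenge("alice"));
  const wrongKey = verifyLogin("alice", other);
  const stale = deviceRespond(device.privateKey, issueChallenge("alice"));
  issueChallenge("alice"); // a newer challenge supersedes the signed one
  return { ok, replay, wrongKey, staleChallenge: verifyLogin("alice", stale) };
}
```

Because the site holds only public keys and every challenge is random and single-use, a copy of the site's stored data or of an earlier response is not enough to log in.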
According to Reed McGinley-Stempel, the CEO and co-founder of Stytch, ensuring that both end-users and developers find this process not only user-friendly but also straightforward to implement is crucial.
“One of the big things is passkey configuration. How do you make that dead simple for developers so they don’t need to become one of the experts?”
“There’s much more to think about when you go from passwords to passkeys, especially how you handle post-authentication UI for managing passkeys,” she said.
Developers Survey 2024
In the face of challenges, developers exhibit significant enthusiasm for integrating passkeys into their websites and cloud applications.
The latest “Developers Survey 2024” by Bitwarden reveals that 83% of developers are actively engaged in incorporating passkeys for their clients, and 68% have personally employed passkeys in their professional tasks.
Apparently, the interest is justified, given that the utilisation of passkeys tends to increase successful logins while simultaneously reducing the need for password resets.
Gary Orenstein, Chief Customer Officer at Bitwarden, suggests that developers and website owners stand to gain from simplified security mechanisms if tools can streamline the implementation of passkeys.
“If they can have a higher successful login rate, great, more time in the app. If they can reduce password resets, great, more time in the app,”
“A lot of the problems that developers have had to deal with as an industry in the past with traditional login-password mechanisms are getting streamlined to where that becomes just less problematic than it may have been in the past,” he says.
“When each one of those big announcements comes out … we get a spike in interest from developers and customers,” Stytch’s McGinley-Stempel says.
“It’s kind of this compounding effect. … It’s hit the inflection point, which WebAuthn itself never hit, because you solved these technical issues and it’s being adopted by these big, well-respected consumer experiences,” she said.
Passkey Adoption – By The Numbers
As of December 2023, an estimated 334,000 1Password users are trying passkey technology, split 79% consumer and 21% business customers. The most significant spikes in adoption come when another large platform announces support.
With developer services and toolkits rolling out and a maturing infrastructure, passkeys will be available on more sites and applications in the coming months.
Determining the precise count of websites and applications that presently incorporate passkeys poses a challenge due to the dynamic nature of the digital landscape.
According to Passkeys.io, a resource highlighting this security feature, there are 18 prominent websites supporting passkeys. Notable brands like WhatsApp and Amazon are among these, reflecting the broad adoption of this authentication approach.
For a more comprehensive perspective, 1Password’s Passkeys.directory enumerates a more extensive list, citing 92 websites that leverage passkeys for enhanced security measures.
This expansive compilation includes renowned entities such as BestBuy, DocuSign, eBay, Okta, and Uber, signifying the widespread integration of passkeys across various sectors.