Passkeys continue their rise in popularity as an alternative form of user authentication that eliminates the need for usernames and passwords. Cybersecurity professionals have long considered strong passwords one of the best defenses against security vulnerabilities. However, because web users often create weak passwords or reuse passwords, there have been attempts to develop new approaches that address the underlying problem.
The passkey idea first began to take hold in 2009 when Validity Sensors, in conjunction with PayPal, developed the concept of using biometrics in place of passwords for online identification. In July 2012, they founded the FIDO Alliance, a web security collective, which publicly announced its initiatives in February 2013. Since its establishment, FIDO’s membership has grown, with Google joining in April 2013 and several technology leaders such as Samsung adopting the technology publicly.
Passkeys are fast becoming an alternative to traditional passwords, and much of the underlying technology behind two-factor authentication and biometric systems has already been integrated into everyday tech life. However, passwords remain the standard method of access to websites and software programs, and they are inherently vulnerable to phishing and other attacks designed to steal or bypass credentials.
The FIDO Alliance claims that passwords create both security risks and friction in the user experience. The alliance states that more than 80% of data breaches are the result of compromised passwords, a problem exacerbated by frequent password reuse (up to 51%). It also claims that one-third of all online purchases are lost because customers forget an account password, which prevents them from completing the checkout process.
Recently, Apple announced its passkey feature, which utilizes existing iOS technology that powers Touch ID and Face ID features. The tech giant revealed that passkeys are integrated into the iPhone 14 and iOS 16, allowing users to create accounts and log in using their fingerprint or facial image instead of a password to authenticate their credentials.
When logging into a site that uses passkey technology, a push notification will be sent to the smartphone the user used when registering the account. Once the user applies their face or fingerprint to unlock their device, it will create a unique passkey and communicate it to the website, allowing the user to log in without entering login information or transmitting their biometric data through a potentially insecure Wi-Fi connection.
Passkeys are part of the Web Authentication API and only function for the website on which they are created. Furthermore, they are stored on the user’s device instead of on a physical or cloud-based server.
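The site-binding described above is enforced on the server when it verifies a Web Authentication assertion: the browser records the page's origin, the authenticator hashes the site's RP ID, and the device signs both together with the server's challenge. The following Node.js sketch is an added example, not code from this article or from any vendor; `makeAssertion`, `verifyAssertion`, `demo`, the `shop.example` names and the generated key pair are constructed for illustration.

```javascript
const crypto = require("crypto");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Constructed stand-in for browser + authenticator (hypothetical helper).
// The browser records the page's real origin in clientDataJSON; the
// authenticator hashes the RP ID into authenticatorData and signs both.
function makeAssertion(privateKey, { origin, rpId, challenge }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // Layout: rpIdHash (32 bytes) | flags (0x05 = user present + verified) | signCount (4 bytes, 0 here)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying-party side: returns "ok" or the name of the first check that failed.
function verifyAssertion(a, { publicKey, expectedOrigin, rpId, challenge }) {
  let client;
  try { client = JSON.parse(a.clientDataJSON.toString("utf8")); }
  catch { return "malformed clientDataJSON"; }
  if (client.type !== "webauthn.get") return "wrong type";
  const got = Buffer.from(String(client.challenge), "base64url");
  if (got.length !== challenge.length || !crypto.timingSafeEqual(got, challenge))
    return "challenge mismatch"; // stale or replayed assertion
  if (client.origin !== expectedOrigin) return "origin mismatch"; // produced on another site
  if (a.authenticatorData.length < 37) return "short authenticatorData";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rpId))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed scenario: one credential registered for shop.example.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const rp = { publicKey, expectedOrigin: "https://shop.example", rpId: "shop.example", challenge };
  const good = makeAssertion(privateKey, { origin: rp.expectedOrigin, rpId: rp.rpId, challenge });
  const otherSite = makeAssertion(privateKey, { origin: "https://shop-example.test", rpId: "shop-example.test", challenge });
  const otherRp = makeAssertion(privateKey, { origin: rp.expectedOrigin, rpId: "shop-example.test", challenge });
  const stale = makeAssertion(privateKey, { origin: rp.expectedOrigin, rpId: rp.rpId, challenge: crypto.randomBytes(32) });
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // flip one signCount bit after signing
  return Object.fromEntries(Object.entries({ good, otherSite, otherRp, stale, tampered })
    .map(([name, a]) => [name, verifyAssertion(a, rp)]));
}
console.log(demo());
```

Only the assertion made for the registered origin and RP ID with the current challenge verifies; the server holds just the public key, so nothing it stores can be replayed as a login secret.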
Apple isn’t the only company in the passwordless login game: tech companies such as Google and Microsoft have also included passkeys in their operating systems and devices. Other companies that have adopted passkey technology include Facebook, eBay, and Salesforce.
Although passkeys are proving popular, concerns have been raised that users may unwittingly rely on proprietary technology that could cause problems if they switch to another vendor’s product. However, an existing passkey for an iPhone or other Apple device can be used on products from other vendors by using it on a device with Google Chrome running on either iOS 16 or later or on a Windows machine.
In conclusion, passkeys are a valuable addition to cybersecurity measures that reduce the need for usernames and passwords, and as more tech companies adopt passwordless logins, the technology and standards to ensure their interconnectivity must improve.