Auth & identity
December 1, 2023
Author: Alex Lawrence
Ah, the password — simple, personal, and painfully unreliable.
If you’re like many folks, you’re choosing passwords every week that are simple and easy to remember – creating low-hanging fruit for bots and hackers to easily exploit. What’s worse…you’re using them across multiple platforms and accounts, effectively 10x-ing your security risk.
But when you try to think of a more ‘secure’ password, you’re doomed to amnesia. How many times have we all hit that “forgot password?” button only to create a new one we forget two weeks later? Complex passwords, while more secure, present a different challenge — they are hard to remember and manage, especially when users have multiple accounts across various platforms.
This article looks at the inherent flaws of passwords in detail, and why passkeys — a replacement for passwords that is cross-device, cross-platform, and cross-ecosystem — could provide a truly lasting solution that is more secure and user-friendly for users, applications and the many businesses that increasingly rely on frictionless authentication.
Passwords as a means of authentication have been in use since ancient times. They served as a rudimentary security measure to protect resources, with soldiers using them to safeguard entrances to forts and camps. Fast forward to the modern era, and we still see the same concept being used today: a secret phrase or string of characters that allows access to something valuable.
But as technology evolved, passwords were no longer just needed for physical protection. With the advent of personal computers and eventually smartphones, digital security became a pressing issue. This is where traditional passwords began to show their glaring vulnerabilities.
The primary issue lies in the simplicity and predictability of user-created passwords. As humans, our ability to remember complex information is limited, and our tendency to lean towards easily guessable passwords is all too common. Creating unique passwords can truly be a headache.
Our tendency towards password reuse compounds the danger of easily guessable passwords. Many users happily reuse the same password across multiple platforms, such as Google accounts, but most folks don’t know just how risky this can be – or, they simply don’t care enough.
But if one account is compromised, all accounts using the same password are equally vulnerable. The situation worsens with the advent of automated brute force attacks, where bots can attempt thousands of combinations per second, breaching even moderately complex passwords.
Even when users opt for complex passwords, they often forget them due to their less personal or memorable nature, leading to frequent password resets and further undermining security.
There is clearly a need for more reliable and user-friendly authentication measures to keep accounts secure. Among the promising potential solutions introduced in recent years to solve the password dilemma are web authentication (or WebAuthn), one-time passcodes (OTPs) and magic links. All three of these fall under the category of something you have or something you are – vs. something you know – making them less portable with the potential to negatively impact the user authentication experience by being more cumbersome.
WebAuthn, endorsed by the World Wide Web Consortium (W3C), aims to replace traditional password inputs with local authentication assisted by devices like security keys, biometrics, or mobile phones. Theoretically, this approach offers a more secure and user-friendly experience, eliminating the need for users to remember complex passwords while simultaneously enhancing protection against phishing and password theft.
However, the anticipated broad adoption of WebAuthn has been slower than expected. The primary barrier is its perceived lack of user-friendliness due to the need for hardware (e.g. security keys or biometrics-enabled smartphones). Passkeys, WebAuthn credentials themselves, are one of the promising new authentication measures designed to address this inconvenience. More on that later.
One-time passcodes (OTPs) are passcodes with an expiration date as part of a two-step authentication process for users to access their accounts by inputting the passcode sent via email, text or authentication app. The natural drawbacks in the experience are obvious: a user needs a phone number to receive an SMS, or must take steps to login to an email account for email-based OTPs, often involving multiple clicks and steps. OTPs via SMS pose security risks such as sim swapping, and a user can sometimes be made to wait more than just seconds for OTPs to deliver — far from ideal.
Lastly, email magic links have struggled to provide the right balance for similar reasons to OTPs, requiring an email account login with multiple clicks, navigation across browsers, and potential lag in the email being received.
Ultimately, while password alternatives like WebAuthn offer compelling security enhancements, their adoption hinges on striking a balance between enhanced protection and user convenience. Until the proper balance is achieved, traditional passwords — despite their flaws — will continue to serve as the de facto standard for user authentication.
This is where the concept of passkeys comes into play as a potentially superior alternative to traditional passwords.
So what are passkeys, and why are they gaining in popularity among not just the tech and auth savvy, but also consumers?
Passkeys are an advanced, biometric-based authentication method developed by the Fast Identity Online (FIDO) alliance, aimed at replacing traditional passwords. They employ the WebAuthn standard with local biometric verifications, such as FaceID or TouchID, to generate a pair of asymmetric keys for secure authentication.
Most importantly, passkeys can be shared and synced across various devices and platforms – offering unmatched portability and convenience in biometric-based authentication.
Let’s break down how the battle of passkey vs password authentication took shape.
In 2021, FIDO – composed of major tech platforms like Apple, Google, Microsoft, and even a little auth provider you may have heard of called Stytch – introduced passkeys as a new ‘passwordless’ technology in order to enhance the usability of biometric authentication for consumers. While not a new concept, passkeys promised to address significant user experience challenges associated with existing biometric authentication technology.
Passkeys offer a unified solution to the problem of managing multiple accounts. They allow users to securely log in to various services without the need to remember or input a correct password for each. This not only enhances security but also streamlines the authentication process, making it more user-friendly.
Major cloud platforms including Google, Apple, and Microsoft, as well as mobile operating systems like Android and iOS, are increasingly adopting passkey technology, shifting away from relying on passwords alone for their authentication strategies.
Passkeys are often integrated with biometric authentication systems, such as facial recognition or fingerprint scans. Biometrics is one of the most crucial advancements of multi-factor authentication in recent years. Passkeys are designed to combine the factors hardest to hack: “what-you-have” (i.e., the private key) and “what-you-are” (i.e., your biometric information). This has the potential to significantly bolster security beyond two factor authentication, protecting against common threats like phishing attacks.
Biometric authentication adds a level of physical proximity and personalization to the security process for online users and businesses as well. For instance, a user might use a face scan on their Apple device to authenticate their identity, which then grants access using the passkey. It’s more secure than passwords but also faster and more convenient, reducing the average time spent authenticating.
Perhaps the most important element for adoption of newer authentication methods is the user experience. Fortunately, passkeys leapfrog the WebAuthn UX dilemma in one crucial way: the ability to sync authentication across multiple devices.
As with WebAuthn, logins with passkeys are almost instantaneous, often requiring just a simple biometric check or the proximity of a device. However, while the technical backbone of passkeys lies in WebAuthn technology, what makes them truly unique is that you can sync them across multiple devices. The single-device limitations of WebAuthn may have finally met their conqueror.
This combination of passkeys and the cloud (as well as bluetooth/NFC technology if the user is physically close to their devices) now means it’s possible for a passkey created on your laptop to be easily ported over to your phone, unlocking the device and its applications alongside a whole new level of UX joy.
Not surprisingly, operating systems like Windows and macOS, along with mobile platforms such as iOS and Android, have thrown their confidence behind the future of passkeys. With cloud support from these major players (iCloud, Google Cloud, and Azure), and the likely widespread adoption that results, users can enjoy the exact same (minimal) security and authentication steps on any device they use – whether on desktop or smartphone, Android or iOS.
As we continue to witness broader adoption, passkeys are uniquely positioned to redefine digital authentication for the better, ensuring a safer and more efficient digital experience for businesses, developers and users worldwide.
Despite the incredible flexibility and efficiency they can provide, a seamless passkey authentication experience hinges on cross-platform compatibility – and not every end user will be set up for this given the variance among operating systems and devices. Being able to log in to your Chrome browser using a passkey stored on your Apple device sounds amazing but may not be an experience within reach for some developers and their users.
Some of the challenges to adoption of passkeys facing businesses, developers, and end users include:
With these challenges in mind, Stytch can offer both the passkey enthusiast or the password adherent multiple options to face the ever-evolving threats in auth land. We recommend an approach to passkeys that thoughtfully balances the needs of your end users with the security requirements of your industry. One size fits all doesn’t apply here. Read more on Stych’s approach to passkeys and how we can help businesses and developers find the strategy that fits their user’s best.
Not ready to move forward on passkeys but want to improve your password setup? By anticipating our human tendency towards password reuse, Stytch has built breach-resistant layers into our Passwords solution so you can protect your users against using weak and compromised credentials and prevent data breaches.
To learn more about our approach to biometrics — and how we’re opening the door to multi-device, phishing-resistant passkeys — get in touch with one of our auth experts. You can also sign up for a free account to try our solutions out for yourself.