What are Passkeys?

1/20/2023 Jing Gu

As a developer, you've probably heard of passkeys. But what are they exactly? And why should you care? With many big names in tech ditching traditional passwords for passkeys, there's no better time to get acquainted with this new form of authentication. In this blog post, we'll explore what passkeys are, how they work, and why they're so important for developers to understand.

What are passkeys?

Introduced by FIDO, an open industry association that develops open standards for authentication, a passkey is, at a high level, a password replacement. On a technical level, a passkey is a FIDO credential composed of a cryptographic public-private key pair. A passkey can be multi-device or single-device.

  • Multi-device passkeys refer to passkeys managed by a user's phone or computer operating system and synced between the user's devices via the operating system's cloud service. For example, if a user creates a passkey on their iPhone, it is synced to their MacBook via iCloud. 
  • Single-device passkeys refer to passkeys that cannot be copied from the device on which they were created. This provides greater security assurance since the passkey is never exposed to the cloud. Beyond Identity Universal Passkeys are single-device passkeys to maximize security while ensuring that the user can securely extend their passkey to additional devices.

In combination with a local device biometric or PIN, passkeys help ensure that only the rightful owners of accounts can gain access securely. They also improve user experience by reducing friction during onboarding processes, making it easier and quicker for users to create accounts and securely log in.
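A relying party can tell the two kinds of passkey apart, and confirm that a biometric or PIN was used, from the flags byte of the WebAuthn authenticator data. The following is an added example, not code from the original post or from Beyond Identity; it assumes the flag layout of the WebAuthn specification (UP, UV, BE "backup eligible", BS "backup state"), which the post itself does not mention, and the function names and sample buffers are hypothetical.

```javascript
// authenticatorData layout: 32-byte rpIdHash | 1-byte flags | 4-byte big-endian signCount | ...
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(authData) {
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    throw new RangeError('authenticatorData must be at least 37 bytes');
  }
  const bits = authData[32];
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) flags[name] = (bits & mask) !== 0;
  // "Backed up" without "backup eligible" is not a valid combination: reject it.
  if (flags.BS && !flags.BE) throw new Error('invalid flags: BS set without BE');
  return { rpIdHash: authData.subarray(0, 32), flags, signCount: authData.readUInt32BE(33) };
}

// Hypothetical policy helper: classify the passkey and require user verification.
function classifyPasskey(authData, { requireDeviceBound = false } = {}) {
  const { flags, signCount } = parseAuthenticatorData(authData);
  const kind = flags.BE ? 'multi-device' : 'single-device';
  const reasons = [];
  if (!flags.UP) reasons.push('user not present');
  if (!flags.UV) reasons.push('no biometric/PIN verification');
  if (requireDeviceBound && flags.BE) reasons.push('credential is syncable');
  return { kind, backedUp: flags.BS, signCount, accepted: reasons.length === 0, reasons };
}

// Constructed sample input: zeroed rpIdHash, chosen flags byte, chosen signCount.
function sample(flagsByte, count) {
  const buf = Buffer.alloc(37);
  buf[32] = flagsByte;
  buf.writeUInt32BE(count, 33);
  return buf;
}

console.log(classifyPasskey(sample(0x1d, 7)));                               // synced passkey
console.log(classifyPasskey(sample(0x05, 0), { requireDeviceBound: true })); // device-bound passkey
```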

What can developers do with them?

Increase the security of applications

Passkeys help protect user accounts from unauthorized access. With no password used, it's much harder for a bad actor to gain access to a user's account via brute force attacks, stolen credentials, or phishing attacks.

  • Phishing-resistant: Unlike SMS one-time passcodes (OTP) and push notifications, passkeys cannot be phished. Phishing is a social engineering attack in which an adversary uses email or a threat-actor-controlled website to get the user to enter their credentials. Passkeys transfer the responsibility of detecting whether a link is valid away from the end user.
  • Shields against sophisticated password-based attacks: Passkeys guard against credential stuffing and other password-based attacks because they allow companies to authenticate users without a shared secret.
  • Significantly decrease account takeover fraud: Passkeys also help substantially reduce account takeover fraud by making it more difficult for hackers to access user accounts.
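The phishing-resistance and no-shared-secret points above come down to a few server-side checks on a WebAuthn assertion. The following is an added example, not code from the original post or from Beyond Identity; `example.com`, the lookalike origin, the challenge strings and the `simulateAssertion` helper (a constructed stand-in for the browser and authenticator) are all assumptions made for illustration.

```javascript
const { createHash, createSign, createVerify, generateKeyPairSync } = require('node:crypto');

const RP_ID = 'example.com';             // assumed relying-party ID
const RP_ORIGIN = 'https://example.com'; // assumed legitimate origin
const sha256 = (data) => createHash('sha256').update(data).digest();

// Relying-party checks; the server stores only the public key, never a shared secret.
function verifyAssertion(assertion, expectedChallenge, publicKey) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expectedChallenge) return 'challenge-mismatch';
  // The browser, not the user, writes the requesting origin into clientDataJSON.
  if (client.origin !== RP_ORIGIN) return 'origin-mismatch';
  // authenticatorData starts with SHA-256(rpId), followed by the flags byte.
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpid-mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const ok = createVerify('sha256').update(signed).verify(publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed stand-in for browser plus authenticator, used only to make sample input.
function simulateAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = createSign('sha256').update(signed).sign(privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl'; // constructed; real ones are random per login
  const genuine = simulateAssertion(privateKey, challenge, RP_ORIGIN, RP_ID);
  const lookalike = simulateAssertion(privateKey, challenge, 'https://example.com.login.test', RP_ID);
  const tampered = { ...genuine, signature: Buffer.from(genuine.signature) };
  tampered.signature[tampered.signature.length - 1] ^= 0xff;
  return {
    genuine: verifyAssertion(genuine, challenge, publicKey),
    lookalike: verifyAssertion(lookalike, challenge, publicKey),
    staleChallenge: verifyAssertion(genuine, 'ZGlmZmVyZW50', publicKey),
    tampered: verifyAssertion(tampered, challenge, publicKey),
  };
}

console.log(demo());
```

Only the genuine assertion returns `ok`; the one collected on the lookalike origin is rejected without the user having to judge the link.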

Accelerate onboarding and user experience

Passkeys also improve the user experience by reducing friction during account creation, authentication, and account recovery processes. This helps speed up onboarding times and reduces the number of hoops users have to jump through to access their accounts.

  • No passwords: Passkeys provide a secure and easy way to authenticate users without needing passwords or enforcing password complexity rules. This eliminates friction from user registration, leading to lower drop-off and accelerated onboarding.
  • Reduce customer support costs: By eliminating long-forgotten passwords, passkeys can reduce customer support costs by freeing up resources that would have otherwise been spent helping customers log in.
  • Familiarity with local device biometrics and PINs: Multi-factor authentication with passkeys relies on local device biometrics and PINs, which users are already familiar with, so they don't need to learn new software or take on additional training.

Future-proof applications

Passkeys are designed to be future-proof—they can easily integrate with existing frameworks and technologies. This makes them ideal for developers who need to quickly and securely build authentication features into their applications.

  • Increase competitive advantage: As more companies move toward passwordless authentication, developers can help their organization stay ahead of the curve by implementing passkeys into their applications.
  • Provide user flexibility for authentication: Passkeys allow users to choose their preferred authentication method and make it more convenient.
  • Improve app accessibility: Passwords present a few barriers to accessibility for users with disabilities, which make them difficult if not impossible to use. Passkeys open up additional biometric modalities such as fingerprint or facial biometrics, as well as possible deployment models such as local PIN entry and QR code scans.

How can developers implement passkeys?

There are several different ways developers can implement passkeys. The most popular approach is to use an API or SDK for authentication. This allows developers to integrate the passkey solution into their existing applications and websites quickly and easily.

Alternatively, you can build passkey support with WebAuthn and operating system-specific FIDO APIs. Apple and Google have documentation dedicated to this option.

Developers can also use third-party authentication services such as Beyond Identity to set up and manage passkey authentication quickly. These services are easy to integrate, cost-effective, and have various features that help developers get their products off the ground quickly.

Conclusion

Passkeys are a powerful and effective way of keeping user data secure. By implementing them, developers can protect their applications or websites from unauthorized access while providing a better user experience in the digital world by replacing the root cause of user headaches and security issues—the password. 

Beyond Identity is FIDO2 certified and our Universal Passkey Architecture ensures compatibility with all operating systems, browsers, application environments, and identity protocols. You can start building for free: https://www.beyondidentity.com/developers/signup