As passwordless identity becomes mainstream, the term “passkey” is quickly becoming a new buzzword in cybersecurity. But what exactly is a passkey and why do we need them?
A passkey is a digital credential that can only be used by the authorized user. This commonly requires unlocking a device with a biometric marker (such as facial or fingerprint scan) or a unique factor (e.g., a PIN). Essentially, if your device asks for your fingerprint or face scan to “sign in” with Google, Apple, or a social media site, it’s likely to soon ask you to activate a passkey.
Passkey use was fast-tracked last year when tech giants such as Apple, Google and Microsoft announced support for them in their products. Apple made passkeys automatic in its latest iOS releases, Microsoft expanded passkey use in Windows 11, and Google enabled them in Chrome and on Android devices, extending them to services such as DocuSign and PayPal. In October 2023, Google started offering passkeys as the default method for users signing into their accounts.
The evolution of passkeys
But, when it comes to passkeys, the devil is in the details. That’s because the term has come to mean different things to different people. Consider Fast Identity Online (FIDO), the open-source authentication standard that provides a way to bind an identity to a device and enable passwordless authentication. FIDO passwordless credentials are often confused with passkeys, and even the FIDO Alliance embraces the term “passkey” to describe FIDO passwordless credentials since the term has gained so much traction.
But FIDO is a single-touch multi-factor authentication (MFA) experience that has evolved into a passwordless experience. Behind the scenes is an encrypted key in the user’s possession, usually in a secure password vault. This replaces the traditional approach of storing passwords in a centralized server—the source of many account compromises and phishing problems for decades.
Passkey adoption will grow exponentially since FIDO is built into popular browsers and platforms. However, there is still confusion in the marketplace about their use. For example, when passkeys were first introduced, most deployments were limited to a single browser. When a user acquired a new device, it had to be re-registered, which meant going back to — you guessed it — a username and password for authentication, thereby defeating the goal of portability.
The challenges and promises of passkeys
Recent advancements now allow private keys to roam between devices, improving usability for enterprises but also introducing the risk of users willingly sharing their keys with bad actors or falling victim to a phishing attack.
For enterprises, it is possible to restrict the number of devices that can use a passkey. In this case, a device-bound passkey needs a device attestation, so that the key works only on one phone, or only on a device authenticated via a hardware token such as a YubiKey. It then becomes much more complicated, almost impossible, for another person to use that device unless the authorized user unlocks it.
Adding a FIDO solution makes it much easier for developers to code these protections into all applications. Drop a couple of lines of code into the app, and the solution can take care of the rest. It will detect whether a browser can accept a passkey and handle all the necessary handshake processes. The next time the user tries to log in, the device will prompt them to use the proper mechanism—Touch ID, Face ID, Windows Hello or some other platform authenticator.
Additionally, a FIDO solution can enforce policies that can be implemented to adapt to the level of risk of a transaction or application. This ability eliminates the need to build that policy enforcement downstream into each application.
A third benefit accrues when users want to work across different applications at the same company. Having a single passkey work across all the applications a user is authorized to access provides a single sign-on protected with MFA.
Enabling the widespread use of passkeys — whether on Apple iOS, Google Android or web browsers — requires a platform that supports any FIDO authenticator. By allowing a user to switch between devices, including physical tokens, with minimal effort, passkeys can play a key role in passwordless authentication user journeys.