Passkey authentication is gaining popularity and is being used by an increasing number of websites and applications as either a primary or secondary authentication method. Passkeys offer advantages over traditional authentication methods by enhancing security through cryptographic principles and improving user convenience by eliminating the need for complex passwords. Since passkeys are still in their infancy, there are limited guidelines on their usage– leading to poor implementations and inconsistencies across the industry. We expect that as the technology matures and adoption accelerates passkeys will become the de facto authentication standard on the internet. Read this article to understand the key design and implementation practices to follow when integrating passkey support into your online services.
Passkey Overview
The W3C WebAuthn Community Adoption Group and members of the FIDO Alliance designed passkeys using public-key cryptography to securely, efficiently, and seamlessly authenticate users of online services. When users register or enroll with an online service, their device generates a cryptographic public-private key pair for that service. The private key is kept on the device, and the public key is shared with the online service. For authentication/sign-in, the user's device proves possession of the private key by signing a challenge. The challenge-response mechanism between the device and the service completes the sign-in, with the service never seeing or storing the private key. This design ensures user privacy and prevents phishing, as passkeys are unique across different domains and the private key never leaves the user’s device. Because of this, passkeys offer a frictionless experience for customers as opposed to traditional passwords. According to Google, passkeys have a login success rate four times higher than passwords and allow users to log in twice as fast.
Best Practices for Passkey Implementation
Although passkeys are easier to use and more secure, they are more complex to implement than regular passwords. IT leaders responsible for leading the integration of passkeys into their systems should follow these best practices.
- Keep password support. Although the aim is to replace passwords, passkeys are still new and not yet generally accepted by everyone. Implementing passkeys does not mean your application should stop using passwords outright. Users should have the option to choose between passkeys and passwords. It's crucial to respect user preferences and provide fallback authentication options, especially for those who may not be ready to adopt passkeys immediately.
- Prompt users to use passkeys when carrying out account-related tasks. To enhance security and the user experience passkeys should be introduced to users when users carry out account-related activities such as:
- Signing in
- Using account settings
- After account recovery
- Reauthorization.
- Make creating and managing passkeys straightforward. Passkey management settings should also be included within user account settings, enabling users to add, remove, recover or change their passkeys seamlessly.
- Implement cross-platform support to ensure that passkeys work across different ecosystems (Apple, Google, Windows) and that they support local and cloud-based storage. This would allow users to create a passkey on one device and use it to authenticate using other devices without the need for re-authentication. Use features like cross-device authentication to enhance user convenience and security. Additionally, ensure your websites implement passkeys in a way that allows them to be used across different browsers. The FIDO Alliance provides a detailed flow on how to implement this.
- Provide support for multiple passkeys. Websites should allow users to register multiple passkeys for the same account. This provides flexibility and ensures users are not locked out of their accounts if they lose access to their devices.
- Follow accessibility best practices. Passkey implementation should be accessible and adhere to Web Content Accessibility Guidelines (WCAG), ensuring compatibility with screen readers so that all passkey interactions are readable and easy to navigate. Implementation should, for example, consider users with motor impairments by providing alternatives to QR codes. Additionally, designs should offer larger clickable areas or alternative methods that do not require precise movements.
- Support user-friendly communication, feedback and iteration. When introducing passkeys, websites should communicate the benefits and ease of use to users. Sites and applications could prompt users, explaining that they would no longer need a username or password if they use a passkey to log in with that device. Regular testing and user feedback are essential to ensure the passkey system is intuitive and meets user needs.
Recommendations
Passkeys enhance user experience while maintaining security, making them ideal for any website or application because higher user sign-in rates lead to increased user engagement. Use the following recommendations along with passkey integration best practices to implement passkeys in your online services.
- Plan thoroughly before implementing passkeys. Begin discussions with senior leaders and development teams about this authentication approach. Before implementing, it is important to understand the passkey use cases your organization must cover. Ensuring interoperability and seamless integration across multiple systems and platforms is also important, so it is crucial not to dive in with implementation until you are fully ready.
- Make use of developer resources. Passkey implementation is not as straightforward as password implementation so it is important to use developer resources provided with tools, libraries, use cases, and examples of passkey implementation. The Passkeys Dev website is a good resource provided by the W3C WebAuthn Community Adoption Group and members of the FIDO Alliance for passkey adoption.
- Utilize third-party libraries for passkey adoption. Instead of implementing passkeys from scratch, use third-party libraries that may be more comprehensive and cover more passkey-related use cases. It is crucial to ensure that these f third-party libraries are secure and that the providers employ robust security practices before you use them. Start with WebAuthn Awesome and Simple Web Authn. Simple Web Authn also provides examples for setting up passkeys with Express and React.
Bottomline
While transitioning to passkey authentication may appear challenging, passkeys' increasing popularity and advantages are undeniable. Plan carefully and implement best practices to achieve success.
References
- Making authentication faster than ever: passkeys vs. passwords, Silvia Convento, Google Security Blog, May 2023
- Design Patterns, FIDO Alliance, n.d.
- Considering synced passkeys for your enterprise? Avoid the pitfalls that increase risk and cost exposure, Yubico, n.d.
- White Paper: Multi-Device FIDO Credentials, FIDO Alliance, March 2022