Already buoyed by the support of tech giants Apple, Microsoft and, most recently, Google, passkeys have taken another major step along their journey toward becoming a ubiquitous replacement for conventional passwords.
At the 2023 Identiverse conference, the nonprofit standards organization FIDO Alliance unveiled its new user experience guidelines for passkeys. A passkey is a public-key credential that is generated and stored securely on the user’s device when that person registers with a web application or service; the user unlocks it locally with a biometric or a PIN, and only the public key is sent to the service. Among the various benefits: Users have no credentials to remember, and because a passkey is bound to the site it was created for, it cannot be handed over in a phishing scam. Moreover, passkeys can be synced across multiple user devices without having to re-enroll each time.
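To make the phishing-resistance claim concrete, here is an added example written for this article (it is not FIDO Alliance code nor a WebAuthn reference implementation): a cut-down Go model of the WebAuthn assertion ceremony. The authenticator signs over its authenticator data plus a hash of the browser-supplied clientDataJSON, which records the origin the user was actually on, and the relying party rejects any assertion whose challenge, origin or RP ID hash does not match its own. The Authenticator, Assertion and RelyingParty types, the credential-ID scheme and the domains example.com and examp1e.com are this example’s own assumptions; the clientDataJSON fields and the authenticatorData layout follow the WebAuthn specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors the CollectedClientData fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the RP's challenge
	Origin    string `json:"origin"`    // written by the browser, never by the page
}

// Assertion is what the relying party receives from navigator.credentials.get().
type Assertion struct {
	CredentialID                                 string
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// Authenticator models the device-side key store (hypothetical layout): the biometric or PIN unlock is local, only signatures leave.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair for rpID and returns only the credential ID and public key.
func (a Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	credID := fmt.Sprintf("%s/cred-%d", rpID, len(a)+1) // hypothetical ID scheme; real IDs are random bytes
	a[credID] = priv
	return credID, &priv.PublicKey, nil
}

// Sign builds clientDataJSON and authenticatorData and signs SHA256(authData || SHA256(clientDataJSON)).
// origin is whatever the client reports; a genuine browser fills it in itself, which is what Verify relies on.
func (a Authenticator) Sign(credID, rpID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a[credID]
	if !ok {
		return Assertion{}, fmt.Errorf("authenticator: no credential %q", credID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(append(rpHash[:], 0x05), 0, 0, 0, 1) // rpIdHash || flags (UP|UV) || 4-byte sign counter
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{credID, ad, cd, sig}, nil
}

// RelyingParty stores public keys only: a breach of this table yields nothing that can log in.
type RelyingParty struct {
	ID, Origin string // e.g. "example.com" and "https://example.com"
	Creds      map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, Creds: map[string]*ecdsa.PublicKey{}}
}

// Verify applies the assertion checks that defeat phishing and replay: the signed clientDataJSON must
// carry our challenge and our origin, authData must be for our RP ID, and the signature must verify.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	pub, ok := rp.Creds[as.CredentialID]
	if !ok {
		return fmt.Errorf("unknown credential %q", as.CredentialID)
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return fmt.Errorf("challenge mismatch (replay?)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: assertion was made on %s, not %s", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

To exercise it, call Register on an Authenticator{}, store the returned public key in RelyingParty.Creds, and call Sign with the origin a client reports. An assertion produced on a look-alike origin such as https://examp1e.com fails Verify with an origin mismatch even though the user’s biometric unlocked a real key, and the same assertion replayed against a fresh challenge fails too. In a real browser the page never gets to choose the origin field at all, and the browser additionally refuses to use an RP ID that is not the page’s host or a registrable suffix of it, so a phishing page usually cannot obtain such an assertion in the first place. The model omits the sign-counter comparison, user-verification policy and credential-to-account binding that a production relying party also checks.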
While the demise of passwords is likely not imminent, this latest announcement certainly represents progress for organizations that seek a more secure way of facilitating user access.
Andrew Shikiar, executive director and CMO at FIDO Alliance, detailed the new UX guidelines, plus other steps the organization has taken over the last year to address some of the more legitimate concerns surrounding passkeys that were expressed at the previous year’s Identiverse conference.
Shikiar listed three key issues expressed by skeptics over the past year: asking users to change their behaviors after decades of passwords; the risks of syncing private keys via a cloud service within an enterprise setting; and fear that the aforementioned tech giants might dominate this space and dictate how other organizations conduct authentication.
“These are all good questions that we as an alliance, as a body, had to work through,” said Shikiar. “Happy to share today that we’ve made some progress on all fronts, providing some answers to these pointed questions.”
Regarding concerns over users’ reluctance to change their ingrained password habits, FIDO Alliance believes the UX guidelines for passkey creation and sign-up could help break down resistance by ensuring a favorable experience.
“We have the best and brightest authentication engineers pouring hours upon hours into our specifications with UX. We have … experts in design, in user interface and accessibility, all collaborating inside the FIDO Alliance’s UX working group to help steer this project,” said Shikiar, adding that over 30 companies and dozens of contributors have taken part in the effort.
The research conducted during the formation of these guidelines yielded some significant observations.
“The big ‘aha’ that we found is that passkeys present a very different user journey than we anticipated for enrollment,” Shikiar explained. “It’s a different user journey than you do for WebAuthn enrollment. And that was a big finding that we had. And every early adopter has basically run into the same thing. In fact, we’ve talked to two or three companies who have deployed passkeys and then saw our UX guidelines. And their feedback was, ‘Well geez, this could’ve saved me probably about two months of development time and countless dollars.’”
Among the tips included in the new UX guidelines: Help familiarize users with the concept of passkeys by associating the technology with security experiences people already know; make passkeys a primary option in account settings; and design your user experience around your company’s own unique security and business needs.
Shikiar also said he understands the trepidation around the syncing of private keys — but “we did it for a purpose. We did it to increase usability and drive consumer adoption at scale.”
“That being said, we also want passkeys to work in the enterprise,” Shikiar continued. “And if we want passkeys to be an inevitability, it means we need to give guidance to enterprises on how to utilize passkeys for workforce authentication.”
Passkeys to come from companies other than Apple, Google and Microsoft
To that end, Shikiar announced that FIDO Alliance this June will be releasing a series of papers — developed by its enterprise-focused members — that examines various corporate use cases for passkeys. This effort will also be supplemented by a June 29 virtual summit on this same topic.
Shikiar also reassured the crowd that passkeys would not become the domain of Apple, Google and Microsoft.
“[They] are never meant to be solely the remit of the big three platforms. We know that … would never fly at worldwide scale,” he said. “In fact, the [big-tech] platforms themselves are deeply, deeply committed to enabling other companies to serve as passkey providers.”
Still, “the concern here has always been: How do you enable this at scale? How do you make sure this happens in a secure way?” Shikiar added. “Because if someone’s passkey repository is jeopardized, then the whole thing comes crumbling down.”
To ease fears in that regard, Shikiar noted that several leading credential providers within the FIDO Alliance’s membership community already have products available today that allow users to sync their passkeys. Moreover, “we’re working on a program that will delineate passkey providers who are doing so in a fully secure way that protects, encrypts the passkeys and ensures that clouds are fully secure,” he said, noting that this offering will hit the market “in the next couple of months.”
Passkeys still have some evolving to do, Shikiar acknowledged (for example, in the area of attestations). “But make no mistake: Passkeys are built upon a fully mature foundation and are ready for prime time,” he stated. “They’re building on many, many years of contributions, iterations and expertise… We’ll see many, many more brands embracing passkeys in the months to come.”
Alex Simons, corporate VP, identity and network access product management at Microsoft, echoed those sentiments during his own keynote session.
“A year ago, I was highlighting how excited I was about the fact that Microsoft, Google and Apple had all agreed to endorse passkeys, the latest version of the FIDO protocols, and that we were going to build those directly into our platforms,” said Simons. “This year at World Password Day you probably, hopefully, saw a ton of the coverage. It’s happening. All of the mobile platforms… now have support. Microsoft, of course, for Windows has had support for a long time. And we are finally at the point where passkeys and passwordless authentication can start to go mainstream for a broad set of consumers.”