
The passkey standard has reached a precarious moment. Let’s not blow it, OK?

Out of nowhere, I got a message from my father asking, “What distinguishes a password from a passkey?”

At some point during his routine online activities, a website or app—referred to as a “relying party” in authentication terminology—prompted him to generate a passkey. However, he didn’t understand the advantages and felt no urgency. He assumed I would have the knowledge about passkeys and what steps to take when he encounters a prompt to create one. I replied, “Let’s discuss this before you proceed.”

Notifications like the one my father received will become more frequent in our everyday digital experiences. In fact, you’re part of the technology sector’s grand initiative to replace passwords with passkeys.

I support that initiative, but I’m not as hopeful as others might be about how quickly it will happen.

Obstacles to acceptance

While the current plan has a robust technical basis, several key elements are obstacles to immediate acceptance. For instance, the process of establishing a passkey for a specific website should ideally be straightforward (and it sometimes is); however, completely removing that passkey still requires a manual, multi-step approach that has not yet been automated.

Additionally, some current implementations of passkeys for users are so diverse that they may confuse individuals seeking a familiar, recognizable, and consistently repeatable user experience (similar to logging in with a user ID and password).

As long as these and other challenges persist, you have ample opportunity to consider a more comprehensive strategy for transitioning to passkeys, and fortunately, time for revising that strategy if needed.

Since 2021, when Apple first demonstrated an implementation of the passkey standard it had developed alongside Google, Microsoft, and other major companies under the FIDO Alliance, numerous articles have been published on ZDNET and other platforms discussing the advantages and adoption of passkeys—for individuals and organizations. In essence, the fundamental concept behind passkeys is to eliminate passwords. Due to various factors—including our persistent forgetfulness and lack of awareness of best practices (e.g., never reusing the same password across multiple sites!)—passwords have become a nuisance, and their removal could finally put an end to phishing and smishing scams.

Enthusiasts of passkeys often refer to logins based on passkeys as “passwordless authentication.” If passwords aren’t submitted to relying parties, then they can’t be given to malicious actors either. However, even though some websites and apps support passkeys, it doesn’t signify that they’ll be retiring passwords any time soon. As long as user IDs and passwords remain an acceptable means of authentication, hackers will continue to successfully phish and smish for them.

The magic of passkeys

Regardless of whether your authentication details consist of a password or a passkey, the process always relies on a secret. After three decades of compromised passwords, drained bank accounts, stolen identities, and a wide array of other dreadful consequences, the tech industry recognized the undeniable truth: we are poor at safeguarding passwords.

Despite implementing temporary fixes—like one-time codes sent via text, authenticator applications, and various additional factors of authentication—passwords have continued to prove vulnerable. In some instances, malicious actors have managed to breach security, while in other cases, legitimate users have ended up locked out. As the saying goes, “You can’t put lipstick on a pig.”

Proponents of passkeys claim that they will signal the end of the password era. However, the reality is that the password effectively died long ago, albeit in a different manner. We have all relied on passwords without fully grasping the underlying processes. A password represents a specific type of secret—a shared, or symmetric, secret.

To use most online services and applications, establishing a password requires first sharing that password with the relying party, which is the operator of the website or application. While history has shown that shared secrets can work effectively in highly secure and often temporary situations (e.g., encrypted data transmission through tunnels), if the site HaveIBeenPwned.com teaches us anything, it's that authentication for sites and apps isn't one of those scenarios. Passwords are far too easily compromised.

A passkey, on the other hand, relies on a secret that is never shared. This secret—the private key of a public/private key pair—remains solely with the end user and is never presented to the relying party. It is not revealed when the end user sets up or resets their credentials with a relying party, nor during the login process. If you’re familiar with cybersecurity and suspect the involvement of public key cryptography, your instincts are likely correct. The technical side of the passkey user experience follows the typical workflow of public key cryptography.
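To make the paragraph above concrete, here is an added example (this editor's own, not code from the article, the FIDO Alliance, or any vendor named here) that models the challenge/response flow in Go: the authenticator keeps the private key, the relying party stores only the public key plus a one-time challenge, and the signature covers the relying party's identifier as well as the challenge. The type and function names, the `bank.example` site and the user `dad` are constructed for the illustration; real WebAuthn messages carry more fields (authenticator data, client data, signature counters) than this sketch does.

```go
// Added example, not code from the article: a minimal model of the passkey
// challenge/response flow. Names, "bank.example" and user "dad" are constructed.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty holds what a site stores per user: a public key, never a secret.
type RelyingParty struct {
	ID         string                      // e.g. "bank.example"
	publicKeys map[string]*ecdsa.PublicKey // user -> registered public key
	pending    map[string][]byte           // user -> outstanding one-time challenge
}

// Authenticator models the user's device or credential manager; the private
// keys it holds are scoped to one relying party and never leave it.
type Authenticator struct {
	privateKeys map[string]*ecdsa.PrivateKey // rpID + "/" + user -> private key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{privateKeys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a key pair on the authenticator and hands only the
// public half to the relying party.
func Register(rp *RelyingParty, a *Authenticator, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.privateKeys[rp.ID+"/"+user] = priv
	rp.publicKeys[user] = &priv.PublicKey
	return nil
}

// IssueChallenge returns a fresh random nonce for the client to sign.
func (rp *RelyingParty) IssueChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedDigest covers the RP ID as well as the challenge, so a signature
// produced for one site is useless at another.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge with the key scoped to rpID/user. For a site the
// user never registered with there is no key, so nothing can be signed.
func (a *Authenticator) Sign(rpID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.privateKeys[rpID+"/"+user]
	if !ok {
		return nil, fmt.Errorf("no credential for %s at %s", user, rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// Verify accepts a signature only over the outstanding challenge for that
// user, then consumes the challenge so a replayed signature fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.publicKeys[user]
	want, pendingOK := rp.pending[user]
	if !ok || !pendingOK || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

// LoginOnce runs one challenge/response round and returns the challenge and
// signature so a caller can see that presenting them a second time fails.
func LoginOnce(rp *RelyingParty, a *Authenticator, user string) ([]byte, []byte, bool) {
	c, err := rp.IssueChallenge(user)
	if err != nil {
		return nil, nil, false
	}
	sig, err := a.Sign(rp.ID, user, c)
	if err != nil {
		return nil, nil, false
	}
	return c, sig, rp.Verify(user, c, sig)
}
```

Two properties of the sketch map onto the article's claims. Nothing the relying party stores or receives (public key, challenge, signature) lets anyone log in as the user, which is why a breached passkey database is not the catastrophe a breached password database is. And because the authenticator only has keys scoped to the site the user registered with, a look-alike site cannot even obtain a signature, which is the mechanism behind the phishing resistance the article mentions.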

For non-technical individuals, such as my dad, the concept of logging into a website or application without being prompted for a secret password can seem almost magical. If you’ve experienced the seemingly magical functionality of passkeys—when they operate as intended (which isn’t always the case)—it indeed feels like a form of magic. My father was skeptical when I explained this to him. Perhaps you feel the same way?

The passkey user experience noticeably lacks any elements that give the impression of an ongoing exchange. It operates at an unsettlingly quick pace and requires little thought. At the same time, the necessity of secret passwords to safeguard nearly everything (including our homes) is so ingrained in our psyche that suggesting an alternative—especially something “passwordless”—seems almost blasphemous.

Derek Hanson, Yubico's vice president of standards and alliances, agrees. Yubico manufactures a range of small USB and wireless (NFC) devices on which users can store their passkeys for various sites and applications. Hanson is also actively involved in multiple working groups at the FIDO Alliance, including those focused on user experience and marketing communication.

Skeptical users

"There is indeed a password dilemma. Few would dispute that fact. For the last 30 or 40 years, we have conditioned people to understand how passwords function online. And it's true that relying parties have made significant strides to enhance the user experience," Hanson told ZDNET. "However, we have become so accustomed to the obstacles and frustrations associated with passwords over the years that we've simply been worn down as users, accepting that this is how the internet operates."

Hanson expresses concern that the passkey standard is at a critical juncture in its brief history; a substantial number of users have been introduced to the passwordless technology—and even experimented with it—but still lack the assurance to abandon their user IDs and passwords entirely.

“We are currently at a pivotal moment,” mentioned Hanson, indicating that users are weighing the external dangers of hackers seizing their accounts if they cling to their passwords against a lingering fear that transitioning to the new technology may lead to account lockouts.

His worries are valid.

Based on my thorough evaluations of passkeys (which I will detail here on ZDNET) and other concerning reports, the foundational technology is reliable. Nevertheless, the widely varying user experiences that are built on top of this foundation cannot possibly foster user confidence. A recent article from Microsoft suggests that the security advantages of passkeys alone will not motivate user acceptance. User experience designers must meticulously consider “every pixel” of the user interface.

“[As it stands now], I don’t believe it’s ready for certain individuals with specific computer skill levels. I think it isn’t quite developed enough due to all the rough edges,” said Hanson. “That being said, there is a focused initiative to push for improvements across platforms and relying parties.”

When a single entity like Microsoft controls all three components of a passkey login—the relying party, the platform, and the credential manager—as happens when a user logs into Microsoft 365 (the relying party) from a Windows-based PC (the platform, which has a built-in credential manager), that entity has complete authority over the entire passkey process and over how smoothly the three components are integrated.

However, when the user attempts to log into a Gmail account from a MacBook Pro on which they have chosen Bitwarden for credential management, three independent parties are involved. Google's Gmail serves as the relying party, Apple's macOS acts as the platform, and Bitwarden operates as the credential manager. None of the three has total control over the entire user experience, and each may have conflicting interests.

In such scenarios and others like them, the chances of achieving a user-friendly, confidence-inspiring outcome are significantly reduced. To eliminate the rough edges, far greater collaboration among the various stakeholders will be essential.
