Many aspects of our lives are becoming increasingly reliant on digital services. The pandemic accelerated the widespread adoption of digital services, providing the ideal opportunity for cyber criminals to exploit the growing presence of consumer information online. On the other hand, consumers have continued to rely on basic security measures, such as passwords, to protect their personal data. Apple, Google, and Microsoft are now spearheading a major initiative to improve online authentication security, with the goal of eliminating passwords entirely through passkeys.
Passkeys work by generating a one-of-a-kind digital key that is only valid for one account. This key is only stored on the user’s own device(s), rather than on a server, so it cannot be obtained through a mass data breach. Passkeys cannot be phished from customers because they only work for the site or app for which they were created. They only require biometric input from the user, such as their face or fingerprint, and thus do away with the need for passwords entirely.
Passwords have long outlived their utility. They are detrimental to both cyber security and the user experience. When a password is used as the sole form of security, any account is highly vulnerable to compromise, as cyber criminals have several, often very effective, tools at their disposal to obtain passwords. The scope of digital identity fraud is enormous – and expanding.
Three years ago, Microsoft revealed that it saw more than 300 million fraudulent sign-in attempts to its cloud services each day. The UK government’s Cyber Security Breaches Survey 2022 found that organizations were reporting 15% more breaches in the lead-up to March of this year than during the previous 12-month period.
Passwords are also not user-friendly; they are difficult to remember, especially when a user wants to use a strong password that includes a long string of numeric and alphanumeric characters. And, because users typically have multiple accounts, it’s more tempting to reuse the same password – a decision that can result in all of one’s accounts being compromised if a single account is compromised.
All three tech giants have been working closely with the FIDO Alliance to introduce passkeys, which are a much more secure and effective successor to password-based security. The commitment of these major players to passkeys is likely to drive a rapid change in consumer behavior and expectations. But will other enterprises be ready to respond?
The growth of two-factor authentication
The technology industry has made significant progress in developing solutions to these problems. The rise of two-factor authentication (2FA) has reduced the risks associated with passwords by introducing a verification step that employs information that cannot be easily intercepted. Two-factor authentication has proven to be extremely effective. In 2021, Google began auto-enabling 2FA for user accounts; by the end of the year, 150 million users were enrolled, and a 50% decline in compromised accounts was reported.
Though there is evidence of an overall increase in the use of 2FA, the rate of adoption remains slower than it should be. On Twitter, for example, only one in 40 users (2.6%) used 2FA in the second half of 2021. The UK government’s annual Cyber Security Breaches Survey looked at 2FA for the first time this year and found that only around one third of businesses (37%) and charities (31%) had a requirement for employees to use 2FA when accessing their organization’s network and other applications. While 2FA usage was higher among large businesses (79%) and high-income charities (67%), it was especially low in certain sectors, like food and hospitality (18%).
2FA, though effective, is not a perfect system. The additional step involved can be inconvenient and may deter some users. Companies, including Microsoft, have long warned that SMS is not a highly secure method of 2FA, as it opens up a series of security vulnerabilities that can be avoided by using app-based authentication – and yet SMS remains a widespread method. Consumers also appear more willing to use 2FA for their banking and financial accounts than for accounts where they perceive security to be less important (like a transportation, entertainment, or retail account), despite evidence that an email compromise is more harmful than a financial account compromise.
Enter: the passkey
The limitations of 2FA help make the case for what could be a significant moment of progress in digital account authentication: passkeys.
Apple has led the market in introducing this technology by featuring passkeys in iOS 16, which launched this September, and the soon-to-be-released macOS Ventura will also include passkey technology. But Google is hot on the heels of its smartphone rival, having recently announced that it has made passkeys available for users of its beta services on Android and Chrome, with the feature set to roll out widely later this year.
Apple and Google, along with Microsoft, have been collaborating with the FIDO Alliance to create an industry standard and ensure passkey technology can be used across different operating systems and browsers. This means, for example, that it will be possible to use a passkey stored on an iPhone to log in to a website in Chrome on Windows. Beyond purely digital channels, passkeys can also be used to verify a user’s identity with a call center, or in person. This interoperability is a key factor for encouraging uptake among both businesses and consumers.
However, passkey adoption will depend on brands and service providers, along with the tech giants, to put in the work to make the technology a viable, secure platform login option for their customers.
Passkeys are only one solution. For businesses that are operating in highly regulated industries and dealing with privacy regulations and compliance requirements, a comprehensive identity proofing and authentication strategy, especially one that incorporates biometric authentication into their accounts and guards their information, is critical.
Once this technology becomes as widespread as Apple’s Face ID, it has the potential to soon become the industry standard for authentication. Early adopters of passkeys will have a new competitive advantage: a secure, dependable login method with low user friction. With Apple and Google leading the passkey revolution, businesses and organizations have the opportunity to provide customers not only peace of mind but also a streamlined user experience for nearly all smartphone users. And passwords are only the beginning. The widespread implementation of the passkey will necessitate more secure and frictionless authentication across all digital channels.