Colin Eastman
May 13, 2024

The Passkey Revolution is Happening. But What Is It?

Do you know what passkeys are? There’s a passkey revolution happening, but like many buzzy tech words that have preceded it, the term is often misunderstood and misused. Meanwhile, the primary beneficiaries of passkeys — website and app users — simply don’t know what they are.

So, in this post let’s dig into what the term means and debunk some of the common misconceptions — while exploring some of the key benefits. 

What is a passkey — from a user experience point of view?

Let’s say you're an iPhone user. Simply put, passkey technology allows you to use FaceID or TouchID to log into your favorite apps and websites. 

Put another way, the traditional experience of logging in to a site or online service with a username and password relies on you remembering your password. This is “knowledge-based credentialing”: it is based on the user knowing (and remembering) their account login information.

Passkeys, on the other hand, rely on possession-based credentialing — something you have (a device) plus something you are (e.g. your fingerprint or the appearance of your face). Users no longer need to remember difficult passwords. 

What is a passkey — from a technology point of view?

Do a little Googling on how passkeys work and you’ll find some pretty complicated definitions. But the way I explain it is that passkeys are a new technology that does two things. First, it can access the device that you're using. And second, because of its ability to access your device, it can access the mechanism that unlocks your device. In most cases, that’s biometrics — like a fingerprint or your face image (e.g. FaceID or TouchID). But it could also be a PIN code or the password to unlock the device.

Passkeys use the FIDO2 open protocol to be able to access the device unlock mechanism. When, as a user, you sign up for a website that supports FIDO2, the device you're using (like your phone or computer) creates two special keys: one for you and one for the website. The one for the website is shared with them, but the one for you stays private on your device.

Whenever you want to log in to that website, it sends a special question to your device. Your device uses its secret key to answer the question in a way only the website can understand. These encrypted keys make passkeys much more secure than traditional passwords. 

What are the primary benefits of passkeys? 

There are two primary benefits of passkeys. 

Security: The root cause of an estimated 80% of data breaches is passwords. Because the keys passed between a website and your device are encrypted, passkeys ensure that only authorized individuals are allowed to access protected resources. Identity theft, fraud, phishing, and other security risks are minimized in passkey authentication. 

User experience: With the proliferation of online accounts and services, consumers must remember a growing number of usernames/passwords. Most passkey solutions alleviate the need for users to endure this “friction” to regularly engage with their favorite companies and services. And by implementing passwordless solutions like passkeys — and reducing friction — companies, including online retailers, realize increased conversion rates and sales from new and returning customers.   

Common misconceptions about passkeys

Now that I’ve defined the key points of passkeys, let’s go deeper by explaining what they’re NOT. Here are five misconceptions about passkeys that we hear often during our discussions with digital leaders in different industries.

  1. Misconception: Passkeys and “passwordless” are the same thing

They are not the same. Passkeys are one of several types of passwordless technology. There are other authentication technologies that alleviate the need for users to enter passwords. These include social sign-on – for example, users can sign into some services using their Google credentials. There are also one-time codes and magic links sent via email or text messages, and authenticator apps that provide dynamic passcodes. These technologies offer similar benefits to passkeys, but none match the security and user experience of passkeys.

  2. Misconception: One-time codes deliver the same benefits as passkeys

I’ve had numerous conversations with developers who, when faced with implementing passkeys, determined the best path to the passwordless experience was to instead add one-time passwords (OTPs). Yes, it’s usually easier to support OTPs. However, users don’t like the awkward dance of toggling between a sign-in page and email or messaging apps — find and copy that code, and then go back to the page to paste it into a form field. So, for users, it’s a different kind of friction than passwords — and only a marginal improvement, at best, to the overall experience.

I recently spoke with a leader at a Fortune 500 apparel company that tried to roll out OTP as a quick fix to improve user experience. Three months after launching it, he said less than 0.5% of users were taking advantage of OTP. It hadn’t reduced their call center instances related to lost passwords. It didn’t result in more users creating accounts. And it didn’t increase conversions.

And then there’s security. OTPs simply aren’t as secure as passkeys. While more secure than passwords, a one-time passcode can still be lost or stolen. Passkeys that leverage biometric authentication are… well, it’s going to be hard to steal your fingerprint or face.

  3. Misconception: Passkeys are easy to implement

For developers, building your own passkey solution is never easy. True, FIDO2 is an open standard — and anyone can try to implement it within their existing authentication stack. But to do so requires a lot of retrofitting. You have to factor in a variety of use cases (new users vs. returning users, etc.), variable user technology (e.g. devices, browsers), and user preferences on each device — creating new UIs for each of those paths and then verifying it works.

The complexity involved is why we recommend doing a full reboot on authentication — and licensing passkey technology like ours at OwnID that covers all of the major use cases and device/user variables. In a future blog post, we’ll delve deeper into the choice of buying passkey technology vs. building a custom solution. 

  4. Misconception: Passkeys work in the same way for enterprises and consumers

Enterprise tech and consumer tech are often completely different, including how passkeys are implemented. In an enterprise, complex identity and access management (IAM) solutions must factor in the role of different workers and what content they should (and shouldn’t) have access to. The security requirements are typically more stringent, especially in the government sector. Many of these enterprise solutions now offer passkeys — and biometric authentication.

For brands selling to consumers, using passkeys as part of their authentication technology is much simpler. But in one respect, adding it can be more challenging for B2C applications than in the enterprise. Enterprise users are a somewhat captive audience — if an IT leader determines that employees need to use biometrics to beef up network security, they can simply require it. Trying to convince existing customers to enable passkeys can be a challenge without incentives.

  5. Misconception: Companies should market passkeys to their users

Yes, companies should market passkeys to their users because of the obvious user experience and security benefits. But they shouldn’t rely on the word “passkeys.” Very few people know what it means. However, most people do understand how using TouchID and FaceID makes it easy to sign into their phones. After all, on average, we sign into our phones more than 100 times per day.

So, what if it’s just as easy to sign into every app and website as it is to sign into your phone? As an industry, we’d be better served moving past the “passkey revolution” — and focusing on the benefits of passkeys and the passwordless experience.

Colin Eastman is a seasoned professional with over 15 years of experience in software sales, specializing in Customer Identity for the last decade.  He has held leadership roles at the likes of Experian, Gigya and SAP and has partnered with many enterprise eCommerce companies and Fortune 500s on deploying their Customer Identity and Digital Commerce technology and strategy.