Tech Giants Take One Step Closer to a Future without Passwords

Apple, Google, and Microsoft have committed to make passwords a thing of the past, taking another step towards a future without passwords.

Published on August 23, 2022

Despite all their cons, passwords remain the most popular mechanism for enforcing security to protect users’ data. Some may think that the idea of “the future without passwords” is not new. There are existing authentication techniques, like biometric sensors and hardware keys, that do not require users to enter complex passwords to sign in. However, the initial account creation still requires the use of passwords due to various reasons that will be explained in the "Existing Passwordless Options" section.

Earlier this year, Apple, Google and Microsoft united to work on implementing passwordless sign-in on all major platforms. During its Worldwide Developers Conference in May 2022 (WWDC22), Apple announced the use of passkeys for the future without passwords through its 2022 rollout of iOS 16 and macOS Ventura. The iOS and macOS rollout that took place in the fall of 2022 and Google's announcement of bringing passkey support to Android and Chrome in Oct 2022 were a huge step towards the actualization of the future without passwords. However, many people have yet to fully understand how we can have a true passwordless digital world, which leads to the idea of passkeys. In this blog post, we’ll discuss what’s wrong with passwords and how passkeys work to get us closer to a future without passwords.

What Is Wrong With Passwords?

Passwords have several vulnerabilities. First of all, passwords are shared secrets. When users create new accounts, their passwords are stored on a server. The server verifies a user’s identity by comparing the stored password with what the user enters. Hackers can attack the servers and gain access to users' passwords. Even if developers implement password storage with hashing and salting correctly, the server software can still leak passwords through other bugs, such as leaving passwords in logs. Passwords are also very susceptible to different types of attacks such as phishing, MITM, etc.

In addition, it is said that a single password is used to access five accounts on average, which is a leading factor in why people are hacked. Using different passwords can also be a risk factor since people might have a hard time remembering all of them. As a result, tech giants like Apple, Google and Microsoft are working together to create a future without passwords with passkeys.

Existing Passwordless Options

There are already several passwordless options that exist. Below are some examples.

  • One Time Passwords (OTP)
  • Hardware Keys
  • Biometrics
  • Magic Links

In general, going passwordless is more secure than user-generated passwords since the credentials used for passwordless authentication are harder for hackers to replicate or spoof.

Nevertheless, the current state of passwordless authentication isn't enough for everyday use yet. Hardware keys are inconvenient to use and back up, which has limited their popularity. You can't transfer biometric data between iOS and Android devices. Hackers can intercept OTPs sent through SMS or email before they reach the intended users, or they can get the OTPs through phishing.

Passkey: A Step Closer to a Future Without Passwords

Passkeys are the alternative to passwords that will actualize the future without passwords. They offer users a passwordless sign-in to websites and applications, and they are more secure, reliable, and convenient than passwords and existing passwordless solutions.

The design of passkeys is based on the Web Authentication standard, which uses public key cryptography and so reduces the threat from potential database breaches. When a user registers with a site or app, a public-private key pair is generated. The public key is stored on the server, but it is useless to attackers because they cannot derive the user’s private key, which is required to complete authentication, from the public key.

When logging into websites or apps, users simply have to unlock their devices using biometric authentication, like Face ID or Touch ID, to authorize the use of passkeys for authentication.
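
The registration and sign-in flow described above, modelled with Node's built-in `crypto` module as an added example (it is not Authgear's or any platform's code). It is simplified from WebAuthn, and the server object, function names and `example.test` origin are assumptions made for illustration.

```javascript
// Added example: simplified passkey login (not a full WebAuthn implementation).
const crypto = require('node:crypto');

// Constructed relying party: stores public keys only, never a shared secret.
const newServer = (origin) => ({ origin, users: new Map(), pending: new Map() });

// Registration: the key pair is created on the user's device. Only the
// public key is sent to the server; the private key stays on the device.
function register(server, username) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  server.users.set(username, publicKey.export({ type: 'spki', format: 'pem' }));
  return { username, privateKey };
}

// Server: issue a fresh random challenge for one login attempt.
function startLogin(server, username) {
  const challenge = crypto.randomBytes(32).toString('base64url');
  server.pending.set(username, challenge);
  return challenge;
}

// Device: after the local biometric unlock, sign the challenge together
// with the origin the browser reports for the page requesting the login.
function signAssertion(passkey, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  const signature = crypto.sign('sha256', clientData, passkey.privateKey);
  return { username: passkey.username, clientData, signature };
}

// Server: check challenge, origin and signature against the stored public key.
function finishLogin(server, assertion) {
  const expected = server.pending.get(assertion.username);
  const publicKey = server.users.get(assertion.username);
  server.pending.delete(assertion.username); // a challenge is single use
  if (!expected || !publicKey) return 'no pending challenge';
  const { challenge, origin } = JSON.parse(assertion.clientData.toString());
  if (challenge !== expected) return 'challenge mismatch';
  if (origin !== server.origin) return 'origin mismatch';
  const valid = crypto.verify('sha256', assertion.clientData, publicKey, assertion.signature);
  return valid ? 'ok' : 'bad signature';
}

// Constructed walk-through: one registration and one successful login.
const server = newServer('https://app.example.test');
const passkey = register(server, 'alice');
const assertion = signAssertion(passkey, startLogin(server, 'alice'), server.origin);
console.log(finishLogin(server, assertion)); // prints "ok"
```

Because the server holds only the public key and each challenge is accepted once, a copied database entry or a captured sign-in response cannot be used to log in.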

Passkeys have also made cross-device and cross-platform authentication possible. Since passkeys are based on FIDO (Fast IDentity Online) standards, they will be supported by many popular platforms and browsers such as Microsoft Windows, Microsoft Edge, macOS, iOS, Safari, and Android. Not only will passkeys be synchronized across devices of the same origins, but users can also log into websites and apps on different platforms. For example, even if users initially create their accounts on iOS, they simply have to scan a QR code generated by another platform, such as the Chrome browser, with the registered iOS device to log in.

Support Passkeys on Your Apps With Authgear

Google brought passkey support to Android and Chrome in Oct 2022. Apple also started supporting the use of passkeys on iOS and macOS. Prepare yourself for the future without passwords with Authgear!

Authgear allows developers to easily support the use of passkeys as a primary authenticator in their apps. After you integrate your apps with Authgear, all you have to do is click a toggle to support passkeys. It will facilitate easy access without having to log in with passwords.

Furthermore, Authgear also comes with a set of authentication and user management features, such as pre-built signup and user profile pages, user analytics, WhatsApp OTP, social logins, etc., to help you provide better user experience, increase app conversion rate, and boost user retention rate.

Learn more about our Passkey API or request a demo to see how you can benefit from Authgear.