It is well understood that moving away from passwords will take many years, given how deeply flawed yet widespread password-based authentication is. Despite progress by the FIDO Alliance in promoting “passkeys” as a password-less way to sign in to applications and websites, most people still rely heavily on passwords and may not have a single account protected by a passkey, even though Microsoft, Google, and Apple have all adopted the technology.
At the upcoming RSA security conference in San Francisco, Christiaan Brand, co-chair of the FIDO2 technical working group and a product manager at Google, will discuss the new features and the growth in passkey adoption. He will also address the challenges passkeys face in overcoming the inertia that passwords have built up over decades, and the slow grind of diminishing their dominance. Brand emphasizes the need to think of passkeys as an augmentation to passwords and to steer users toward the option that is both easier and more secure.
Over the past year, FIDO has made significant progress in rolling out features that support its password-less vision: the infrastructure to back up passkeys so they sync between devices, prompting users for a passkey rather than defaulting to username and password, and Bluetooth-based proximity sensing to share passkey authentication between devices. These address the major usability issues FIDO set out to fix a year ago, but hurdles remain, and developing these solutions has taken time. For instance, the new Bluetooth-based proximity-sensing protocol was engineered to avoid the security issues that often plague Bluetooth implementations: it strips away most of Bluetooth's functionality and uses the protocol only for proximity checks, never for data transfer, which lets passkeys sidestep many of Bluetooth’s quirks and the reliability problems of pairing devices.
Developing a cohesive user experience (UX) for passkeys across various operating systems and web services is an ongoing challenge. When you log into your Google account from a Mac using traditional passwords, your credentials are still verified against Google’s stored information on one of their servers. However, passkeys work differently, and their security and phishing-resistant benefits come from the fact that the cryptographic check happens locally. If you use a passkey to log into your Google account from a Mac, everything you experience during the interaction is facilitated by macOS, not Google.
Implementing passkeys requires ceding control to different platforms like Apple, Microsoft, and Android, which have different UX patterns and paradigms. This presents a challenge in stitching all of them together, which may take another nine to twelve months for the industry to support fully.
Another significant challenge is the long transition to passkeys alone. Services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. Neglecting password login systems as they fade from prominence could produce new types of security exposures.
The tech industry is still in the early stages of this long-haul transition, and mass, super-scale adoption has yet to happen. Although some passkey implementations exist, they are not yet in the mainstream consciousness of developers or users.
Author: Lily Hay Newman