New stats from the FIDO Alliance reveal the passkey to be a fast-growing and safe alternative to the password. Tim Green, programme director for MEF ID and Data, took a look behind the data.
Just days ago, the FIDO Alliance confirmed that more than 3 billion passkeys are currently securing consumer accounts. Quite an achievement given that it’s just three years since platforms like Google, Microsoft, and PayPal started supported them.
I think it’s an achievement for another reason: ‘Passkey’ is the latest example of horrible branding by the tech industry.
“Do you want to set up a passkey?” asks your favourite consumer site.
“Er, what the heck is a passkey” replies almost everyone.
The term itself is up there with ‘keychain’ and ‘iCloud’. Confusing and opaque.
So, what is a passkey? Most of you will know, but briefly… a passkey is a method that lets you sign in to a site or app using just a biometric (usually a face scan).
FIDO’s data shows the impressive progress of the passkey. But a deeper dive reveals it to be just one of many authentication options available to consumers and enterprises.“
Once a user on-boards, the service will create two encrypted keys – one public key and one private. The public key is stored by the website/app while the private key is stored in the device. This adds up to an extremely safe authentication method since every passkey is unique to the user and the service. It’s impossible to phish, and (if intercepted) the encrypted credential is useless to any attacker.
Given the obvious problems with passwords (brute force attacks, phishing, horrible UX) and multi factor authentication (SIM swap, social engineering etc), the growth of passkeys is not surprising.
But what do we really know about this ascendancy?
Last week the FIDO Alliance elaborated. It launched a new Passkey Index – a major report into the performance and adoption of the tech. The study includes data from major enterprise users such as Amazon, Google, Microsoft, PayPal, Target and TikTok.
Here are some key take aways:
- An average of 93 percent of user accounts are eligible for passkeys
- A third of consumers have enrolled a passkey
- A quarter use one
- Participants report a 93 percent success rate for passkey logins, compared to 63 percent for other methods.
- It takes 8.5 seconds to sign in with a passkey compared with 31.2 seconds for MFA — a 73 percent reduction in login time
- Survey participants say passkeys reduce sign-in related help desk calls by 81 percent
- 97 percent of respondents are willing to fully transition to a passkey-based authentication strategy in the future
While the passkey clearly has great advantages over traditional password authentication, it is not perfect. The first drawback is availability. For all the milestones listed above, many websites and applications don’t support the tech. But the bigger issue is lock-in. Passkeys are usually tied to specific devices or platforms, making it difficult to access accounts if you lose or change your device. This also means users might need to create multiple passkeys for the same service if accessing it from different devices.
Now, another big challenge is looming on the horizon: what to do about machine authentication? Think about it. The passkey introduced a human factor (the finger or face scan) to stop bots from taking over accounts. But now we are on the cusp of an agentic era in which consumers and enterprises instruct bots to do work for them.
Can the passkey ecosystem accommodate both human and machine users?
The irony is not lost on FIDO, whose Executive Director Andrew Shikiar, says: “We spent the past dozen years or so contemplating how to prevent bots from authenticating, and now we have to figure out how to enable them to authenticate.” The Alliance says this work has started. It is developing new standards and certification programs for digital credentialing to solve this riddle.
FIDO’s data shows the impressive progress of the passkey. But a deeper dive reveals it to be just one of many authentication options available to consumers and enterprises. It’s not without flaws, and it’s not about the replace MFA any time soon.
Find out more about the themes discussed – Join the MEF ID & Data Interest Group.
