
What Are Passkeys, and What Do They Mean for Your Consumer App?


Hey there!

I wanted to reach out about an important new technology I think could really impact your app – passkeys. As someone who's a bit of a security geek, I've been following passkeys closely since they emerged. I wanted to share what I've learned in case it's helpful as you make plans for the future of your app.

In my view, passkeys are set to fundamentally transform how your users log in and authenticate. I know we all suffer from password fatigue these days, so passkeys can't come soon enough!

Here's a more detailed look at what exactly passkeys are, how they improve on passwords, where major platforms currently stand in supporting them, and the key considerations as you evaluate adopting passkeys in your app.

Passwords are flawed – here's how bad it really is

I'm sure you don't need me to tell you passwords are problematic. But some recent statistics really highlight how dire things have gotten:

  • 81% of data breaches are caused by weak or reused passwords [1]
  • People have on average 100 online accounts requiring passwords [2]
  • The average user has to reset their password 4 times per year [3]

As developers, we've tried various tactics to cope – password expiration policies, complexity requirements, nagging customers to use password managers.

But these are just band-aids on top of a fundamentally broken system based on shared secrets. It's no wonder 81% of users get frustrated dealing with passwords on a weekly basis [4].

There has to be a better way, right? Well, passkeys aim to provide exactly that.

How passkeys improve on passwords

Passkeys take a completely different approach than passwords:

Public key cryptography

Passkeys use industry-standard public key cryptography instead of shared secrets: the authenticator proves it holds a private key by signing a challenge from your server, and the server only ever sees the matching public key. This eliminates the phishing and breach risks inherent with passwords, because there is no secret for a user to type into a fake site or for an attacker to lift from your database.

Device-bound keys

Private keys stay securely on your users' devices; your server stores only the corresponding public keys. So there's no reusable secret sitting on your servers for hackers to steal.

Biometric / PIN authentication

Your users confirm their identity with biometrics or PINs on their devices. No need to manually enter cumbersome passwords.

Platform-managed synchronization

Keys synchronize seamlessly through platform services like iCloud Keychain or Google Password Manager. Users stay logged in across all their devices.

This adds up to an authentication experience that's both more secure AND more convenient for consumers. Passkeys are a classic win-win scenario if we can drive adoption.

And the major platforms are putting their weight behind this…

Platform support makes passkeys viable

Passkeys used to be a bit of a theoretical concept. But now all the major platforms have shipped support to make passkeys a reality:

  • Apple has fully integrated passkeys into iOS/macOS, storing them in iCloud Keychain [5]
  • Google has passkey integration in Android and ChromeOS, backed by Google Password Manager [6]
  • Microsoft added platform support in Windows 11 and Edge, with increased OS integration coming [7]

In addition, all the major browsers now have initial passkey capabilities built-in.

This covers a large portion of the consumer landscape. And with platforms like Apple and Google actively pitching passkeys in their marketing, education efforts have kicked into high gear.

So the tech giants are clearly putting their weight behind passkeys. As an app developer, you can piggyback off these efforts to progressively roll out passkeys to your users as they upgrade devices.

But introducing any new technology always requires some thoughtful planning…

Key considerations for adopting passkeys

Adding passkey support alongside your normal password login is totally feasible. But here are some key considerations I'd suggest thinking through:

User Experience

  • How will you introduce passkeys to your users? Can you incentivize enrollment?
  • At what points should they be prompted to enroll passkeys?
  • How will you handle fallbacks if users lose access to their passkey?

Architecture

  • What updates are needed on your authentication server and APIs to support WebAuthn?
  • At what cadence can you iteratively build support across different parts of your infrastructure?

Security

  • How will you ensure users register platform-managed passkeys rather than third party authenticators?
  • When might relying on passkeys alone be risky? Will you direct high-risk users to additional factors?

Motivations

  • Are you adding passkeys to boost security, improve convenience, or just remain competitive?
  • How will you measure success and value from passkey integration?

Thinking through questions like these will pay dividends in shaping a smooth rollout.

It's time to start planning your passkey integration

Passkeys still have a long journey ahead to completely displace passwords. But all the pieces are falling into place to make passkeys a viable reality:

  • User demand is there – People hate password headaches and love convenience.
  • Platform support exists – Device-makers are delivering built-in capabilities.
  • Technology is proven – Public key crypto has been trusted for years.

Many apps are already working on integrations given the clear security and convenience benefits. I encourage you to start planning as well.

Be among the first in your category to adopt passkeys and reap the rewards. Then watch as delighted customers respond positively to leaving passwords behind!

Let me know if you have any other questions!

[1] Verizon 2022 Data Breach Investigations Report
[2] Digital Guardian: Password Habits Still Need Work in 2022
[3] Statista: Frequency of Resetting Passwords
[4] LastPass Global Password Security Report 2022
[5] Apple: Use passkeys on your iPhone, iPad, and Mac
[6] Google Help: Use passkeys on your Android device
[7] Microsoft Tech Community: Windows 11 to support WebAuthn/FIDO2 security keys


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.