Users love passkeys; more importantly, they can help companies reduce exposure to data breaches and prepare for a cookieless future.
There is a high chance that in a few years Apple’s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products. Offering three different ways to sign in using another company? Or rather none at all because of privacy and data ownership concerns? Allowing guest checkout so as to not lose users to atrocious password requirements on the last few yards? These concerns will diminish once consumers become familiar with passkeys.
Passkeys are backed by strong cryptography, are securely stored on the user’s devices and are protected by biometrics. Passkeys are based on open web standards and do not require integration with any third party. Companies can reduce their exposure to data breaches while also preparing themselves for a cookieless future through passkeys that can be adopted today.
Having website visitors and app users become account holders is table stakes for many businesses. From offering subscriber-only content, to verifying that a visitor belongs to a certain group, to simply storing personal information with account creation enables more personalized and streamlined experiences.
The majority of businesses address this by inviting consumers to create an account either by setting a password, receiving a message with a link or code, or using an existing account with another company such as Google, Apple or Facebook.
None of these options is free of concerns. Offering password-based accounts is a very large undertaking in today’s threat landscape. Social engineering, re-use of already compromised credentials and SIM swapping attacks are just a few examples that demand systems and processes be capable of flagging suspicious logins. All this is in addition to warning users about compromised passwords, blocking automated attacks, notifying about account changes, detecting and shutting down counterfeit sign-in portals and protecting a massive stash of passwords. Message-based login mechanisms such as “magic link” share many of these issues as well.
Stakes are high for whoever decides to build authentication from scratch, an undertaking prone to error. For this reason, most small- and medium-sized companies are better off using a third-party identity provider for adding user accounts. With this option, the added challenge is to balance costs — especially when rapidly scaling — not to mention vendor lock-in concerns once reaching a limit with the chosen solution.
