In May of 2023, Google announced that it had begun to integrate passkey support for its accounts, highlighting that passkeys are “easier to use and safer” than most other forms of two-step verification. As we noted in our previous blog post on passkeys, we anticipate that the password-less future is about 3-5 years away. However, for some—and as Google’s latest push suggests—the time to introduce passkeys as an option might be now. And so, for the second installment in our passkey blog series, we are taking a more technical dive into how passkeys work, how to talk about this within your organization, and what you need to consider before taking steps toward implementation.
Building a Proof of Concept
For our solution test case, we implemented passkeys alongside existing username and password authentication 1) to demonstrate the practicality of doing so and 2) to embrace the reality that we are still at least a few years away from being able to go fully passwordless. We integrated with our existing JSON Web Token (JWT) authentication patterns on both the back- and front-end, meaning we could treat passkeys as just another authentication option, reducing the impact of the changes. Our front-end clients expected the same API response for a successful passkey login as they did for a username/password login. With this approach, all other network traffic leveraged the same JWT patterns, so the downstream API calls were unaffected by the addition of passkeys.
While adding passkeys means simply adding another form of authentication, generally speaking, there may be other parts of your application that could be impacted by the introduction of passkeys. For example, since passkeys offer heightened security, you may consider removing two-factor or multi-factor authentication. Depending on your implementation, the removal of those features when the user authenticates with passkey may require both front-end and back-end changes to ensure a seamless transition in the user experience.
Passkeys in Context
Passkeys and Passwords
Similar to our test case approach to implementing passkeys, we think it is best to plan for a significant period during which your users will have both passkeys and passwords as login options. Eventually you may be able to phase out passwords, but for a smooth introduction of passkeys as a login option, users are going to need to feel confident in passkeys and what they are capable of, which won’t happen overnight.
Passkeys and Third-Party Authentication
One of the primary reasons front-end experiences offer third-party authentication as an option (e.g., Facebook, Google, Amazon, and Apple) is to streamline account creation and to simplify the login experience for a user. Passkeys can either serve as a replacement for these integration points or they can be offered as another authentication option for your users. This is not solely a technical decision, but one that should be made in partnership with your product team. There are certainly tradeoffs to using third parties to authenticate users, such as data sharing with these parties and, in the case of Apple, the requirement that some personal information may not be provided to protect the users’ privacy. We recommend that you make an effort to fully understand the reasoning behind using a third party to authenticate. If those can be satisfied with passkeys, it may be time to move in that direction.
Passkeys and Customer Identity & Access Management (CIAM)
Passkeys and Single Sign-on (SSO)
One question we have gotten repeatedly is how passkeys can be introduced within an SSO flow to take advantage of the heightened security and better user flows. In short, it depends on your SSO provider, as passkeys are not something that can be added without changes on their side. Most SSO providers already support public/private key authentication of other forms, so our hope is that the introduction of passkey support will be forthcoming. Microsoft and Okta, common providers of SSO, have already provided information on password-less authentication, so we anticipate support being added soon.
Passkeys and Systems Integration
Integrating passkeys into an environment can be straightforward when leveraging the many frameworks available. When integrating passkeys with your in-house built authentication system, it's ideal if you don’t have to start from scratch. This is especially the case since passkeys are built upon the WebAuthN foundation, and there’s no reason to reinvent the wheel. While there are a few to choose from, we found the open-source framework provided by Yubico to be the most useful. It integrates well with existing Java Spring applications and is as close to a turnkey solution as you can get for implementing passkeys on your back end.
There are also some great materials provided by Google, Apple, and the web community that provide good background on passkeys and make it easier to implement. For Android applications, the SDKs require little setup and modification when integrating with services provided by Yubico, mentioned above. Google provides some great resources to get you on your way and this article was our favorite. The iOS SDK is also quite thorough, but does require a bit more work to get passkeys up and running. However, once implemented, it worked and integrated well within our existing applications. The SDKs for web were similar to iOS in that they require a bit more work to integrate with an environment.
Here are two of our favorites resources to get started on the web (here and here, both from web developers at Google). We were pleasantly surprised with how well web frameworks performed across multiple browsers without much issue at all.
Passkeys and Account Recovery
When implementing passkeys, you can’t overlook account recovery. While a passkey can’t be lost because it is saved to the cloud, there is the possibility that it could seem lost from the user’s perspective. For example, if a user loses full access to where the passkey is stored—or if using a device with multiple accounts such as a family iPad with multiple iCloud accounts they switch between—the passkey may seem lost when, in reality, the user is accessing the wrong account. Depending on the implementation and whether users still have passwords, account recovery may be different. For instance, if your implementation of passkeys is intended to provide an additional login option, but the user still has a password, your recovery flow may leverage the existing password recovery. However, if you choose to remove users’ passwords altogether and go with passkeys alone, then you would need to have a new recovery flow that would allow the user to verify their identity and create a new passkey. This could look similar to a password recovery flow, with the exception of the user creating a new passkey instead of a replacement password. Or, this might include the user receiving a one-time password via email or answering security questions.
Making the Business Case
Once you have assessed the current state of your authentication regime and the likely impact of embracing passkeys, you will probably need to explain the benefits of going passwordless (and the ROI in particular) to senior leadership.
For your C-Suite: To help explain the advantages of passkeys, we found this 15-minute talk from the Google IO 2023 conference gave a great all-levels overview of both the technology and the possible end-user experiences to those who might not be as familiar with the technology. Be sure to revisit our first blog post in this series for more on why passkeys could be great for you and your users.
For your CIO, CTO, and engineering team: It’s important to highlight that while passkeys themselves are new, the technology of WebAuthN is tried and true. Whether your back-end is leveraging an off-the-shelf CIAM or a custom authentication implementation, there are ways to efficiently implement passkeys without having to reinvent the wheel. We have found it helpful to highlight that what truly is new here is the front-end passkey implementation. While integrating with Apple, Google, and Microsoft for passkeys is new, each organization has taken the time to provide a framework to lighten the technical burden and ensure a consistent implementation.
Beyond presenting the benefits passkeys offer in terms of increased security, ease of use, and future-proofing customer authentication, you may also find that there are public relations, marketing, and brand considerations. In our third installment of this passkey blog series, we will dig into the implications of implementing passkeys from the perspective of the customer and brand experience.