Passkeys: A Milestone Towards a Passwordless World

International System Research Co., Ltd.

May 26, 2023

Are you familiar with "World Password Day"? Intel established World Password Day on the first Thursday of May each year to raise awareness about the role of strong passwords.

On last year's World Password Day, May 5, 2022, Apple, Google, and Microsoft announced plans to expand support for passwordless sign-in based on the FIDO2 standard (hereafter "FIDO2 authentication") created by the FIDO Alliance (※1) and the World Wide Web Consortium (W3C). Following this announcement, leading vendors both domestically and internationally steadily prepared passwordless authentication platforms.

Then, on May 3, 2023, coinciding with this year's World Password Day, Google announced in a statement that it would begin supporting passkeys for Google accounts. Moving forward, passkeys will be available as an additional authentication option alongside existing methods like passwords and 2-step verification.

With major corporations like Google supporting passkeys, more people are expected to have opportunities to use FIDO2 authentication with passkeys. This is very welcome news for us at ISR, who have been members of the FIDO Alliance since 2014 and have promoted the adoption of FIDO-based biometric authentication. However, significant societal changes often bring anxiety and questions. In this article, we'll introduce what passkeys are, the authentication procedure using passkeys, and key points for implementing them in businesses.

What are "Passkeys," the Alternative to Passwords?

Passkeys are the credentials used in FIDO2 authentication, in a form that can be backed up and synced between a user's devices (the FIDO Alliance originally called them "multi-device FIDO credentials"). So why were passkeys created? Let's start by explaining their background.

Many technologies are now described as passwordless authentication, but they differ in method, and not all are equally secure. For example, schemes that send biometric data itself over the network are in one respect worse than passwords when that data is phished or leaked: a stolen password can be changed, but a fingerprint or a face cannot. Passwordless sign-in that relies on one-time codes sent by Short Message Service (SMS) is likewise highly vulnerable to Man-in-the-Middle attacks (※2), since a phishing proxy can relay the code to the real service in real time.

On the other hand, FIDO2 authentication, a technical standard established by the FIDO Alliance together with the W3C (the WebAuthn and CTAP specifications), is a robust user authentication mechanism built on public-key cryptography. At registration, the "authenticator", either a roaming security key or a "platform authenticator" built into the device (Touch ID, Windows Hello and the like), generates a key pair for that service and hands only the public key to the server. At sign-in, the server sends a random challenge; the authenticator verifies the user locally with a fingerprint, face or PIN and, only if that succeeds, signs the challenge with the private key, so what crosses the network is a signature, not a reusable secret. Because the credential is bound to the service's domain (the relying party ID) and the browser records the origin the sign-in was requested from, a lookalike phishing site cannot obtain a signature that the real service will accept. The private key and the PIN stay inside the authenticator and are never transmitted over the network.

Passkeys: Combining Security and Convenience

However, FIDO2 authentication also had its challenges. Previously, credentials used for authentication were stored on the user's device. If a device was replaced or lost, the credentials couldn't be transferred to the new device, requiring re-registration every time. While FIDO2 authentication is very robust and highly secure, this convenience issue contributed to its slow adoption.

To resolve this, the FIDO Alliance announced passkeys in March 2022. As mentioned, passkeys link to cloud accounts like Google accounts or Apple IDs and can be synced between devices. This improvement in convenience led to a series of announcements from leading IT vendors, including Apple, Google, and Microsoft, about supporting passkey-based authentication mechanisms in their operating systems and web browsers for smartphones and PCs. Finally, in May 2023, Google began supporting passkeys for Google accounts.

How is Passkey-based Authentication (FIDO2 Authentication) More Secure Than Password Authentication?

Password authentication has many problems, one of which is that a password is merely a string of characters; it can unlock access to protected corporate data without considering who possesses it.

In contrast, passkey-based authentication (FIDO2 authentication) is a multi-factor approach in which possession of the authenticator is the primary factor. Authentication factors are conventionally grouped as "knowledge" (something you know), "possession" (something you have) and "biometrics" (something you are); combining factors of different kinds is what makes authentication stronger, since an attacker must defeat each of them separately.

With a passkey, the device holding the private key is the authenticator and supplies the possession factor, while the local user verification that unlocks it, a fingerprint or face scan (or a PIN), supplies the second factor. Sign-in therefore moves from a style based on a single "knowledge" factor (the password) to a "possession + biometric" style in one step.

Passkey Security: Data Insights

In a blog post titled "Making authentication faster than ever: passkeys vs. passwords," published by Google on May 5, 2023 (US time), several data points collected by Google from March to April 2023 were presented. According to this, the success rate of passkey-based authentication was found to be four times higher than that of password authentication. The table below shows that while the average success rate for password authentication is 13.8%, the success rate for local passkeys is 63.8%.

(Table: sign-in success rate, passkeys vs. passwords)

Beyond its high authentication success rate, another strong point of passkeys is their speed in completing sign-ins. The graph below illustrates the time spent on authentication by passkeys versus passwords. It shows that users using passkeys successfully signed in within an average of 14.9 seconds, whereas using passwords typically took twice as long (30.4 seconds).

(Graph: time to complete sign-in, passkeys vs. passwords)

Misconceptions about Passwordless Authentication

FIDO-based passwordless authentication offers not only robustness but also excellent convenience. However, it is often mistakenly perceived as sacrificing the simplicity and ease of use of traditional password authentication.
Since July 2021, ISR has been offering passwordless authentication features across all CloudGate UNO plans without additional cost. While the proportion of users choosing passwordless authentication has steadily increased, it remains lower compared to users who opt for passwords only or a combination of passwords and multi-factor authentication.

Passkey Authentication Procedure

CloudGate UNO, the identity management platform provided by ISR, offers three "authentication methods" for identity verification during access:

① Password Authentication: Authentication using only a password

② Passwordless Authentication: FIDO2-based passwordless authentication using biometrics, etc. / Pocket CloudGate

③ Multi-Factor Authentication: A combination of an authenticator available with CloudGate UNO and password authentication.

FIDO2-based passwordless authentication in option ② refers to authentication using passkeys. CloudGate UNO already supports FIDO2 authentication, so you can use passkeys. Here are the actual steps:

Passkey Authentication Procedure with CloudGate UNO

(Figure: CloudGate UNO passkey authentication flow)

Since CloudGate UNO is a Single Sign-On (SSO) service, you can sign on to numerous integrated services with simple steps like the one above.

Steps for Passkey Implementation

Authentication using passkeys is very simple. However, for a company, changing familiar authentication methods can be a high hurdle for both system administrators and users. Questions abound, such as where to start, whether it can be achieved with existing resources without additional cost, or where to configure settings for a trial implementation.
Therefore, ISR recommends proceeding with passwordless authentication implementation in the following two steps:

    Step 1: Selection and Verification of Biometric Authenticators

  • Identify how many available devices within the company are FIDO2-compliant and support passkeys (e.g., Windows Hello or Touch ID).
  • For employees using devices without FIDO2-compliant biometric authenticators, consider purchasing authenticators or exploring BYOD for smart devices.

    Step 2: Phased Rollout by Department

  • Conduct information sessions for employees to help them understand the effectiveness and benefits of transitioning to passwordless authentication.
  • Begin the transition with IT-savvy departments, such as system administrators or engineering teams, to accumulate insights and knowledge.
  • Address larger departments, such as sales, last, aiming for a smooth transition.

    Keys to Success

  • By pre-confirming passwordless-compatible and non-compatible devices, you can more easily set the overall budget.
  • Gain employee cooperation by ensuring they understand the effectiveness and benefits of passwordless authentication beforehand.
  • Continuously revise knowledge bases and procedure manuals to adapt to on-site conditions.
  • Prepare CloudGate UNO's security profiles for passwordless authentication in advance and apply them to users sequentially.

Summary

Password authentication is a technology from the 1960s. At that time, it was envisioned that a single mainframe computer would be used by a limited number of developers, so stringent password management was not required as it is today.

As information technology, including computers and the internet, developed, older authentication technologies also needed to evolve. However, for a long time, alternative technologies to password authentication struggled to emerge. Even when highly secure technologies were developed, if they didn't offer convenience, many users would avoid them, ultimately leading to continued reliance on traditional password authentication and increasing security risks.

However, with the advent of passkeys, passwordless authentication is now expected to completely replace password authentication in the near future. While a truly passwordless era may still be some time away, now is the time to start preparing to transition to this new era of authentication by using passkeys.

※1 FIDO Alliance: An open industry association with a mission to focus on authentication standards to reduce the world's over-reliance on passwords.
※2 Man-in-the-Middle Attack: An attack where an intruder intercepts communications between a user and a service (like a web application) to steal personal information, perform unauthorized fund transfers, or make unauthorized password changes through eavesdropping or impersonation.
