There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.
At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password’s dominance.
“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure.”
Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.
In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth’s functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth’s quirks and reliability issues when attempting to pair devices.
Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company’s servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.
“If I’m Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”
Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.
For now, though, the tech industry is still in the early stages of this long haul transition.
“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”