Peeling the Apple on Passkeys: Progress with Some Shortcomings
By Jeremiah Mason, SVP, Product, authID
Apple announced at its Worldwide Developer Conference this week that it will launch passwordless logins across its products this fall, dubbed by WIRED as “the first major real-world shift to password elimination.”
And while Apple’s rollout of passkeys is a huge step in the right direction, there are a few ways in which the passkey approach falls short.
Three of the world’s largest tech companies – Apple, Microsoft, and Google (Alphabet) – have each pledged passwordless initiatives and lauded FIDO2 standards that enable passkey technology.
But since the tech giants’ solutions are being developed within their own product ecosystems, there is the risk of a great divide, with users locked into a single platform in order to use their passkeys. WIRED reporter Matt Burgess noted, “At the moment, there are unanswered questions about what happens to your passkeys if you want to ditch Apple’s ecosystem for Android or another platform.”
Ecosystem lock-in will slow adoption and create headaches for developers and end-users, adding overhead and requiring support for different integrations, UX, and policies across brands’ platforms.
At authID, we know that the keys to widespread adoption of security technologies are cost, time to implement, and user experience (UX). While Apple’s passkey approach helps the end-user operate without passwords, we are still in an environment where major websites have not broadly adopted FIDO2.
In fact, many organizations that have turned on FIDO2 today have not gotten it right: they enable FIDO2 but still require a password or an installed app, and they fumble the UX. While FIDO2 has standardized authentication, it has not standardized the UX and workflows for achieving authentication. This has often resulted in fractured, confusing UX that is bound to hamper adoption.
For mass adoption of passwordless authentication, organizations need an “easy” button, with turn-key vetted UX and security that removes heavy implementation and maintenance burden.
There is nothing worse than trying to log onto a website but discovering your phone is dead or out of reach, and you have not yet set up a secondary device for authentication. With passkeys, if you have not set up a secondary authentication device, you are out of luck if you lose access to your primary authenticator, leading you back to the need for passwords.
There is much focus today on strong authentication, but very little on strong account recovery. This creates an opportunity for attackers to trigger account recovery instead of stealing passwords, because recovery most often relies on passwords or other easily compromised channels such as one-time passcodes or email, even under FIDO2 standards.
The Enterprise Perspective
While potentially improving security for customers, Apple’s passkey approach does little to improve the levels of protection for enterprises and their users.
Enterprises have much more complex security needs and will require a more stringent level of authentication management than what a passkey will provide. Organizations will also require a higher level of assurance that the user authenticating with the passkey is the one for whom it was created.
In short, passkeys as they are being developed by Apple are simply not ready for enterprise-grade authentication.
A More Secure Solution
At authID, we help organizations achieve more secure, cloud-based biometric authentication coupled with FIDO2 authentication. With a patent-pending method, authID takes passwordless security to another level by binding a biometrically confirmed identity, which we call a Verified Selfie™, with the registration of a FIDO2 token on a device. A user can enroll their Verified Selfie™ in just a few seconds and relying parties can require government document validation should high assurance of the identity be required. Once verified, a digital chain of trust between a user, their account, and their devices is established.
authID’s solution is tech brand-agnostic and can be rolled out to organizations today, while overcoming the pitfalls of passkeys. authID users can avoid lock-in to vendor platforms and authenticate from any device. A QR code allows users to hand off authentication to a different device when needed, ensuring maximum compatibility with users’ devices. Lastly, the Verified Selfie™ can be used to allow the user to recover their account or enroll a new authenticator in seconds, without needing a secondary device handy.
At authID, we’re helping our customers overcome UX and adoption challenges. Integration with Okta, Auth0 and other leading IAM and CIAM vendors means that you can turn on our FIDO2 solution in a matter of minutes and provide users with passwordless authentication. For companies using their own home-grown solution, authID allows for fast integration with any platform that supports OIDC. This quickly enables all authID’s workflows while still allowing for high levels of customization of UX/UI.
Verified Selfie™ makes account portability and recovery strong and seamless. authID offers pre-built, 100% passwordless authentication and recovery workflows, or organizations can build their own using our APIs. As demand for passwordless continues to grow – and particularly as it reaches the enterprise – so will the need for biometric authentication-enabled systems that are truly passwordless, seamless to implement, and easy for users.