Find out how passkeys can finally replace passwords for consumer logins while offering an improved user experience and much better security.
In March 2022, the FIDO Alliance published a white paper on a new concept called “multi-device FIDO credentials” – or “passkeys” for short. Serious effort has gone into this topic, mostly by two of the key players of the FIDO Alliance: Google and Microsoft. Apple did its own share of the work, which it introduced separately as “Passkeys in iCloud Keychain” at WWDC 21 back in June 2021; the technology has been in developer preview on iOS and macOS since then. So why are passkeys such a big deal? Let me explain…
“But what if I lose my phone?“
– Everyone
Ever since the introduction of FIDO (back in 2014) and its sort-of-successor WebAuthn (2019), the most daunting question for anyone promoting FIDO’s passwordless benefits has always been: “But what if I lose my device?”. I heard this question probably a few hundred times – and honestly, there was no good answer. Until now.
But before we start with passkeys and multi-device shenanigans, you may ask “What is a FIDO or WebAuthn credential again?” (if you know the answer, feel free to skip to the next headline). Well, it’s a piece of cryptographic information, a private key, stored on your computer, phone, tablet, smart watch, or security key for that matter. You will never actually see that private key, nor will anyone else (hence the “private”). In a WebAuthn login ceremony – from the user’s perspective that simply means a biometric gesture (think Touch ID, Face ID, or Windows Hello) – the private key is used to generate a signature (you won’t see that either, as it happens behind the scenes). This signature then proves to a server that it has been created with that unique private key, without ever risking giving away the key itself. So far, that’s regular asymmetric (public-key) cryptography, but natively supported by your device and put into a web standard (“WebAuthn”) for every website or app to use, already supported by every major web browser and operating system.
Without even noticing, we got our hands on a very strong two-factor authentication (2FA) mechanism. This is because a biometric (inherence) factor is combined with cryptography (proof of possession). Even the website’s URL is checked in the process, making it fully phishing-proof – the beauty of WebAuthn.
Now back to business, we're here for the new passkey stuff. So, are passkeys simply WebAuthn credentials?
Yes and no. The FIDO Alliance whitepaper introduces “multi-device FIDO credentials” – meaning that your secure login information will be available on multiple devices. In fact, we could also call them “synchronized WebAuthn credentials”. But the name that will be used when facing the end user – the consumer – is “passkey”.
Your device(s) will take care of passkey synchronization. Once the technology is released later this year, you will be able to use your passkeys on all devices that use the same iCloud/Microsoft/Google account. It works pretty much like a modern cloud-synced password manager (e.g., iCloud Keychain or 1Password), just without the passwords.
Coming back to answering the daunting question: with passkeys, if you lose your device, you just power up a new one, and you're back in. Your passkeys will already be there and allow you to sign in to your services with Touch ID et al. straight away. 🤯
And if you sign up on a website on device A and want to access the same website later on device B, passkeys of course also take care of that.
With passkeys, this simple and secure login flow will become true on all your devices, old or new, as long as you're signed in with the same platform account.
Now, how can passkeys get synchronized across multiple platforms, e.g., from your iPhone to your Windows notebook? That is not yet clear, although there are ideas already in testing that involve a QR code and Bluetooth LE to connect two such devices and let you use the passkey and biometric on your phone with, e.g., your nearby Windows device. Some may say that making this possible would be against the interests of the platform providers, especially those that aim for a high “lock-in” effect. But time will tell, and we can certainly hope for the best.
In technical terms, passkeys are so-called discoverable credentials. That means they not only allow passwordless logins, but also let you forget your usernames (typically email addresses nowadays). In its first manifestation, the user experience of passkeys will probably look like this:
The user can sign in with a passkey instead of username and password. The passkey selection UI is part of the operating system and can be triggered by the website.
When a passkey is created, it is unique to the website and to the user account it was created for. So, a passkey not only fulfills the roles of a password and a phishing-proof 2nd factor, it also contains a unique credential ID that can be resolved by the website to identify the associated user account.
You go to a website, click on a “Sign in with passkey” button, and after successfully authenticating with a biometric, the credential ID, together with the signature generated by the passkey, will automatically be sent to the website. And you’re in. Passwordless & “usernameless”.
To avoid the extra passkey button, and because non-passkey logins must remain possible since not everyone will switch to passkeys immediately, a concept called “Conditional UI” or “passkey autofill” is also part of the passkey agenda. When supported, available passkeys will be displayed by your browser in an autofill dropdown that opens directly under the username field of a login form. If no passkey is available, the user types their email address into the input field, as is done today. But if a passkey is available, it can be selected from the list and the flow will be as described above – minus the extra button, “hidden” behind the username input instead. This allows for a very clean UI that always works, no matter if you use passkeys or not.
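How a website wires up passkey autofill, as an added example that is not Hanko's code: the username input carries autocomplete="username webauthn", and navigator.credentials.get() is called with mediation: "conditional" so the browser offers available passkeys in the dropdown under that field. The /login/options endpoint and the shape of its JSON are assumptions for the demo.

```javascript
// Added example (not Hanko's code): the browser side of "passkey autofill"
// (Conditional UI). The /login/options endpoint and its JSON shape
// { challenge, rpId } are assumptions for the demo.

// Static feature check; `win` is injectable so it can be tested outside a browser.
function hasConditionalUiApi(win = globalThis) {
  const pkc = win.PublicKeyCredential;
  return !!pkc && typeof pkc.isConditionalMediationAvailable === "function";
}

// Servers send the challenge as base64url; WebAuthn wants raw bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions from the server JSON. An empty
// allowCredentials list makes this a discoverable-credential request: the
// browser finds the passkey itself, so no username is needed.
function toRequestOptions(serverOptions) {
  return {
    challenge: base64urlToBytes(serverOptions.challenge),
    rpId: serverOptions.rpId,
    allowCredentials: [],
    userVerification: "required", // the biometric gesture is the second factor
  };
}

// Kick off the autofill flow when the login page renders. The promise stays
// pending until the user picks a passkey from the dropdown; if they type an
// email address instead, the regular form keeps working untouched.
async function startPasskeyAutofill(win = globalThis, fetchImpl = globalThis.fetch) {
  if (!hasConditionalUiApi(win)) return null;
  if (!(await win.PublicKeyCredential.isConditionalMediationAvailable())) return null;
  const serverOptions = await (await fetchImpl("/login/options")).json();
  const credential = await win.navigator.credentials.get({
    mediation: "conditional",
    publicKey: toRequestOptions(serverOptions),
  });
  // credential.id and credential.response.signature then go to the server
  // for verification, exactly as in the button-triggered flow.
  return credential;
}
```

The matching form field is `<input name="email" autocomplete="username webauthn">`; without the `webauthn` token the browser will not show passkeys in that dropdown.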
At Hanko, we've been following the development of passkeys since their very beginning, and our open source authentication product is tailored around the passkey experience.
We’ll continue to optimize everything we do to allow for the best-possible user experience while at the same time providing the best-possible security. And while we’re at it, we’ll surely keep you posted, so stay tuned.
If you wanna chat with us about cool authentication technology, feel free to join our Slack community, we'd love to have you there.