By Henry George for TDPel Media.
Passwords are deeply flawed, yet they are everywhere.
It is a well-known fact that transitioning the world away from passwords would take years.
However, the FIDO Alliance, a secure-authentication industry association, has been promoting “passkeys” as a password-less alternative for signing into applications and websites.
Despite the broad adoption of passkeys by major tech companies such as Google, Apple, and Microsoft, many users still use passwords on a daily basis.
In this article, we will look at Christiaan Brand’s talk at the RSA security conference in San Francisco next week, where he will discuss new features and growth in passkey adoption.
Brand is the co-chair of the FIDO2 technical working group and an identity and security product manager at Google.
He will examine the current challenges that passkeys face in countering the inertia passwords have built up over decades.
Passkey Adoption: Progress and Hurdles
Brand notes that FIDO has made significant progress in rolling out features to support its password-less vision.
The infrastructure is now in place to back up passkeys so that they sync between devices, to prompt users about passkeys, and to use Bluetooth-based proximity sensing to share passkey authentication between devices.
All three of these features address major usability issues that FIDO set out to improve a year ago.
However, developing a coherent “user experience” (UX) for passkeys across different operating systems and web services remains an ongoing challenge.
When a user logs into their Google account from a Mac using traditional passwords, their credentials get checked against what Google has on file for their account on one of the company’s servers.
But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If a user uses a passkey to log into their Google account from a Mac, the cryptographic check happens locally, and Apple is never directly involved.
Everything the user experiences during the interaction is facilitated by macOS, not Google.
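The contrast with a stored password can be shown in a short sketch. This is an added example, not code from the article, Google, or FIDO: the device signs a fresh challenge together with the origin it is talking to, and the site verifies that signature with a public key, so a response produced on a look-alike origin or replayed later is rejected. The format is deliberately simplified (real WebAuthn signs authenticator data plus a hash of the client data), and the function names and both origins are constructed for illustration.

```javascript
// Added illustration: simplified passkey-style sign-in, not the full WebAuthn format.
// Real WebAuthn signs authenticator data plus a hash of this client data.
const crypto = require("node:crypto");

// Registration: the key pair is made on the device; the site keeps only the public key.
function register() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, site: { publicKey } };
}

// Device side: the platform records the origin it is actually talking to, then signs.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ type: "webauthn.get", challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site side: check freshness, origin, then the signature over the exact bytes signed.
function verifyAssertion(site, expected, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return "malformed"; }
  if (data.type !== "webauthn.get") return "wrong-type";
  if (data.challenge !== expected.challenge) return "challenge-mismatch";
  if (data.origin !== expected.origin) return "origin-mismatch";
  const ok = crypto.verify("sha256", Buffer.from(assertion.clientData),
                           site.publicKey, assertion.signature);
  return ok ? "ok" : "bad-signature";
}

function demo() {
  const { device, site } = register();
  const origin = "https://accounts.example";          // constructed site origin
  const lookalike = "https://accounts-example.test";  // constructed look-alike origin
  const expected = { challenge: crypto.randomBytes(32).toString("hex"), origin };
  const genuine = signAssertion(device, expected.challenge, origin);
  const phished = signAssertion(device, expected.challenge, lookalike);
  // Signature made on the look-alike, client data swapped to claim the real origin.
  const rewritten = { clientData: genuine.clientData, signature: phished.signature };
  const next = { challenge: crypto.randomBytes(32).toString("hex"), origin };
  return {
    genuine: verifyAssertion(site, expected, genuine),     // "ok"
    phished: verifyAssertion(site, expected, phished),     // "origin-mismatch"
    rewritten: verifyAssertion(site, expected, rewritten), // "bad-signature"
    replayed: verifyAssertion(site, next, genuine),        // "challenge-mismatch"
  };
}

console.log(demo());
```

Nothing the site stores can be used to sign in elsewhere, which is the property a password database lacks.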
The Challenges of Overcoming Password Inertia
Brand acknowledges that passwords are bad, yet everyone is accustomed to them.
Users don’t want to be surprised, and they don’t like change.
Therefore, it is essential to think about passkeys as an augmentation rather than a complete replacement for passwords.
Users need to be gently nudged towards the thing that will be easier and more secure.
The Slow Grind Against Passwords
Brand’s talk will examine the long game of slowly grinding down the password’s dominance.
Passkeys face an uphill battle in countering the inertia that passwords have built up over decades.
Developing solutions to improve passkeys has taken time, and there are still hurdles to overcome.
For example, the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid security issues that often plague Bluetooth implementations.
In conclusion, while passkeys offer a more secure and convenient way to sign in to applications and websites, there are still challenges to overcome before they can fully replace passwords.
It is essential to develop a coherent user experience for passkeys across different operating systems and web services while slowly grinding down the dominance of passwords.