On World Password Day, the industry dreams of passkeys

Yesterday was World Password Day, which is fitting, as a new survey from the FIDO Alliance shows that passwords are yesterday’s news. According to a press release from FIDO, half of people in the US and UK have begun the process of breaking up with passwords, as they seek more convenient and secure passwordless alternatives in passkeys and biometric authentication.

According to the survey, which involved 2,000 consumers across the UK and US, 53 percent of people have enabled passkeys on at least one of their accounts, with 22 percent going all-in and switching to passkeys across every compatible account. The biggest drivers of adoption will be familiar to anyone who has ever struggled to remember a difficult password before being locked out of an account: security concerns, frustration, and the increasing availability of passkeys and other advanced identity verification options.

Survey results show that in the last year, 24 percent of people had at least one account compromised due to password vulnerabilities, and 26 percent had to reset or recover at least one password per month. Retention is also a significant (and costly) problem, with 45 percent of respondents saying consumers will bail on their purchases if they forget their password and are faced with the hassle of recovery.

Ultimately, what will put passkeys over the top is uptake and standardization by major tech industry players. Many already support passkeys: Adobe, Amazon, Apple, Google, Nintendo, PayPal, PlayStation, Shopify and TikTok all offer passkey support. Microsoft has added itself to the list, announcing that its services will now support passkeys. As more and more major consumer brands come on board, awareness will continue to grow, boosting consumer confidence in cryptographic technology. The FIDO Alliance says 62 percent of people are now aware of passkeys as an option, and that number is only expected to increase.

“It was just two years ago that FIDO Alliance, alongside the world’s largest platform providers, introduced the vision for passkeys to accelerate the scale and usability of password-free sign-ins,” says Andrew Shikiar, the Alliance’s executive director and CEO. “The market’s reaction since then has been nothing short of phenomenal, with hundreds of services enabling billions of consumers to use passkeys. Our research makes it clear that when offered, people prefer the better security and usability of passkeys over passwords.”

Biometrics and digital ID executives share love for passkeys

Carla Roncato, vice president of identity for Watchguard Technologies, is among a group of executives who seized World Password Day as an opportunity to endorse passkeys for an article in Dynamic Business.

“On this World Password Day, we should all pause and think about how we can adopt passkeys,” Roncato says. “Passkeys represent a significant industry shift in identity security, moving away from traditional credentials of usernames and passwords to a more secure ‘no knowledge’ approach to authentication that is a vastly better user experience.” Roncato says it is clear that passkeys can eliminate the inherent risk factors of traditional credentials. But she also emphasizes how the tools prioritize data privacy. “Any use of biometrics and biometric data for fingerprint or face unlock remains on your device and is never shared with any website that accepts passkeys,” she says.

In the end, Roncato is fine to dismiss passwords as unworthy of our continued affections – at least unless they bring a friend. “Passwords alone are woefully insufficient; you should always use multi-factor authentication (MFA),” Roncato says. “MFA is still considered a significant (albeit not a complete) deterrent for hackers attempting account takeover.”

Google sees more than a billion passkey authentications in a year

Google has announced updates to passkeys across its suite of products, in a blog by Heather Adkins, VP of security engineering. Google launched passkey support a year ago, on World Password Day 2023. “Today,” writes Adkins, “we’re proud to announce that they have since been used to authenticate users more than 1 billion times across over 400 million Google accounts.”

Google’s anniversary updates include passkey support for enrollment in its Advanced Protection Program (APP) for users who are most at risk of targeted attacks, which it notes will be useful in a critical election year. Users now have more choice in where to store passkeys, as independent password manager vendors such as 1Password and Dashlane leveraging the passkeys management APIs on Android and other operating systems. More and more partners are coming aboard, says Google – in just the last 12 months, Amazon, 1Password, Dashlane, Docusign, Kayak, Mercari and Shopify.

Google seems confident in its assessment of why passkeys are on a path to mass adoption: “Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50 percent faster than passwords.”

Microsoft updates come with enthusiasm but time tells a different story

Sadly, none of this doomsaying is new for passwords. Or, perhaps it is not so sad. Although the FIDO Alliance and Google passkey support are relatively recent additions to the authentication ecosystem, Microsoft’s announcement of its own passkey updates for World Password Day contains a tell. “Ten years ago, Microsoft envisioned a bold future: a world free of passwords,” says a blog for the occasion. “Every year, we celebrate World Password Day by updating you on our progress toward eliminating passwords for good. Today, we’re announcing passkey support for Microsoft consumer accounts, the next step toward our vision of simple, safe access for everyone.”

Very good, then: a giant like Microsoft has taken the next step. The company’s announcement means you can now use a passkey to access a Microsoft account using face or fingerprint biometrics (or a device PIN) on Windows, Google and Apple platforms.

But for all the fawning over passkeys, industry analysis suggests that, ten years from Microsoft’s initial promise, the world is still a long, long way from “eliminating passwords for good.” It is hard to argue with Microsoft’s own assertion: “If you’re like many people, you probably still use passwords to sign in to most of your websites and apps, most likely from multiple devices.”

Are we willing to give passwords another chance?

The thing about any whirlwind romance is that eventually, the honeymoon period will end. In a post on a site called Firstyear’s blog-a-log, entitled “Passkeys: A shattered dream,” software developer William Brown tells a story that suggests it may already have, at least for some. Having been denied access to a home lighting system after a passkey was deleted from Apple Keychain, Brown arives at a grim conclusion. “This is just the icing on a long trail of enshittification that has undermined Webauthn,” he writes. “I’m over it at this point, and I think it’s time to pour one out for Passkeys.”

Arguing that the industry has jumped to promote passkeys before really understanding the technology – perhaps contributing to passkeys’ ongoing communications problem – Brown says the technology has probably already been ruined. “At this point I think that passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype. Corporate interests have overruled good user experience once again.”

So what should users look to as an alternative? William Brown has an answer: “I’m here saying passwords are a better experience than passkeys.”

She loves me; she loves me not. The course of true love never did run smooth.

Article Topics

biometric authentication  |  biometrics  |  FIDO Alliance  |  FIDO2  |  Google  |  Microsoft  |  passkeys  |  passwordless authentication  |  passwords