The digital age has brought a complex landscape of security threats. Traditional password-based authentication, once considered sufficient, is now increasingly seen as a weak link in the security chain. As cyberattacks grow in sophistication, the demand for robust and user-friendly authentication methods has never been higher. This is where passkeys and biometric sensors come into play.
The Evolution of Biometrics
Biometric authentication, leveraging unique physical characteristics like fingerprints, facial features, or iris patterns, has been gaining traction for years. Pioneered by Argentine scientist Juan Vucetich, who developed the first fingerprint classification system in the late 19th century, biometrics has evolved into a sophisticated tool for identity verification.
However, the widespread adoption of biometric sensors for authentication can be largely attributed to the rise of smartphones. Apple’s iPhone 5S, released in 2013, was the first mainstream smartphone to integrate a fingerprint sensor, forever changing the way we unlock our devices. This innovation sparked a wave of similar advancements from other smartphone manufacturers, making fingerprint scanners a standard feature on most modern phones.
Biometric authentication has also found its way into some enterprise PCs, particularly laptops, equipped with fingerprint readers or webcams that support facial recognition.
What are the Passkeys?
Passkeys represent a quantum leap in authentication technology. Unlike passwords, which can be stolen, reused, or forgotten, passkeys are cryptographic keys securely stored on a user’s device. This makes them highly resistant to phishing and other cyber attacks. The following are just a few benefits of embracing passkeys in the login flow:
- Enhanced Security: Passkeys eliminate the risk of password reuse, a common vulnerability exploited by hackers.
- User Convenience: Users can simply use their device’s biometric authentication or PIN to log in, eliminating the need to remember complex passwords.
- Cross-Platform Compatibility: Major tech companies like Apple, Google, and Microsoft are backing passkeys, ensuring widespread adoption.
The Challenge of Implementation
While passkeys hold immense promise, their widespread adoption has been hindered by several factors. Firstly, users are accustomed to passwords and may be reluctant to embrace a new concept. Secondly, the process of enabling a passkey can be cumbersome, especially for users without tech-savvy backgrounds.
Biometric authentication, on the other hand, offers a more intuitive experience, particularly on mobile devices. However, its effectiveness on desktop computers is limited due to the lack of widespread biometric sensors.
Despite this limitation, popular operating systems like Windows 10/11 and Mac OS offer users the ability to save passkeys on their devices while providing a seamless way to authenticate through facial recognition (Windows Hello) or fingerprint sensors (most Macbook devices since 2016 have one built-in).
The Ideal Solution
The optimal approach to authentication lies in combining biometrics and passkeys. Biometrics can be used as a primary authentication method on devices equipped with appropriate sensors, while passkeys serve as a fallback option for other devices or when biometric authentication fails.
Typically, what these websites do when you log in from a new device is send an email with a one-time code to validate the device ownership. Although this adds a little friction to the flow, it pays off in convenience afterward.
In situations where biometric sensors are not available, leveraging the integrated passkey solution provided by the user’s phone offers an excellent alternative. By scanning a QR code, users can seamlessly authenticate and secure their accounts without the need for traditional passwords, ensuring both ease of use and robust security.
As demonstrated in the image above, a single passkey can function seamlessly across different devices and operating systems. For instance, a passkey created in Chrome on Windows 11 can be used to log in to Safari on macOS. This interoperability offers enhanced security, speed, and convenience compared to traditional passwords.
In the example below, the browser triggers a message from the OS itself, requesting the user to check their mobile phone. From there, the user will validate their identity using the device’s unlock method.
Conclusion
While tech giants like Google and LinkedIn have started incorporating passkeys into their platforms, there’s still room for improvement. Simplifying the passkey setup process and making it more user-friendly are crucial steps. Additionally, educating users about the benefits of passkeys and biometrics is essential to drive adoption.
As technology continues to evolve, we can expect to see even more sophisticated and secure authentication methods emerge. By combining biometrics and passkeys, we can create a future where online security is both robust and user-friendly.
Further reading
- Google, “Passkeys and the UX”, web.dev
- OwnID, “The Impact Going Passwordless with Passkeys Can Have on Your Website”, OwnID Blog
- Clerk, “What Are Passkeys”, Clerk Blog
- Apple, “Passkeys”, Apple Developer
- Yubico, “Passkey User Flows”, Yubico Developers