
The Future of User Authentication: Biometrics vs. Passkeys

The digital age has brought a complex landscape of security threats. Traditional password-based authentication, once considered sufficient, is now increasingly seen as a weak link in the security chain. As cyberattacks grow in sophistication, the demand for robust and user-friendly authentication methods has never been higher. This is where passkeys and biometric sensors come into play.

The Evolution of Biometrics

Biometric authentication, leveraging unique physical characteristics like fingerprints, facial features, or iris patterns, has been gaining traction for years. Pioneered by Argentine scientist Juan Vucetich, who developed the first fingerprint classification system in the late 19th century, biometrics has evolved into a sophisticated tool for identity verification.

However, the widespread adoption of biometric sensors for authentication can be largely attributed to the rise of smartphones. Apple’s iPhone 5S, released in 2013 with Touch ID, brought the fingerprint sensor to the mass market and changed the way we unlock our devices. That move was quickly followed by other smartphone manufacturers, making fingerprint scanners a standard feature on most modern phones.

Biometric authentication has also found its way into some enterprise PCs, particularly laptops, equipped with fingerprint readers or webcams that support facial recognition.

What are Passkeys?

Passkeys are a major step forward in authentication technology. A passkey is a FIDO2/WebAuthn credential: a public/private key pair created on the user’s device for one specific website. The private key stays on the device (or in a credential manager that syncs it between the user’s own devices), and the website stores only the public key. At login the device signs a one-time challenge from the website, and the browser records which origin asked for that signature, so a credential created for the real site cannot be used from a lookalike domain. That origin binding is what makes passkeys resistant to phishing, and because nothing reusable is kept on the server, a breach of the website’s database does not expose a secret that can be replayed elsewhere. The following are just a few benefits of embracing passkeys in the login flow:

  • Enhanced Security: There is no shared secret to guess, leak, reuse or phish. Password reuse, a common vulnerability exploited by attackers, simply disappears, and a stolen table of public keys is useless to the thief.
  • User Convenience: Users unlock the passkey with their device’s biometric sensor or PIN, eliminating the need to remember complex passwords. The biometric itself never leaves the device and is never sent to the website.
  • Cross-Platform Compatibility: Apple, Google and Microsoft have all implemented passkeys on top of the FIDO Alliance and W3C WebAuthn standards, so the same credential flow works across their browsers and operating systems, which is the basis for widespread adoption.

The Challenge of Implementation

While passkeys hold immense promise, their widespread adoption has been hindered by several factors. Firstly, users are accustomed to passwords and may be reluctant to embrace a new concept. Secondly, the process of enabling a passkey can be cumbersome, especially for users without tech-savvy backgrounds.

Biometric authentication, on the other hand, offers a more intuitive experience, particularly on mobile devices. However, its effectiveness on desktop computers is limited due to the lack of widespread biometric sensors.

Despite this limitation, Windows 10/11 and macOS let users store passkeys on the device itself and unlock them with Windows Hello (facial recognition, a fingerprint reader or the device PIN) or with Touch ID (built into MacBook Pro since late 2016 and MacBook Air since 2018), with the account password serving as the fallback on Macs without a sensor.

How Google (left) and LinkedIn (right) approach the implementation of passkeys.
Passkeys are an optional (but well-hidden) feature on Google and LinkedIn.

The Ideal Solution

The optimal approach to authentication lies in combining biometrics and passkeys. A biometric is not a replacement for a passkey but the local gesture that unlocks it: on devices with a suitable sensor, a fingerprint or face scan releases the passkey; on devices without one, the device PIN or a passkey held on the user’s phone takes that role. The website receives the same signed challenge either way and never sees the biometric itself.

Good examples of passkeys and biometric authentication
Clerk utilizes passkeys, while Olympics.com employs a proprietary system akin to passkeys provided by OwnID.

Typically, what these websites do when you log in from a new device that has no passkey yet is send an email with a one-time code to verify that you control the account’s address, after which a passkey for the new device can be created. Although this adds a little friction to the flow, it pays off in convenience afterwards. It also means that, during enrollment, the account is only as strong as that inbox: an emailed code can still be phished, so the recovery path deserves the same attention as the passkey flow itself.

Where a computer has no biometric sensor, the passkey stored on the user’s phone offers an excellent alternative. The website shows a QR code, the user scans it with the phone, and the two devices set up an encrypted channel; the phone also checks over Bluetooth that the computer is physically nearby, which is what stops an attacker elsewhere on the internet from relaying the QR code to a victim. The user then approves the login on the phone with its normal unlock method, without a password and without the computer ever holding the private key.

A passkey created on Windows 11 (Chrome browser) and stored in Samsung Pass can be used later to sign in on a device running macOS (Safari browser).

As the image above shows, a single passkey can work across different devices and operating systems. The passkey created in Chrome on Windows 11 lives in Samsung Pass on the phone; when the user signs in from Safari on macOS, the Mac uses it through the cross-device flow rather than holding a copy, because both browsers implement the same WebAuthn standard. This interoperability offers stronger security, speed and convenience than traditional passwords, whose only portable form is the memorised secret itself.

In the example below, the browser triggers a message from the OS itself, requesting the user to check their mobile phone. From there, the user will validate their identity using the device’s unlock method.

The browser displays a message from the operating system (left), prompting the user to validate their identity on their mobile phone (right).

Conclusion

While tech giants like Google and LinkedIn have started incorporating passkeys into their platforms, there’s still room for improvement. Simplifying the passkey setup process and making it more user-friendly are crucial steps. Additionally, educating users about the benefits of passkeys and biometrics is essential to drive adoption.

As technology continues to evolve, we can expect to see even more sophisticated and secure authentication methods emerge. By combining biometrics and passkeys, we can create a future where online security is both robust and user-friendly.

