Passkeys See Fresh Momentum With New Pilot Programs – Source: www.darkreading.com

New product announcements are building momentum for passkeys — digital credentials that enable passwordless authentication using private cryptographic keys. This week Apple and Google, as well as leading password manager providers 1Password and Dashlane, further extended their support for passkeys.

Apple, the first to offer passkey support on its iOS platform last year, gave its passkeys a boost this week at the company’s Worldwide Developers Conference (WWDC). Apple announced an API that will let passkeys work with third-party software. The API is designed for the fall release of iOS 17, the annual update to its mobile operating system, previewed at WWDC.

Apple is also expanding support for passkeys on its Safari browser on Macs, iPhones, and iPads. The expanded passkey support will appear in Apple’s Safari 17 browser, previewed at the WWDC. A public beta is available now, with a general release set for this fall.

One advantage of passkeys is that they can speed up logins. Data that Google published last month showed that users could authenticate with passkeys in an average of 14.9 seconds, half of the 30.4 seconds it takes to sign in with passwords.

Proponents of passkeys also say they’re more resilient to phishing attacks than SMS, one-time passwords (OTPs), and various other forms of multifactor authentication (MFA) because each has a unique private and public key tied to a specific device.

Additionally, passkeys are resistant to phishing because they rely on biometric identification, such as face or touch ID, instead of passwords. Because the private key never leaves the device, it can’t easily be stolen, while the public keys reside on both the device and the application or website.

Apple Adoption Adds Market Impetus

Apple’s passkey API will let developers integrate its passkeys into third-party apps, including password managers, to share passkeys. According to Apple, its passkey API will support Managed Apple IDs, enabling synchronization using iCloud Keychain and access controls to manage how users can synchronize and share passkeys.

Notably, Managed Apple ID support for iCloud Keychain will let third-party password managers from companies including 1Password and Dashlane save and exchange iOS, iPadOS, and macOS passwords. Passkeys can use the company’s Autofill, Face ID, or Touch ID biometric verification on Apple devices.

1Password this week announced beta extensions to Safari on macOS, as well as the browsers Chrome, Firefox, Edge, and Brave on macOS, Windows, and Linux. In a blog post this week, 1Password chief product officer Steve Won said that the API would make passkeys more useful on iPhones.

“The API will enable password managers like 1Password to create and use passkeys inside any native app that has added passkey support, including Safari,” Won noted. 1Password’s developers are now integrating the new passkey API into its password manager, according to Won.

While Google had released its passkeys API for Android earlier this year, developers were awaiting Apple’s comparable iOS API. “This change to iOS is the final piece of the puzzle that will allow third-party providers to fully embrace passkeys,” Dashlane director of product engineering and innovation Rew Islam wrote in a blog post announcing its iOS support. “Dashlane will offer passkey support in both iOS and Android, making passkey usage seamless.”

Google Passkeys Are Serious Business

Users and administrators of Google Workspace and Google Cloud can now log in to their accounts with their passkeys. Google this week announced that passkey authentication is available in open beta to over 9 million organizations with Google Workspace and Google Cloud accounts. While Google will continue to let users log in to their work and personal accounts with passwords, the company sees passkeys as an easier and more secure form of authentication.

“When a user signs in with a passkey to their Workspace apps, such as Gmail or Google Drive, the passkey can confirm that a user has access to their device and can unlock it with a fingerprint, face recognition, or another screen-lock mechanism,” Google Workspace engineering manager Shruti Kulkarni and product manager Jeroen Kemperman noted in a June 5, 2023, blog post. “The user’s biometric data is never sent to Google’s servers or other websites and apps.”

Andrew Shikiar, executive director of the FIDO Alliance, sees Google’s latest move as a significant boost for passkeys. “It’s a huge, huge statement that passkeys are ready for primetime and beyond,” Shikiar says. “We think this is going to help accelerate the further adoption of passkeys.” Passkey technology is based on the FIDO Alliance spec that implements the World Wide Web Consortium’s (W3C) WebAuthn standard.

Passkey Pilots Abound in the Enterprise

Shikiar says the number of organizations running pilots with passkeys continues to increase. Among them are several large banks, PayPal, Home Depot, Hyatt Hotels, Intuit, and Shopify. Hyatt has used FIDO authentication with YubiKeys from Yubico to give hotel clerks and call center employees passwordless authentication.

“They’ve done a lot of work adopting FIDO and passkeys, and when you look at the World of Hyatt app, that is where they have invested in protecting their customers’ information,” says Derek Hanson, Yubico’s VP of solutions architecture and alliances.

In April this year, Hyatt added passkey support to its World of Hyatt app. Initially, enrollments were slow, but passkey enrolments soared on the day Google announced passkey support in Google Accounts. “We saw a spike in passkey creations on Google’s announcement day,” says Hyatt senior product manager Hannah Hodak. “We’ve also seen a small but general lift in passkey creations since then.”