1) How does the customer experience improve with passkeys vs. passwords?
2) How does this translate to business benefits?
3) How do I successfully convert users from passwords to passkeys?
4) What are the challenges that I need to consider?
5) How do I manage legacy and modern approaches?
6) How do I get started with passkeys?
7) Which verticals/industries are good candidates for passkeys?
8) How ready are passkeys for prime time?
9) Do all the platform vendors have passkeys available?
10) What parts of the passkey architecture need FIDO certification?
11) Where are passkeys stored?
12) Do Apple devices need to have iCloud Keychain enabled to use passkeys?
13) Are there fallback mechanisms, for example, if your fingerprint reader is damaged?
14) What happens if a bad actor signs in with someone else’s account and creates a passkey?


As with any new technology, additional education is needed for digital business leaders and product owners looking to gain a better understanding of the benefits of passkeys and their practical implementation in a digital service.

In this blog post, we’ll provide answers to some frequently asked questions about supporting passkeys in your organization — from the business benefits to converting users from passwords to passkeys.


1) How does the customer experience improve with passkeys vs. passwords?

With sign-in, passkeys turn a frustrating memory test into a “tap and go” experience.

With sign-up, a passkey-based account creation experience is fast and simple:

  • Gather a username and/or email address
  • Ask for a biometric to register a passkey
  • The cognitive load on the end user is significantly lower, since there is no need to invent a password of sufficient length and character complexity to make it secure


2) How does this translate to business benefits?

Passkeys deliver a trifecta of business benefits:

› Sign-ups and sign-ins that are faster and more successful

  • Happier users who spend more time/money
  • Lower attrition and abandonment, increased revenues
  • Higher retention, lifetime value (LTV)

› Lower cost of running the business

  • Passkey accounts become phishing resistant
  • Reduced account takeovers (ATO) and account sharing
  • Reduced fraud and fewer manual fraud analysis actions

› And all the benefits of eliminating passwords

  • Reduced password resets
  • Reduced call center complaints


3) How do I successfully convert users from passwords to passkeys?

Migrating your existing users away from passwords will take time, but the faster it can be done, the safer those end-user accounts will be and the sooner you will enjoy the business benefits of passkeys. One brand was able to achieve 50% adoption of passkeys in just a few months.

Driving adoption will likely involve a communication campaign to your end users to educate them on passkeys, evangelize their benefits and ultimately get them comfortable with using them. That campaign will likely include:

  • Priming — email, social media, mobile app prompts, even snail mail such as a note included when packages are delivered
  • During account creation — register a passkey instead of a password, or perhaps in addition to a password
  • During sign-in — after a successful authentication, offer to register a passkey and allow the user to sign in with that passkey on their subsequent sign-ins
  • During password reset — after a successful identity verification step, offer to register a passkey and allow the user to sign in with that passkey on their subsequent sign-ins


4) What are the challenges that I need to consider?

Make it easy to adopt passkeys. They are better for your users and for your business.

Still, passwords are not going away for a while, so both sign-in approaches will need to co-exist for years to come. And users are likely to have a mix of devices – many of which will support passkeys and some of which may not.

This means that you will need to design your user sign-in journeys with great care. They will need to support sign-ins with both passwords and passkeys depending on the device and browser that are being used. If this is not done properly, users can wind up at “dead ends” that their device can’t support, causing confusion and frustration.


5) How do I manage legacy and modern approaches?

Take a strategic approach to planning your business evolution away from passwords. Create a plan that covers the key issues, such as:

  • Which sign-in approach do you want to emphasize for your end users? Do you want to offer a choice of sign-in approach? Or, if the device is passkey capable, do you offer only sign-in with passkeys?
  • What about social login with Google or Apple — will you continue to offer that? Will you offer to register a passkey for users after they successfully sign in with a social login?
  • Do you want to keep creating accounts with passwords? One large brand decided that all new accounts will be created with a passkey and not a password, focusing on increasing their account creation conversion rates as the first step in deploying passkeys.
  • Will you migrate your mobile app to using passkeys? If a passkey is created in your mobile app, it can be synced to a user’s other devices and used on your website as well.
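As an added example (not code from the original post), here is one way a web front end could encode the journey choices from questions 4 and 5 so that no device is sent to a sign-in “dead end”. The browser capability checks use the standard WebAuthn feature-detection methods; the journey policy in `chooseSignInJourney` and the `detectCapabilities` helper are hypothetical and would be adapted to your own product decisions.

```javascript
// Added example, not from the post: pick a sign-in journey from what the device
// can do (browser capabilities) and what the account has (passkey, password).
function chooseSignInJourney(caps, account) {
  // caps: { webauthn, platformAuthenticator, conditionalUI } reported by the browser
  // account: { hasPasskey, hasPassword } from the relying party's own records
  const journey = { primary: null, offerPasskeyEnrollment: false, fallbacks: [] };

  if (caps.webauthn && account.hasPasskey) {
    // Passkey-capable browser and a registered passkey: lead with the passkey,
    // using autofill-style "conditional UI" where the browser supports it.
    journey.primary = caps.conditionalUI ? "passkey-autofill" : "passkey-button";
  } else if (account.hasPassword) {
    journey.primary = "password";
    // Offer to register a passkey right after a successful password sign-in,
    // but only on a device that can actually create one (hypothetical policy).
    journey.offerPasskeyEnrollment = Boolean(caps.platformAuthenticator);
  } else {
    // Passkey-only account on a browser without WebAuthn: never show a passkey
    // button it cannot use; go straight to the passwordless OTP route.
    journey.primary = "otp";
  }

  // Passwordless fallbacks for damaged sensors, lost devices or unsupported browsers.
  if (journey.primary !== "otp") journey.fallbacks.push("otp");
  if (journey.primary !== "password" && account.hasPassword) journey.fallbacks.push("password");
  return journey;
}

// Hypothetical helper: asks the browser the standard WebAuthn capability questions.
// `win` is the page's window object; in a real page this runs before rendering the form.
async function detectCapabilities(win) {
  const PKC = win.PublicKeyCredential;
  if (!PKC) return { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  const [platformAuthenticator, conditionalUI] = await Promise.all([
    PKC.isUserVerifyingPlatformAuthenticatorAvailable(),
    typeof PKC.isConditionalMediationAvailable === "function"
      ? PKC.isConditionalMediationAvailable()
      : Promise.resolve(false),
  ]);
  return { webauthn: true, platformAuthenticator, conditionalUI };
}
```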


6) How do I get started with passkeys?

We’d highlight several key points:

  • Educate and socialize the business benefits of passkeys across the organization. Adopting passkeys will impact multiple parts of the business, and it is best to align the team before the project starts.
  • Pick your first use case carefully (i.e., one that has the potential for a quick and clear benefit to the business). Build a clear business case for what is expected and what is outside the project scope. That allows you to show success and build momentum for the larger projects that are to come.
  • Spend the time to get the user journeys right, including UX testing. If the customer experience is poor, users will not adopt passkeys and the business benefits will not materialize. Involve your user experience team early on, and if you don’t have the needed skills available, find talent to help you get this right.


7) Which verticals/industries are good candidates for passkeys?

The short answer is all of them! Phishing is a problem across all industries, and when a digital business adopts passkeys, its attack surface decreases significantly.

That being said, the early adopter industries are those that most need both high security and very low friction and for whom fraud costs are most damaging — industries such as iGaming and sports books, online travel agencies, fintech and B2B eCommerce.


8) How ready are passkeys for prime time?

Passkeys are ready to be used at scale today. Browser and OS support on mobile devices is nearly ubiquitous, but still not 100%. Support on desktop devices is lower. Windows 10 and 11 support passkeys, but Windows Hello needs to be enabled, and whether it is enabled varies from machine to machine.

When you implement passkeys, they can be used with most devices, but not all at this time. Your implementation needs to take this into account and gracefully handle all of the “corner cases” which will be out there for some time.


9) Do all the platform vendors have passkeys available?

Apple and Google have introduced full support for passkeys on their browsers and operating systems. Microsoft supports passkeys but does not provide cloud-based syncing of passkeys between devices. That is planned for later this year. For the latest information, please visit passkeys.dev and select the “Device Support” link.


10) What parts of the passkey architecture need FIDO certification? 

The FIDO Alliance offers a certification program that is a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy passkey solutions.

The FIDO Alliance has 3 certification programs: 

  • Functional interoperability (for servers, clients and authenticators) 
  • Certified Authenticator  
  • Biometric Component Certification 

For more information, visit: https://fidoalliance.org/certification


11) Where are passkeys stored? 

Passkeys are based on standard public key cryptography techniques. During registration, the user’s client device creates a new key pair. It retains the private key (the passkey) and registers the public key with the online service. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

Passkeys are synced to the user’s other registered devices on the same platform vendor (such as Apple, Google and Microsoft). In the case of Apple, passkeys are synced using iCloud Keychain. iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple, and the passkeys stored in it are recoverable even if the user loses all their devices.

To learn more about how FIDO works, visit: https://fidoalliance.org/how-fido-works/ 


12) Do Apple devices need to have iCloud Keychain enabled to use passkeys? 

Yes. Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on. Passkeys also require that two-factor authentication is enabled for your Apple ID. 

For more information, visit: https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0


13) Are there fallback mechanisms, for example, if your fingerprint reader is damaged?  

Passkeys (and FIDO2 credentials) all support multiple user “gestures” as part of authentication, including fingerprint ID, face ID and a PIN. This means that users can choose amongst these options when they configure their device.   

Many of the operating systems require users to set up multiple gestures. For example, Windows 11 requires users to set up a 6-digit PIN as well as face or fingerprint recognition. That way, if one of the gestures is not possible the PIN can be used instead.  

For even more robust fallback, websites should also support alternative passwordless sign-in mechanisms that are not based on passkeys. These are typically One Time Passcode (OTP) based mechanisms in which a 6-digit code is sent to the user via an out-of-band communication method such as email, SMS, a messaging app or an authenticator app. These alternate passwordless sign-in approaches also cover the situation where the user needs access to their applications but does not have access to their normal device(s).


14) What happens if a bad actor signs in with someone else’s account and creates a passkey? 

It is incumbent upon businesses to take appropriate measures to prevent such activities, but in the event that an unauthorized individual gains access to a user’s account and creates a passkey, users can also take independent steps to revoke the unauthorized passkey upon discovery.  

Specifically, the website should provide a feature within the account settings page allowing users to remove any public keys linked to their account. Additionally, web browsers also offer users the ability to manually delete any passkeys associated with a given website.