The Passkey Experience
The internet is an essential part of our daily lives. From the start, passwords have been the primary way we sign in to accounts. Despite years of use and widespread adoption, 62% of people still fail to enter their username and password correctly on the first sign-in attempt. When users mistype or forget their password, they must either complete a password reset process to proceed or abandon their task.
We all know from personal experience that the internet password experience has fundamental problems. Ideally, each of us would have a personal object that we always carry, like a car or door key, that unlocks our internet services as simply and safely as those keys unlock our cars and doors.
When mobile phones arrived, they quickly became this personal object that securely unlocks websites and apps for the user. The user could verify an SMS OTP, which let the internet service confirm that the user was carrying that particular mobile phone and was the rightful owner of the account. Phones are still used to make sign-in safer. However, the experience is not very convenient, and cybercriminals often phish SMS OTPs.
Now, mobile phones and computers are powerful and smart. They also have proximity technology such as Bluetooth, which can be used to confirm that a device is physically near the user. Most users have set up a biometric or PIN on their mobile phones and computers, and unlocking a device is second nature. A very natural evolution is to leverage this technology to make sign-in simpler and more secure.
With passkeys, the user does not have to remember and type a password, and verification of the user's device ownership is implicit. Instead, passkeys provide a way to sign in to a website or app in the same manner in which people unlock their device. While passkeys are a new user experience, people adapt to them rapidly because the steps are familiar.
FIDO has helped to drive a standardized passkey experience. This standardization now means that your passkeys can sync across all of your internet enabled devices with the help of a credential manager.
For users, the primary incentive to use passkeys is convenience. For service providers, this convenience translates to fewer sign-in failures, faster sign-in, and more business. End users, internet services, and the internet at large also gain an overarching security benefit built into passkeys: the passkey standard is designed to be phishing-resistant. A user cannot be tricked into typing a passkey in the wrong place or reading it out over the phone; by design, this is simply not possible.
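The phishing resistance claimed above follows from checks the relying party performs on every passkey sign-in response: the browser records the origin the user is actually on, the authenticator scopes the credential to an RP ID, and both are covered by the signature. The following is an added Python example, not code from this page or from the FIDO Alliance; the RP ID, allowed origins, challenge and lookalike origin are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed values for a sign-in at https://example.com (not from the page).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}
CHALLENGE = b"constructed-random-challenge-0123"  # a real RP uses os.urandom(32)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin, challenge):
    """clientDataJSON as the browser builds it: the origin is the site the user is
    actually on, recorded by the browser and covered by the authenticator's signature."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(cd).encode()


def make_auth_data(rp_id, flags=0b0000_0101):
    """Minimal authenticatorData: sha256(rpId) | flags (UP|UV) | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_binding(client_data_json, auth_data, rp_id, allowed_origins, expected_challenge):
    """Relying-party checks from the WebAuthn assertion verification steps. The
    ECDSA signature over authData || sha256(clientDataJSON) must also be verified
    in production; it is omitted here because the stdlib has no ECDSA."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in allowed_origins:
        return False, "origin %s is not allowed for this RP" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    return True, "ok"


def demo():
    """A genuine sign-in passes; a response produced on a lookalike site carries
    that site's origin and rpIdHash and is rejected before any signature check."""
    legit = verify_binding(make_client_data("https://example.com", CHALLENGE),
                           make_auth_data(RP_ID), RP_ID, ALLOWED_ORIGINS, CHALLENGE)
    phish = verify_binding(make_client_data("https://examp1e.com", CHALLENGE),
                           make_auth_data("examp1e.com"), RP_ID, ALLOWED_ORIGINS, CHALLENGE)
    return legit, phish
```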
In some situations the value of an account is great enough that users want a dedicated authentication device to store the passkey. In such cases, security outweighs the convenience of a synced passkey. For these use cases, device-bound passkeys created on FIDO security keys are the best option.
Variations in the user experience
There are two core passkey user experiences:
- Passkey creation
- Sign in with a passkey
Multiple factors influence the experience a user has during passkey registration and subsequent passkey use. Synced and device-bound passkeys offer different user experiences. For users who choose synced passkeys, the passkey is available on any device that is accepted by the same passkey provider. For example, a passkey on your mobile phone can sync to your desktop browser.
To avoid the need to initiate an account recovery process, users who choose device-bound passkeys on a security key should ideally register another passkey on a backup security key. This way they can still sign in with their backup security key if they lose access to their primary security key.
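A service provider can tell a synced passkey from a device-bound one at registration and at each sign-in by reading the Backup Eligible (BE) and Backup State (BS) flags in the WebAuthn authenticator data, which is what makes it possible to prompt only security-key users to register a backup key. The following is an added Python example, not code from this page or from FIDO; the flag bit positions are from the WebAuthn specification, while the RP ID and flag combinations are constructed.

```python
import hashlib

# authenticatorData flag bits as defined by the WebAuthn specification.
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified (biometric or PIN)
FLAG_BE = 1 << 3  # backup eligible: the passkey may be synced by a credential manager
FLAG_BS = 1 << 4  # backup state: the passkey is currently backed up (synced)
FLAG_AT = 1 << 6  # attested credential data present (registration only)


def make_auth_data(rp_id, flags, sign_count=0):
    """Constructed minimal authenticatorData: sha256(rpId) | flags | signCount.
    Values are made up for this example (not from the page)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def passkey_kind(auth_data):
    """Classify a passkey from its BE/BS flags and return (kind, advice).
    Device-bound passkeys (BE clear) are the case where the text above recommends
    a backup security key; BE set with BS clear means the credential manager has
    not synced the passkey yet, so it is not available on other devices."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    if not flags & FLAG_BE:
        return "device-bound", "suggest registering a passkey on a backup security key"
    if not flags & FLAG_BS:
        return "synced-eligible, not yet backed up", "passkey becomes available on other devices once synced"
    return "synced", None


def backup_eligibility_changed(registered_flags, assertion_flags):
    """BE is fixed for the lifetime of a credential. A difference between the
    flags stored at registration and those in a later assertion is a signal
    worth logging rather than silently accepting."""
    return bool(registered_flags & FLAG_BE) != bool(assertion_flags & FLAG_BE)
```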
The operating system, browser, and the UX provided by the service provider also influence the user experience during registration of a passkey and subsequent passkey use.
The Live Implementations page includes videos that show how various companies are implementing passkeys across devices, operating systems, and browsers.
Refer to the Required Patterns for more information on implementing these experiences.
Accessibility
Passkeys use the operating system's UI controls and are therefore significantly more accessible.
Variations in passkey messaging
The end user experience for passkey creation depends greatly on the messaging from the design patterns you choose to implement as a service provider.
The Design Guidelines can help you determine the best patterns to implement for your organization.
- For messaging around synced passkeys, refer to the Required Patterns.
- For messaging around device-bound passkeys, refer to Security Key Patterns.
- For messaging around sign-in with a passkey, refer to Sign In with a Passkey within the Design Guidelines section.
Basic passkey sign-in experience
With passkey sign-in, a user is asked to sign in to an app or website with the same biometric, PIN, or on-device password they use to unlock their device (phone, computer, or security key). Verifying a fingerprint, face, or device PIN is the same action that people complete multiple times each day to unlock their devices. The app or website can use a passkey instead of the traditional username and password to authenticate the user. The intent of this design is to help ensure that the user experience is familiar and consistent across devices.
Synced passkeys still work if a user changes devices, loses their device, or uses multiple devices.
For more information, refer to Sign In with a Passkey in the Design Guidelines section.
Switch mobile operating systems as an end user
If the user is still in possession of their old device, the user can use the passkey on the old device (say, an Android device) to sign the user into their account on the new device (say, an iOS device). Once signed in, the user can create a passkey on the credential manager they have on their new device.
If the user has a FIDO Security Key, they can use it to securely authenticate on the new device.
If the user has neither their old device nor a security key, the relying party can treat a sign-in from the new device (which might be from a different vendor) as a normal account recovery situation and take appropriate steps to get the user signed in.