The Future of Passkeys
The Future of Passkeys is a guide for organizations that have rolled out passkeys fully to their end users, across all of their important use cases, and are enjoying the business benefits at scale. These organizations are ready to examine the logical next step, which is to remove passwords from the end user experience and from their systems.
Benefits of password deprecation include:
- Fewer customers drop off from the critical conversion path.
- Lower costs for:
  - Monitoring and defending against malicious actors in real time.
  - Continuous hardening of password policies.
  - Account resets due to forgotten passwords and account lockouts.
  - Service costs for SMS text messages associated with authentication.
Typically, a division leader or vice president leads this strategy. Implementation usually requires support from multiple departments and might also require support from the CEO and the executive leadership team. More specifically, this strategy requires buy-in and collaboration between multiple teams and departments, including product, engineering, risk, fraud, legal, marketing, and customer support.
In December of 2023, KAYAK removed passwords from their services and implemented support for passkeys. Watch Matthias, KAYAK's Chief Scientist and SVP, Technology, explain why KAYAK chose this path in this segment from the video "UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consumer Authentication".
Cross-department considerations
When your organization sets a goal to remove passwords, marketing departments need to develop campaigns to promote passkeys and educate customers about them. There is an opportunity for marketing departments to tie the implementation of passkeys and the removal of passwords to a larger vision and commitment to keep services secure. This can have a positive impact on your organization's brand.
Because a large volume of customers will rapidly adopt passkeys and ultimately no longer be able to use their passwords, customer success and support must prepare to support customers who have questions or encounter issues during the change.
Password strategy
Most organizations remove passwords in three phases. The plan is to notify users, give them time to convert to using passkeys instead of their current sign-in method, and then over time, deprecate all other sign-in methods besides passkeys.
| Phase | Timing | End user experience |
|---|---|---|
| 1 | Initial roll-out | End users are discouraged from using passwords. If they use passwords, additional authentication steps are required in addition to the password. |
| 2 | After roll-out | End users are prohibited from using passwords and must use passkeys or other authentication modalities your organization deems suitable. |
| 3 | Deprecation over time | End users no longer have passwords tied to their account and passwords are no longer stored or referenced in your organization's systems. |
As more and more companies implement support for passkeys, both end users and organizations will be more secure, more resilient against cybercriminal attacks such as phishing, and will find account sign-in to be a much less frustrating experience.