Passwordless authentication gaining popularity, Computing research finds
Half of UK IT leaders polled say their organisation is now using passkeys
Passkeys are emerging into the mainstream as a practical and more secure alternative to passwords, promising a better user experience when signing in to apps and services.
Passkeys replace passwords with hardware-bound cryptographic credentials that are tied to the user's device.
Developed and promoted by the FIDO (Fast IDentity Online) Alliance, passkeys use public-key cryptography to authenticate the user. The user's device generates a key pair, retains the private key and sends the public key to the app or service, which then verifies the presence of the corresponding private key via a handshake mechanism.
They are inherently resistant to phishing and credential stuffing, since each key pair is unique, and no human interaction is required.
Over the last few years, passkeys have been adopted by most major operating systems, including Windows, ChromeOS, macOS, Android, iOS and many Linux distributions, as well as browsers such as Chrome, Firefox, Edge and Safari. In addition, most modern identity providers and web applications can use passkeys via the WebAuthn and FIDO2 standards.
As far as user experience goes, this means being able to sign in with biometrics like Face ID, fingerprint recognition, Windows Hello or a PIN instead of having to remember passwords.
However, not all applications, OSs and devices are compatible, and when rolling out passkeys organisations will typically start with high-value, high-risk services where compromise via phishing is a real risk. Examples include email and office suites, customer-facing accounts and cloud services that host sensitive data.
Being tied to a device, passkeys also bring their own risks and inconveniences, such as loss or theft of the device, legacy tech and compatibility issues. Plus, user education is essential to ensure take-up and avoid risky workarounds.
Many organisations begin by offering passkeys as an optional sign-in method alongside passwords, gradually making them the default as adoption grows.
In our recent survey of 104 UK IT leaders, 4% said they were now using passkeys to authenticate users of all apps and services. Meanwhile 18% were getting started with a few apps and a further 28% were offering passwordless access to many apps and services.
The FIDO Alliance says more than 15 billion online accounts were passkey-enabled by the end of 2024, more than double the figure a year earlier.