Passkeys are quickly gaining traction as an alternative to passwords for authenticating users. Many major websites already let users sign in using them, and more are surely to follow.

To learn more about the state of passkey adoption, as well as the benefits of passkeys, in the latest episode of our podcast we interviewed Andrew Shikiar, CEO and executive director of the FIDO Alliance, the organization behind the passkey standard.

Here is an edited and abridged version of that conversation.

What is a passkey?

Passkeys are a true password replacement that help users sign into applications and websites without ever using a password. Underneath the hood — I’m gonna get a little geeky on you — passkeys are based on FIDO’s standards for user authentication, called FIDO2 or UAF. These are different protocols that enable this to happen. All of FIDO’s protocols use something called asymmetric public key cryptography, which transforms the way we authenticate users from a very centralized, shared secret model, where there’s a secret stored in a server and the user knows a secret, to a model where you have a cryptographic key pair, where there is what’s called a public key on the server and the corresponding private key in the user’s possession on their device. That key pair must match up precisely for the user to sign in, and the private key must be in the user’s possession, so the user verifies himself to the key, typically through a biometric or any local authentication on the device, which is proving again that they’re in possession of that key. Once they do that, then the key pairs can have their encrypted dialog and authentication happens.

What that does is ensure that there’s an actual user signing in, and in doing so, eliminates the massive threat and problems associated with remote attacks, right? If you can compare that to passwords, where there’s a secret, all I have to do is prove that I know the secret. Anyone can do that. I can pretend to be Jenna. I could guess your email address and sign into a website if I guess your password or find it on the dark web, where it quite likely resides. With passkeys you simply cannot do that. You need to be in possession of a device. To summarize, passkeys are a much more user-friendly, unphishable approach to user authentication that does not rely on passwords.
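The key-pair model described in this answer can be made concrete in code. The following is an added illustration, not part of the interview and not FIDO Alliance code: it is a deliberately simplified model of the FIDO2/WebAuthn sign-in flow, with a device-side authenticator that holds the private key and a website (the relying party) that stores only the public key. It assumes the `cryptography` package is installed and uses a constructed site name, `shop.example`. Three properties from the answer are exercised: a captured response cannot be replayed, a copy of what the server stores (the public key) is useless for signing in, and a look-alike site with a different identifier never gets a usable signature, which is why passkeys are called unphishable.

```python
import hashlib
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def signed_payload(rp_id: str, challenge: bytes) -> bytes:
    """What the device signs: the relying-party identifier (the site's origin)
    bound to the server's one-time challenge. Binding the origin is what makes
    a passkey unusable on a look-alike site. (Simplified model of WebAuthn's
    authenticatorData + clientDataHash construction, not the real encoding.)"""
    return hashlib.sha256(rp_id.encode()).digest() + challenge


class Authenticator:
    """The user's device. Private keys never leave it, and it signs only after
    a local user-verification step (biometric, PIN), modelled here as a flag."""

    def __init__(self) -> None:
        self._keys: dict[tuple[str, bytes], Ed25519PrivateKey] = {}

    def create_passkey(self, rp_id: str) -> tuple[bytes, bytes]:
        credential_id = os.urandom(16)
        private_key = Ed25519PrivateKey.generate()
        self._keys[(rp_id, credential_id)] = private_key
        public_bytes = private_key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw
        )
        return credential_id, public_bytes  # only the public half goes to the server

    def assert_login(self, rp_id: str, credential_id: bytes,
                     challenge: bytes, user_verified: bool) -> bytes:
        if not user_verified:
            raise PermissionError("local user verification failed")
        private_key = self._keys.get((rp_id, credential_id))
        if private_key is None:
            # Keys are scoped to the site that created them; a different
            # origin (e.g. a phishing domain) simply has no matching key.
            raise KeyError(f"no passkey registered for {rp_id}")
        return private_key.sign(signed_payload(rp_id, challenge))


class RelyingParty:
    """The website. Stores public keys and short-lived challenges, no secrets."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.credentials: dict[str, tuple[bytes, bytes]] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, username: str, credential_id: bytes, public_key: bytes) -> None:
        self.credentials[username] = (credential_id, public_key)

    def begin_login(self, username: str) -> tuple[bytes, bytes]:
        challenge = os.urandom(32)
        self.pending[username] = challenge
        return self.credentials[username][0], challenge

    def finish_login(self, username: str, signature: bytes) -> bool:
        challenge = self.pending.pop(username, None)  # single use: no replay
        if challenge is None:
            return False
        _, public_key = self.credentials[username]
        try:
            Ed25519PublicKey.from_public_bytes(public_key).verify(
                signature, signed_payload(self.rp_id, challenge)
            )
            return True
        except InvalidSignature:
            return False


def run_scenarios() -> dict[str, bool]:
    """Enrol one passkey and check the properties the interview describes."""
    shop = RelyingParty("shop.example")  # constructed site name
    device = Authenticator()
    credential_id, public_key = device.create_passkey(shop.rp_id)
    shop.register("jenna", credential_id, public_key)
    results = {}

    # 1. Genuine sign-in: device signs the site's fresh challenge.
    cred, challenge = shop.begin_login("jenna")
    signature = device.assert_login(shop.rp_id, cred, challenge, user_verified=True)
    results["genuine_login"] = shop.finish_login("jenna", signature)

    # 2. A captured response is worthless: the challenge was consumed.
    results["replayed_response"] = shop.finish_login("jenna", signature)

    # 3. Look-alike origin relays the real challenge; the device has no key for it.
    _, challenge = shop.begin_login("jenna")
    try:
        device.assert_login("shop-example.net", cred, challenge, user_verified=True)
        results["lookalike_site"] = True
    except KeyError:
        results["lookalike_site"] = False

    # 4. Someone holding only what the server stores (the public key) cannot
    #    produce a valid response; a signature from any other key is rejected.
    rogue = Ed25519PrivateKey.generate().sign(signed_payload(shop.rp_id, challenge))
    results["forged_without_private_key"] = shop.finish_login("jenna", rogue)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted. The pending-challenge map is what defeats replay, the origin hash inside `signed_payload` is what defeats relaying a challenge through another domain, and the public-key-only storage is why a breach of the site's user table yields nothing that can be used to sign in.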

So on our website, ITOps Times, we did this predictions roundup at the end of last year, and one of the predictions was from you, and you had said that “by the end of 2025 we expect one in four of the world’s top 1000 websites will make passkeys available.” So now that we’re a couple of months into the year, how on track would you say we are to meeting that goal?

I think this is more of a kind of directional and thematic goal than anything else. We actually tracked this last year. I think we’re at around 12% of the top 1000 sites. But frankly, it was a very happy problem: more sites are supporting passkeys than we can track. Passkeys are just becoming part of the fabric of doing business on the web itself.

For example, here in the US, pretty much every leading e-commerce site supports passkeys. Amazon, I think, has over 150 million users with passkeys enrolled. Walmart, Best Buy, Target, eBay — that’s just top of mind here in the US. The key message here is that the top sites are using passkeys today, and we’ll continue to see that grow. That’s just e-commerce, right? If you talk about sites like Google and Apple and TikTok, the earliest adopters have been companies whose motivation is to get you online quickly and securely, so you can take part in commerce or consume content. So, yeah, I do think we’ll hit that goal.

Another very important thing to note is that I think we’ll see the banking sector start to adopt passkeys more broadly, and they’ve been more reticent to adopt because they need to have higher confidence in transforming user sign-ins. It’s so critical to their business. But we’re already seeing the banks adopt passkeys and use passkeys in different corners of the world. In the US I believe we’ll see at least one or two major banks start to support passkeys as well. So, yeah, I feel good about that prediction and about the general trajectory of passkey utilization and adoption.

What should organizations be doing to ensure that they’re able to properly support this as a sign on method?

Yeah, that’s a great question. First thing they should do is, if they’re interested in pursuing passkeys and haven’t gotten started on that journey yet, we released a resource called Passkey Central. We released it to answer this very question, which is, “how do I get started and how do I navigate my passkey journey?”

Passkey Central is a new resource we launched in October of last year, co-funded by companies like Google and Yubico and Craig Newmark Philanthropies, to educate the market at large on why and how to begin and manage their passkey journey. Ultimately, the motivations and strategy for deploying passkeys come down to security and usability. And I think things to think about are: a) how does this fit with my current technical stack? And how can I get started down this path, starting perhaps with a pilot, or maybe you have an IAM vendor that you can work with that supports passkeys. Another part is usability, and while passkeys do bring much better usability benefits, and we’re seeing great success on that front, something to contemplate is, how do I introduce this to my users? Whether it’s consumers or your employees, there is a transformation that needs to happen. So education, messaging, and marketing preparation is really important. And the good news is we made resources for all of this on Passkey Central.

These are freely available resources. We have these landmark UX and design guidelines, which have been utilized by dozens of service providers to jump-start their own passkey rollouts, that give guidance on best practices and on how to contemplate where to introduce passkeys in the user journey. And this is based on research that we’ve invested a lot of money and time into, which has given us data-driven guidance that we’re happy to share in these forums.

You kind of touched on this a little bit already, but can you talk about the user experience benefits of passkeys over passwords? Because, I mean, a lot of people seem to struggle with passwords and storing them securely, or remembering them if they’re not using a password manager. So how do passkeys differ in that regard?

I mean, we can probably spend an entire podcast talking about the problems with passwords. And so I’m going to set aside the security challenges, which we touched on earlier. The usability challenges are massive, right? So I mean, passwords have the advantage of ubiquity, right? And then you can use a password anywhere. You could even type it in on a keyboardless device or a smart TV or a car, so there’s that advantage. But other than that, the usability quotient is quite low to use passwords effectively. You should be using a very complex, hashed password that only you know. You should be using a different password for every site. So you can certainly use credential managers to do that, or you can trust yourself to do that. But most people rely on their own password practices, which means they’re probably reusing passwords, or they try to reuse passwords, and different sites make them do different things. They forget their password. They need to reset passwords, so anyone who’s gone through a password reset can talk about the pain associated with passwords, if you simply can’t get into your account, or it takes too long to get into your account.

So passkeys eliminate all that, right? When you enroll a passkey, it’s readily available across all of your devices, starting with the devices within that ecosystem. So if I enroll a passkey on my iPhone, it’s managed through Apple’s credential manager, called Apple Passwords, and that passkey is readily available anywhere I’m signed into iCloud. So that could be on my MacBook, could be on my iPad, could be my other iPhone, you name it. Likewise, same thing with Chrome, same thing with Android, same thing with Windows. So where you enrolled one passkey, it’s readily available across all of those devices.

Also, if I’m going across ecosystems, I can actually bootstrap from one to the next. For example, I shop quite a bit with merchants that happen to support Shopify. I have a Shopify passkey on my iPhone. If I go to a site on my Windows desktop that supports passkeys, one of my options is “use a passkey,” and then I click on that, I get a QR code, and I can shoot it from my phone, which basically allows me to leverage a passkey in my hand to sign in and confirm that transaction on a website I may not have an account with. But what I’ve never had to do is, you know, create an account, create passwords, set up services with a third-party site, because I can use a passkey associated with Shopify in my hand. So these are all much better user experiences.

Generally, if I kind of flip this question around a little bit: what are the benefits that businesses are seeing from deploying passkeys? There’s a couple of common KPIs. One is time to sign in. How long does it take someone to sign in? Another one is, how quickly do they sign in? And time and time again, we’re seeing much better numbers on both fronts: much quicker to sign in, especially versus legacy forms of 2FA like one-time passwords, and a much higher sign-in success rate.

And so if you’re in the business of selling things, like I mentioned, Amazon and Walmart and companies like this, this means that you will be generating more revenue. It’s creating revenue opportunities, decreasing fraud costs, all while providing a much better user experience for the consumer or for the user.