Efforts to phase out passwords gained a burst of momentum this week as Google rolled out passkeys, a secure and frictionless form of password-free login credentials. This enables billions of users to log into their Google Account on all major platforms. And yes, this includes Google Sign-in, the most popular social login with 54% market share. It’s everywhere. Users can even use passkeys to secure their password vault in Google Password Manager.
Passkeys were released in 2022, but they have not yet been widely adopted. However, Google’s move holds the potential for sweeping change. With passkeys, users simply log in with a fingerprint or facial biometric. In one simple action, users present two factors: a biometric and a private key on their device. Passkeys leverage FIDO standards, which are founded on strong cryptographic methods.
Previously, you could use passkeys with a Google account, but it still required a password. Now, using passkeys, Google completely replaces passwords — the greatest risk and source of friction is gone. In this blog we’ll explain why that’s a game changer and what Google’s passkeys rollout means for your business. But it’s not picture perfect; when we solve one problem, new problems arise. As such, we’ll also cover a few weaknesses of passkeys and how to secure them.
Why replace passwords and legacy MFA?
First, we all know passwords are phishable, stuffable and guessable — the root cause of 81% of all security breaches. When passwords are stolen, leaked or purchased, bad actors use credential stuffing to take over other accounts. And it’s easy given that 84% of consumers reuse the same or similar passwords for many accounts. All threats that target or use passwords are highly successful and are only getting worse as bots automate attacks.
At the same time, passwords create a terrible customer experience. They’re hard to remember and too often lead to lockouts, sending the user through a friction-filled reset process or leading them to drop off entirely. That’s lost business! And because passwords are weak, we strengthen them by adding one-time passcodes, email magic links or knowledge-based questions. All of these methods further degrade the customer experience, impacting your bottom line.
How do passkeys solve these problems?
Passkey-based credentials are secured by public-private key cryptography, proven to prevent credential stuffing, phishing and a growing number of attacks aimed at OTPs. In terms of improving UX, passkeys remove the need to remember passwords, switch contexts or have additional devices on hand to complete two-factor authentication with an OTP or magic link.
As an extension of FIDO passwordless authentication, passkeys can be used across multiple devices, solving a limitation of FIDO credentials, which are otherwise bound to a single device. It’s why Apple, Google and Microsoft saw the urgency to adopt passkeys. They add multi-device support by syncing the encrypted passkey credentials, which the user unlocks with a biometric, to other passkey-supported devices through the cloud.
The strategy for Google is to enable passwordless authentication for their user base by leveraging industry standards. It’s a clear message that strong passwordless MFA should now be a priority for any organization, regardless of whether the user base is B2E, B2B or B2C.
How do Google passkeys work?
To create a passkey for your personal Google account, visit http://g.co/passkeys to set one up. Upon clicking the link, Google will prompt you to create a passkey by first authenticating with your existing sign-in method. After authenticating, you can enroll using a face scan, fingerprint or PIN on your device; that biometric or PIN is stored only locally and is not shared with Google or third parties.
Once a passkey is created, Google will prompt you to sign in with your passkey on future attempts across the Google ecosystem, sidestepping the need to enter passwords or complete two-step verification. Google passkeys work not only in Chrome: users can enroll in passkeys in other browsers like Safari as well, although they will need to create a separate passkey for use in another vendor’s ecosystem.
How will Google passkeys change the authentication landscape?
Expect demand for passwordless to accelerate
So far, passwordless has been predominantly the purview of workforce authentication, but Google’s announcement extends the convenience and security of passkeys to customer authentication. This sends a resounding message across the industry, a call to embrace identity-first security principles.
In tests so far, Google has stated that login success rates were higher for users who sign in with passkeys as compared to passwords, as reported in Wired. This is no surprise to us at Transmit Security, having led millions of customers through the passwordless journey, including the world’s largest passwordless implementation with Citigroup. As leaders in FIDO-based passwordless authentication, our case studies have shown that given the option, a majority of end users choose to enroll in passwordless and those who do demonstrate increased user engagement with applications.
Fraudsters will seek passkey vulnerabilities
As passkey adoption increases and potentially becomes the new normal for identity and authentication, fraudsters will try to find and exploit vulnerabilities in this new technology. Typical FIDO scenarios never transfer private keys over the web, but as we know, passkeys are shared across multiple devices via the cloud or Bluetooth. These methods of transferring credentials, albeit encrypted, may present opportunities for hackers. History tells us they will certainly try.
We have already seen this today with basic MFA. Attackers have exploited popular MFA techniques (e.g. SMS or out-of-band push authentication) by constantly prompting users, invoking what’s called “MFA fatigue.” With more organizations embracing MFA, more bad actors are employing MFA fatigue tactics to compromise these so-called secured accounts.
Similarly, it should be expected that passkeys — despite providing great CX and security benefits — will be subject to evolving threats, and additional measures will be needed to harden passkey security against these threats. Some of the key vulnerabilities to address include:
- Shared devices: Syncing passkeys through Google Password Manager means that all of a user’s shared devices within the Google ecosystem will automatically have passkeys stored on them. This presents potential security and privacy challenges if passkeys are synced to unregistered, shared devices — a phenomenon known as passkey leakage, which we discuss in our Authentication Services brief.
- Lost or stolen devices: When device PINs are used in place of biometrics to authenticate passkeys, they remain vulnerable to a number of attacks, such as shoulder surfing, which can allow bad actors to gain access to user accounts and data.
- Fallback to legacy authentication methods: In the event that a user is not able to authenticate with their registered passkey, they fall back to their legacy authentication method, such as a password or OTP, resurrecting the risks of phishing and other attacks that legacy authentication presents.
- Protecting cloud accounts: Social engineering, a constant and evolving risk, could be used to gain access to Google Password Manager or other cloud accounts where passkeys are stored, especially if the account is not protected by two-factor authentication.
- The need for risk-based monitoring: Although non-phishable MFA provides superior protection during authentication, passkeys do not provide continuous risk and trust assessments throughout the user journey to protect against session hijacking and other attacks that target users after login.
How Transmit Security improves passkey implementation
As organizations aim to improve overall security with identity-first security principles, MFA has become a standard practice. Unfortunately, basic MFA will no longer suffice. Security and identity leaders must move to non-phishable credentials, based on strong cryptographic standards such as FIDO and passkeys.
Businesses will need to accelerate their support for passkeys, ensure a consistent user experience across environments (including edge cases), and fortify the security of passkeys in applications and websites that are frequently targeted for fraud, such as financial applications and e-commerce, using additional security and risk detection methods to strengthen the benefits of passkeys and overcome their limitations.
Transmit Security Authentication Services helps businesses meet each of these challenges, ensuring a fast, secure and successful rollout of passkeys support:
- Accelerating deployment: By providing prebuilt user flows and interfaces as well as extensive testing, Transmit Security eliminates the need to design, build and continuously test registration, authentication and recovery flows for iOS, Android and web environments, reducing the time to value and ensuring that edge cases do not create complications. We also provide support for complex scenarios such as backchannel authentication, transaction signing and authentication on devices that do not have a web browser.
- Securing vulnerabilities: As explained in our blog on securing passkeys, we mitigate risk across the user lifecycle through native integration with Detection and Response Services that leverage machine learning to detect anomalies in usage that may indicate fraudulent registration and usage of passkeys.
- Strengthening and improving recovery: Device fingerprinting with 99.7% accuracy helps businesses determine whether devices used for recovery were previously registered with passkeys, while rich telemetry assesses risk during cross-device recovery, reducing the need to fall back on legacy authentication methods that degrade security and user experience.
While passkeys provide users with stronger login credentials, they do not provide the ability to dynamically assess trust throughout the user lifecycle, and registering passkeys ultimately requires users to enroll and authenticate with the same legacy methods that are increasingly compromised by bad actors.
By natively integrating passkeys with a complete and modular set of identity services, including Detection and Response Services for risk, trust, fraud, bots and behavior, Transmit Security enables continuous adaptive trust that takes into account the full context of user behavior. This best-in-class risk engine, as well as natively integrated Identity Verification Service, can also be leveraged to ensure that the right user is enrolling in passkeys, preventing fraud during registration.
Expedite your passkeys deployment
The time for businesses to implement passkeys is now. As customers grow more familiar with passkeys and adoption increases, customer demand for passkeys support will grow, further diminishing conversions for accounts protected by legacy authentication methods. To learn more about how you can quickly and securely implement passkeys, check out our Authentication Services or contact sales to set up a personalized demo today.