An important announcement came out this Monday from PayPal. Starting immediately, PayPal customers can drop their password and use their device's own authentication to log in and check out. This announcement has a significant impact on both customer experience and customer security. PayPal is leading this new passwordless era as one of the first in the financial and retail space to ship it at scale.
NOTE: This recent news on PayPal is another important marker on the broad adoption of passwordless authentication from trusted brands. Citi – in partnership with Transmit Security – shared their story and learnings on rolling out FIDO2-based passwordless authentication to 200 million customers at this year’s Authenticate 2022.
So what did PayPal do? They've implemented the relatively new passkeys experience, which lets customers use the authentication method offered by their device instead of typing a password. For example, a customer with an iPhone can use Face ID® to authenticate; a customer with a Mac® can use Touch ID®. No need for passwords.
Passkeys are a more secure authenticator than usernames and passwords. A passkey is a public-key credential: the private key never leaves the customer's device, the website stores only the public key, and every sign-in is a signature over a fresh server challenge that is bound to the website's origin. That is why the method is resistant to phishing and social engineering: there is no reusable secret a hacker can trick the user into typing, capture in transit, or replay against the account. This new login option from PayPal will roll out first to iPhone, iPad and Mac users on PayPal.com, with expanded support for other platforms over time.
But many applications already allow customers to use Touch ID and Face ID, so how is this different?
We can actually look at three milestones in the evolution of passwordless authentication.
Milestone 1: On-device authentication for mobile apps
First came the interfaces that Apple® and Google® released for their mobile OSes and apps. These interfaces allow a mobile app to use on-device authentication to gate access to the app. On-device authentication refers to the authentication methods offered by the device itself, for example face recognition, fingerprint scanning or even a passcode. The difference here is that these methods are implemented by the device, whether a phone, tablet or computer, and the device is responsible for verifying the customer. The app is just leveraging this device capability. Note that in this milestone the biometric check is purely local: what the app then sends to its server is still whatever token or secret the app chose to protect behind that check, so the server-side credential is not yet a phishing-resistant one.
Milestone 2: WebAuthn
The second milestone was the WebAuthn standard, which expanded this capability to web applications, not just mobile apps. With WebAuthn the website (the relying party) registers a public key for the customer, and each login is a challenge-response: the browser asks the device's authenticator to sign a server-issued challenge, and the authenticator does so only after the customer has verified with Face ID, Touch ID, a PIN or a security key. So now websites that run in a browser can invoke the on-device authentication process just as mobile apps do. WebAuthn is a significant evolution because it allows online businesses to offer the same passwordless, on-device authentication experience across both mobile apps and websites.
Milestone 3: Passkeys
The third milestone is the passkey. Passkey is the common term for multi-device FIDO credentials, introduced by the FIDO Alliance to overcome a very specific limitation of WebAuthn as originally deployed: the private key was bound to the device that created it. Customers could register a device for passwordless authentication, but as soon as they moved to another device they had to register that device again. The registration process can be complicated and creates friction.
With passkeys, Apple, Google and Microsoft each synchronize the customer's keys across that customer's devices through the platform's own credential manager (there is no single cross-vendor sync; each ecosystem syncs within the devices signed into the same account). For example:
- I register my iPhone for passwordless authentication to website “A”
- I also have a Mac
- I can use my Mac to authenticate to website "A" with Touch ID on my Mac, without having to register my Mac for passwordless.
- Apple in this case takes the authentication key that was created on my iPhone and synchronizes it with my Mac through iCloud Keychain. This is the case for all the Apple devices I have that are signed in with the same Apple ID.
Passwordless, and specifically FIDO standards, will continue to evolve.
Helping to make true passwordless authentication a reality today
At Transmit we're working with some of the biggest financial institutions and retailers in the world on passwordless and passkey projects. We definitely see a change from a year ago, when just a handful of organizations were considering going fully passwordless, to today, when many are making the move. As a vendor that consults for and helps the largest organizations in the world implement their passwordless strategy, there are a few areas we recommend you pay attention to:
- Account takeover methods are different
Everything you know about preventing customer account takeover changes with passwordless and passkeys. The attacks are different, their timing is different and the technologies needed to detect them are different. Also note that cybercriminals love these changes in customer behavior, because a migration gives them cover for creative and successful campaigns against your customers. So make sure you have the right controls in place to detect and prevent account takeover both during the migration of your customers to passwordless and after it. We've seen some organizations hit heavily by fraudsters during that period, so be prepared.
- Testing complexities are real
Testing passkeys and on-device authentication is technically challenging. There is no simple way of testing how on-device authentication behaves across all devices, browsers and OSes without a lab of every device and configuration and a lot of manual effort. Automation breaks when it comes to on-device authentication because browser and OS vendors constantly change their implementations over time. Ongoing testing cycles are required, and they are costly.
- Design and refine customer registration flows thoughtfully
Registration flows using passkeys and passwordless authentication can make all the difference in terms of customer adoption (or confusion) and the volume of support calls you get. If not designed and managed properly, you may end up with frustrated customers and frustrated executives.
- Factor in the user experience edge cases
There are lots of dependent and moving parts your user's experience will rely on. These can break the experience if not considered and designed for up front. A few edge cases to consider include:
- Registrations that are deleted on the device
- Device settings that block the information you need
- Faulty authentication hardware
- Customers switching from a supported device to an unsupported one and losing access to their account
You need to factor these, and other scenarios, into your design so your service can gracefully handle the non-optimal situations.
- Accelerating your time to market
PayPal has been on the FIDO Alliance Board for many years and has had teams working on these passwordless projects for years, building a lot of expertise. Transmit has been on the FIDO Alliance Board as well. We know the protocols and their challenges inside out and can help you navigate them. If you're getting into this world right now and are looking for fast returns, you should get expert advice and support.
Interested in learning more on how to run a successful passwordless project? You can start with this run-down from one of Transmit Security’s customers, Matt Nunn, Director, Global Head of Identity & Access Management Engineering for Citi or contact us. We’re helping teams across industries and across the globe take full advantage of passwordless authentication.