Unlocking a Passwordless Future: The Case for Passkeys
With passkeys becoming the default and organizations like Okta and Google championing passwordless authentication, the death of the password is in sight.
Passwords have long outlived their usefulness, yet they stubbornly persist as the default for authentication. 61% of consumers believe passwords are inherently insecure, while 47% find them inconvenient and frustrating. Individuals juggle over 100 passwords on average, which is exactly why password reuse is rampant and why phishing keeps working.
"We've been dependent on passwords for 60 years. That's a long time for a technology most agree has failed us," said Andrew Shikiar, Executive Director of the FIDO Alliance, an industry consortium creating standards for passwordless authentication.
At the recent Oktane 23 conference, Okta, a leader in identity management, made waves by announcing support for passkeys in its Customer Identity Cloud (CIC) platform. Passkeys are emerging as a leading passwordless successor, providing a more secure and seamless sign-in experience.
What Are Passkeys?
Passkeys use public key cryptography instead of shared secrets. At enrollment the user's device generates a key pair for that specific site and sends the server only the public key. To sign in, the user unlocks the device with a biometric or PIN, and the device signs a one-time challenge from the server with the private key; the server checks the signature against the stored public key. The private key never leaves the device, so no reusable credential crosses the network or sits in the server's database.
Passkeys offer multiple advantages over passwords:
- Phishing resistant: There is no secret to type, so a fake login page has nothing to capture. A passkey is bound to the website it was created for, the browser refuses to offer it on a lookalike domain, and the signature covers the origin the browser actually saw, so a relayed login is rejected by the server.
- Easier: The browser can discover which passkeys the user holds for a site and offer them at sign-in, so there is nothing to remember or type. Users get a fast, familiar biometric login.
- Secure: The private key is generated and held by the authenticator and relies on proven public key crypto. Servers store only public keys, so a breached credential database yields nothing an attacker can replay.
- Portable: Synced passkeys are backed up through the platform vendor's or a password manager's encrypted credential store to the user's phones, laptops, and other devices, giving a consistent experience. Device-bound passkeys, such as those on a hardware security key, stay on the one authenticator that created them.
"Passwords alone are not secure to protect users' identities," said Okta's Shiven Ramji. "Passkeys should and can replace passwords."
Google is also betting big on passkeys, recently announcing it will enable passkeys as the default option for Google accounts. As Christiaan Brand, Group Product Manager at Google, wrote, "We’ll keep you updated on where else you can start using passkeys across other online accounts. In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys — making passwords a rarity and eventually obsolete."
Okta Bets on Passkeys for Passwordless Future
With robust security and usability improvements, why haven't passkeys displaced passwords already?
The catch is that widespread adoption depends on easy integration. Okta is removing friction by supporting passkeys natively in its customer identity platform, used by over 17,000 organizations worldwide.
"By supporting passkeys with simple configuration, Okta empowers any organization to embrace a passwordless future today," said Vittorio Bertocci, Principal Architect at Okta. (Note: Vittorio passed away shortly after Oktane. Read a Celebration of a Titan in the Identity Industry to see his impact on the industry and its people over the past 25 years.)
Organizations can enable passkey authentication alongside passwords with no code changes required. Users see the passkey option at sign-in, allowing gradual migration.
Behind the scenes, Okta handles critical flows like enrollment, sign-in, and account recovery. Admins gain centralized visibility and control over passkey users.
"Achieving ubiquity for passkeys requires ensuring a seamless developer experience. We're doing our part by making sophisticated passkey support easy, whether building new apps or updating existing ones," Bertocci explained.
Overcoming Hurdles to Adoption
Transitioning the world's consumers and workforce away from passwords won't happen overnight. As Shikiar noted, "It's important not to lose sight of the problem, but also the difficulty in replacing passwords."
Jameeka Aaron Green, CISO of Okta's CIC, said collaboration across security, IT, and business leaders is critical but often lacking. They must align on an identity-focused roadmap for rolling out passwordless capabilities like passkeys with supporting technologies.
"CISOs are not thinking about it enough," said Green. "When credentials are compromised, that's when the CISO gets involved." She argued they need a seat at the table for long-term planning.
Driving adoption requires focusing on user experience and education. Okta's research found 25-30% of consumers have questions and concerns about new authentication methods.
"A lot of adoption is psychological. People are used to passwords," said Green. Clear communication and training are key to overcoming inertia.
There are also unique considerations on the workforce side. Shikiar noted that passwords may linger longer there while consumer apps move more quickly.
Hardware security keys are another passwordless approach gaining traction for employees. Okta is deploying these for new hire onboarding, with users productive in hours instead of weeks.
"It's easier to onboard new employees without passwords," said Green. "It's two hours versus two or three weeks."
How Developers Can Accelerate the Passwordless Future
Developers play a crucial role in driving passwordless adoption. Here are some tips on how to advance the future of authentication:
- Enable passkey support: Follow Okta's lead in adding passkey functionality using standards like WebAuthn. Make it an option alongside passwords for a gradual transition.
- Educate users: Communicate to users the security and experience benefits of transitioning to passwordless login. Show them how easy it is to use biometrics.
- Prioritize passwordless: For new features, make passwordless the primary option during development. Only fall back to passwords as a secondary approach if needed.
- Spread awareness: Highlight passwordless capabilities when marketing products and features. Share developer experience stories on channels like blogs and social media.
- Provide feedback: Product vendors rely on developer input to refine the passwordless experience. Try new offerings and give candid, constructive feedback.
Developers hold significant influence over which technologies get adopted. By embracing and evangelizing passwordless, they can tip the scales away from outdated password reliance sooner.
How Businesses Can Improve Experiences With Passwordless
Enterprises and business owners also play a pivotal role in driving passwordless adoption. Here are some tips on how they can accelerate the future of authentication:
- Lead by example: Enable passwordless for employee login and access. Show it improves experience and productivity.
- Educate customers: Communicate the security and convenience benefits of passwordless when marketing products and services.
- Incent enrollment: Offer perks for customers who enroll in passwordless options like passkeys to drive adoption.
- Highlight protection: Reassure customers their biometric data stays on their device when using passwordless.
- Plan for the future: Develop a roadmap for steadily expanding passwordless capabilities across products.
By championing passwordless authentication, businesses can significantly reduce login friction and account takeovers, boosting customer satisfaction, loyalty, and lifetime value.
The Path to a Post-Password World
How long until passwords meet their demise?
"We'll reach a tipping point where passkeys become the norm and passwords the anomaly," predicts Shikiar. "I foresee that happening in the next five years."
Green expects consumer applications will begin requiring passkeys once a critical mass adopts them. She points to how Google auto-enrolls users into passkeys now with opt-out.
Organizations like Okta, Microsoft, Apple, Google, and the FIDO Alliance are steadily building the passwordless foundation.
As Shikiar concluded, "It's incremental progress until it's not. And the future will become self-perpetuating."
In short, the passwordless snowball is steadily accumulating momentum. Okta's push into passkeys signals that it's rapidly approaching critical mass. For CISOs and security leaders, that's welcome news.
Passwords have passed their expiration date. With consumers eager for a better experience and threats looming, the passwordless future is now within reach.