You may have read about passkeys and their capabilities to replace passwords. Following recent passkey announcements from Apple and Google, payment app PayPal issued a press release that they are shipping passkey support gradually to their user base worldwide. Right before that, travel specialist Kayak.com was the first major website to launch their passkey implementation to their website and their iOS app. All this resulted in quite some buzz around the new authentication technology in the past few weeks.
Passkeys are a new authentication standard, created to replace passwords. We've written about passkeys here and we also run passkeys.io, an info page with a passkey-first account demo.
If you’re running a website or app, be it with an existing user base or just starting, you may be wondering: are passkeys for me? Is this something I should think about, let alone spend time on to plan and implement support for my project? Then this article is for you. We’ll lay out what to expect from passkeys today, and what to expect from them over the coming months. Let’s start with today.
With iOS16 and macOS Ventura already released to billions of Apple devices, users on latest Apple hardware can fully benefit from the password successor and sign up to your app or website with just a passkey, i.e., their face, fingerprint, or device PIN. The latest Safari update even brings passkey support to older MacBooks.
Here’s a list of devices where you can expect passkeys to fully work and that also support synchronization through iCloud Keychain, meaning a passkey created on any device is immediately available on all devices signed in to the same iCloud account:
‍
There’s one detail to be aware of: passkey sync is currently only available when using Safari. Chrome for Mac also supports passkeys, but those are still “single-device passkeys”, meaning they only work on the device where they’ve been created. But it is expected that Apple will open the passkey API soon™ so that other applications than Safari (e.g., Chrome, Firefox, native Mac apps) can also access the “Apple platform authenticator” and the passkey sync fabric that Safari currently uses.
‍
Android’s passkey support has been in beta testing for a few weeks now. It requires Google Play Services Beta as well as Chrome Canary. Passkey synchronization on the Google Account is done via Google Password Manager, similar to Apple’s iCloud Keychain passkey feature.
Judging by the stability of the implementation, we expect that Google will hold their promise and ship the required Play Services update to all Android devices running Android 9 and newer before the end of 2022. Until then, Android users cannot use passkeys. But after the update, they immediately can.
‍
Windows 10 and 11 ship with Windows Hello, which currently supports single-device passkeys. Windows Hello is the platform authenticator on Windows – basically the “API” that is still missing on macOS, see above – that Chromium browsers (Edge, Chrome) as well as Firefox can access to create and use (single-device) passkeys and the device’s authentication mechanisms like fingerprint, facial recognition, or a PIN.
Windows Hello will get a major update in the next months that adds full passkey support, most probably including a passkey synchronization feature as part of the Microsoft Account system, similar to the iCloud Keychain and Google Password Manager implementations.
One thing we observe is that Windows Hello may not be enabled for some users. It is an optional feature that can be disabled during Windows installation.
‍
In theory, or in a controlled environment, yes. But we would not recommend doing that for external user logins just yet. There will be situations where your users lose access to their passkeys, or where they want to sign in to your services on a device that does not (yet) support passkeys.
For those reasons, the best way to approach passkeys is as an add-on to whatever authentication methods you are currently supporting. Although passkeys are much more secure than passwords, offering them alongside passwords is perfectly fine - as the first step towards a passwordless future.
As more and more services support passkeys, more and more users will adopt the new authentication method and learn the new paradigms.
The next steps may be prioritizing passkeys above other methods and allowing the users to delete their passwords, and then, if most users have done that, only then is the time to build a login purely on passkeys. Until then, keep the password, but maybe start getting used to the fact that it won’t be around for much longer.
We’ve built Hanko to accompany you on this journey.
‍