There was a discussion on X a few weeks ago about using passkeys, and ideally biometrics, as a CAPTCHA alternative.
I love the idea – and it’s not entirely new. Other companies like Cloudflare worked on this a while ago and we at Hanko also discussed passkeys for bot protection with customers a few times. Let's dig in.
Using biometrics to make sure that an actual human is in front of your app is quite tempting. No one wants to solve the ridiculous riddles we all know as CAPTCHAs. And since the cat-and-mouse race between CAPTCHA technology and bots that automate CAPTCHA solving is ongoing, with advances on both sides, it's safe to say the time is right for a better alternative: one that's more convenient, and therefore less intrusive and no longer a conversion killer, and that offers more reliable protection against automated attacks.
At their core, CAPTCHAs serve as gatekeepers, distinguishing humans from malicious bots. Bots can inundate websites with spam, perform credential stuffing attacks (using stolen username-password pairs), or even scrape valuable data without permission. CAPTCHAs provide a dynamic challenge that's difficult for bots to solve, while still being manageable for genuine human users. By incorporating them, websites can prevent a substantial portion of automated abuse, ensuring smoother user experiences and safeguarding vital data.
Passkeys are a new way to authenticate users that works without passwords. By leveraging the security capabilities of modern devices like biometrics and secure hardware, passkeys can provide better security while being more user-friendly than both passwords and all current 2-factor authentication (2FA) methods.
Passkeys are based on the FIDO2 protocol and the WebAuthn standard. Under the hood, passkeys utilize asymmetric public key cryptography that is now an integral part of most modern operating systems, browsers, and devices. A long time in the making, passkeys are becoming almost ubiquitous. Just last week, Google announced their passkey-first authentication strategy for all Google accounts. If you're interested in building a passkey login, Hanko makes it as easy as it gets to build a passkey-first login for any app or website.
Now, back to the topic of this article.
So, can passkeys be used as a CAPTCHA alternative? The short answer is yes. If a user creates a passkey on signup or uses an existing passkey for authentication, it's currently highly likely that it's not a bot.
But that's not 100% bulletproof due to limitations in current passkey implementations. While passkeys can technically be used to assert user presence and also attest certain hardware characteristics, those features are not supported on all devices, most notably in the Apple ecosystem.
So it's currently not really possible to do a check on the hardware involved in the creation of a passkey. But that would be required to mitigate the risk of software / virtual authenticators, as that's how you would build a bot that can use passkeys. You'd want to make sure that, say, the system-level passkey infrastructure of a MacBook was used, which always requires user interaction.
Additionally, it would be ideal for the user verification method that asserts user presence on both passkey creation and subsequent authentications to be known to the server for further risk analysis. Currently, this signal is limited to "the user was verified", whereas information like "Touch ID on iPhone SE running iOS 16" or "6-digit PIN on Android 13" is not part of the platform's passkey implementations yet.
Fortunately, the capabilities that enable these use cases are already part of WebAuthn, the spec that powers passkeys. And it's not unlikely that operating systems and browsers will add support in future releases.
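To make the limitation concrete, here is an added example (not Hanko's code, and not from any library) that parses the fixed prefix of a WebAuthn authenticatorData blob and shows exactly how little a relying party learns: the UP and UV bits say "a user was present and verified", but nothing about how, and with attestation format "none" (the usual case for platform passkeys) there is no way to tell a hardware-backed authenticator from a software one. The relying party ID "example.com", the sample flag combinations and the three-level verdict are assumptions for the demo.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit layout of the WebAuthn authenticatorData "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present: the authenticator claims a user gesture happened
FLAG_UV = 0x04  # User Verified: PIN/biometric claimed, but the method is not reported
FLAG_BE = 0x08  # Backup Eligible: credential may be synced across devices
FLAG_BS = 0x10  # Backup State: credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the 37-byte fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = raw[:32], raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    bool(flags & FLAG_BE), sign_count)


def human_signal(raw: bytes, rp_id: str, attestation_fmt: str) -> str:
    """Grade a passkey ceremony as a "human" signal: 'strong', 'weak' or 'reject'.

    Assumes the signature over authenticatorData and any attestation statement
    were already verified; this function only interprets what the data asserts.
    """
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject"  # bound to a different relying party; never trust it
    if not (ad.user_present and ad.user_verified):
        return "reject"  # no UP/UV: nothing claims a person acted at all
    if attestation_fmt == "none":
        return "weak"    # UP/UV are self-asserted; a software authenticator can set them too
    return "strong"      # verified attestation lets the RP reason about the hardware


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a constructed authenticatorData prefix for testing (no real authenticator involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

The "weak" branch is the whole point of the article: until platforms ship attestation and report the verification method, a relying party cannot distinguish a biometric on a real device from a bot driving a virtual authenticator that simply sets both bits.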
Until then — yes, a passkey is a strong signal for a human. But in the current ecosystem it's at least theoretically possible to automate passkey creation and usage.
W3C WebAuthn / FIDO Alliance:
Cloudflare:
Building a WebAuthn Click Farm by Luke Young: https://betterappsec.com/building-a-webauthn-click-farm-are-captchas-obsolete-bfab07bb798c