The long road to passkeys: When will they become mainstream?

26 Mar 2024

FIDO Alliance CEO and executive director Andrew Shikiar.

As more big companies are showing support for passkeys, FIDO Alliance CEO Andrew Shikiar believes that our dependence on passwords will be gone in several years.

As passwords continue to be criticised as a serious weakness for cybersecurity, the alternative method of passkeys is gaining traction.

Because passwords can be stolen, reused across multiple accounts, or simply be easy to guess, they are constantly exploited by cyberattackers, whether the target is a single individual or a larger organisation.

A report from VPN service provider Surfshark last year claimed that 9.5bn passwords had been leaked since 2004, leading to billions of unique email addresses being compromised. Meanwhile, there are studies warning that AI could be used to guess passwords with very high accuracy by listening to what people type on their keyboards.

The FIDO Alliance, an open industry association that is looking to reduce reliance on passwords, claims that passwords are the root cause of more than 80pc of data breaches.

With these concerns in mind, certain organisations have been making the move to passkeys, which are designed to be more secure and convenient for users to sign in with than passwords. Certain tech giants like Google and Microsoft showed support for a “passwordless future” last year, with Google rolling out passkey support in May 2023.

Recently, Sony announced passkey support for its PlayStation 4 and PlayStation 5 customers, pushing this form of sign in to the gaming sector.

But how long will it take for passkeys to become the dominant form of sign in for people? FIDO’s executive director and CEO, Andrew Shikiar, told SiliconRepublic.com that he believes our dependence on passwords will be gone in “the next several years”.

“We want to see half the top 1000 sites supporting passkeys by 2026,” Shikiar said. “And I think that’s actually attainable, if you look at the progress we’ve seen this year.”

How do passkeys work?

The growth of passkeys appears to be ramping up, but Shikiar said that passwords have been a problem for a long time, with people wanting to remove them “ever since really the history of the internet”.

In 2004, Microsoft founder Bill Gates declared that passwords were on the way out as they can’t “meet the challenge” of keeping critical information secure.

“The reason why it has taken so long is because it’s difficult to do,” Shikiar said. “Passwords are ingrained in the fabric of the internet and that’s been a major problem, in the sense that passwords are the leading cause of data breaches.”

Shikiar said concepts like two-factor authentication have been created over the years to try to “mitigate the shortcomings of passwords”, but he said these security measures are still “easily bypassable”.

The way passkeys differentiate themselves from passwords is through the use of “public key cryptography”.

“With public key cryptography, what you have instead is a virtual key pair, if you will, with what’s called a public key that sits on a server. And then the private key is the valuable part that sits on the user’s device.”

To activate the private key, a user needs to verify themselves locally using “typically a biometric”, a security key or something else that involves “possession-based authentication”.

“So attackers now must literally be in possession of your device and you to take over your account,” Shikiar said. “And that thwarts the phishing attacks that really are the source of so many of the problems that we see.”
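An added example, not from the article or from FIDO's specifications: a simplified Node.js model of the key-pair sign-in described above, showing the server-side checks that make a phished, replayed or altered response useless. The origins, function names and message layout are assumptions for illustration; real WebAuthn signs a different byte layout.

```javascript
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://shop.example'; // constructed relying-party origin

// Registration: the device creates the key pair; only the public key is sent to the server.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { serverRecord: { publicKey }, device: { privateKey } };
}

// Server: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Device: the browser (not the page) fills in the origin it is talking to,
// and the private key signs the challenge together with that origin.
function signAssertion(device, challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({ challenge, origin: originSeenByBrowser });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check the signature first, then the challenge, then the origin.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  if (!valid) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'stale-or-replayed-challenge';
  if (origin !== RP_ORIGIN) return 'wrong-origin';
  return 'ok';
}

// Constructed scenarios: a genuine sign-in and three responses the server must reject.
function demo() {
  const { serverRecord, device } = registerPasskey();
  const c1 = newChallenge();
  const genuine = signAssertion(device, c1, RP_ORIGIN);
  const c2 = newChallenge();
  // A look-alike site relays challenge c2, but the browser records the look-alike's origin.
  const phished = signAssertion(device, c2, 'https://shop-example.login.test');
  const tampered = { ...genuine, clientData: genuine.clientData.replace(c1, c2) };
  return {
    genuine: verifyAssertion(serverRecord, c1, genuine),
    phished: verifyAssertion(serverRecord, c2, phished),
    replayed: verifyAssertion(serverRecord, c2, genuine),
    tampered: verifyAssertion(serverRecord, c2, tampered),
  };
}
```

The server stores nothing an attacker can reuse: the public key only verifies, and each signed response is bound to one challenge and one origin.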

The recent boons for passkey growth

Shikiar said FIDO has been working for more than a decade to reduce the reliance on passwords and to improve the ease with which passkeys can be used. In 2019 the organisation created FIDO2, as a way for people to easily authenticate themselves to online services through both mobile and desktop devices.

Shikiar said that roughly a year and a half ago they adopted a way to allow private keys to be “securely managed across the cloud”. This means that if a user enrols one device with a particular service, that becomes “automatically available on the next device”. He described this as an “explosive” change, as it reduced a barrier to scaling up the use of passkeys.

He noted that last year saw “all sorts of major services” start supporting passkeys and that Sony is now “the latest on this front”. While security is a key benefit for the adoption of passkeys, Shikiar said there are also competitive benefits for companies like Sony moving to support them.

“A lot of the early adopters have been companies whose primary objectives are about enabling access, avoiding password resets, avoiding abandonment, making sure that people can get on to consume services as quickly and as easily as possible,” he said.

“So passkeys introduced a way for them to actually make an easier way for gamers to sign on to things whether it’s on their own console or visiting someone else’s house.”

The future of passkeys

Shikiar hopes that over time, consumers will see both the security and the convenience aspects of passkeys and start expecting it as an option, while businesses start seeing it as a “competitive advantage” to offer passkey support.

He noted that the early adopters of passkeys were companies in the e-commerce and content sectors – companies such as PayPal and Shopify – because passkeys accelerate “access to services and it accelerates commerce”.

Research from FIDO suggests nearly half of US consumers have abandoned a purchase online due to forgetting a password. With potential financial benefits for companies, Shikiar believes sectors such as travel, hospitality and airlines will be some of the next big adopters of passkeys.

Meanwhile, Shikiar said the banking sector has been slower to adopt passkeys as there can be “a lot of stringent policies” that can make banks more “reticent”.

“So the one thing about the key synchronisation that we enable through passkeys is it’s really good for access,” he said. “But having a super-high level of assurance, that can present some challenges.

“For example I can share opacity. And so banks generally don’t like that, they want to know that is me. So what we’re learning is finding ways to accomplish the same goal using passkeys.

“So you can do passkeys plus added types of proofing – identity proofing, using risk signals, other things – to give higher levels of assurance for banking that this is the customer that they assume it is. I think banking will be the next wave and we’ll start seeing that wave in 2024 and 2025.”

Shikiar appears hopeful that passkeys will become the default method of signing in in the near future and that while passwords won’t be eliminated entirely, they will “fall into the background” as passkeys are adopted more widely.

“The tipping point for this is going to be when there’s past passwords that are used so infrequently that they become an anomaly,” he said.


Leigh Mc Gowran is a journalist with Silicon Republic
