The key to simplifying and securing account creation and conversion

Chances are, Apple’s release of passkeys as part of iOS 16 in a few years will be remembered as the beginning of a revolutionary change in the way companies implement logins for their products. Do you offer three different ways to login with another company? Or rather none at all due to concerns about privacy and data ownership? Allow guest checkout so as not to lose users to horrific password requirements on the last few meters? These concerns will subside once consumers become familiar with passwords.

Passkeys are backed by strong cryptography, are stored securely on the user’s devices, and are protected by biometrics. Passkeys are based on open web standards and do not require integration with a third party. Businesses can reduce their exposure to data breaches while preparing for a cookie-free future with passwords that can be used today.

The need for accounts — and the challenges of providing them

For many companies, allowing website visitors and app users to become account holders is a matter of dining. From offering subscriber-only content, to verifying that a visitor belongs to a particular group, to easily storing personal information with creating an account, enabling more personalized and streamlined experiences.

Most companies address this by inviting consumers to create an account, either by setting a password, receiving a message with a link or code, or by creating an existing account with another company such as Google, Apple or Facebook. to use.

None of these options are worry-free. Providing password-based accounts is a very big undertaking in today’s threat landscape. Social engineering, reuse of already compromised credentials, and SIM swapping attacks are just a few examples that require systems and processes to flag suspicious logins. All this is in addition to warning users about compromised passwords, blocking automated attacks, informing about account changes, detecting and closing fake login portals, and protecting a huge amount of passwords. Message-based login mechanisms such as “magic link” also share many of these problems.

Much is at stake for those who decide to build authentication from scratch, an enterprise prone to error. For this reason, most small and medium-sized businesses are better off using a third-party identity provider for adding user accounts. With this option, the added challenge is to balance costs – especially when scaling quickly – not to mention the worries about vendor lock-in once a cap is reached with the chosen solution.

Federated login, also commonly referred to as “social” login, aims to remove the need to manage yet another password – both on the consumer and business side – while verifying identities. However, in response to events such as the Cambridge Analytica scandal, it has become increasingly difficult to maintain these third-party integrations.

Regular tasks like Facebooks Facts To use CheckApple’s new requirements for account management and other control tasks are time consuming. New uncertainty is introduced by data protection laws such as GDPR and CCPA, including topics such as data transfers between regions. Exact security specifications and guarantees are usually not available and cannot be explained to a regulator or a cyber insurance insurer. All in all, the adoption and acceptance of social logins already seems to be declining.

The hope that comes with passwords

Password keys are purposely designed to fix commonly known password weaknesses. Phishing has been tackled from the ground up by not just replacing passwords with cryptographic keys, but by strictly limiting in which context (web page domain, specific app) a passkey can be used. The server using authentication never sees the user’s sensitive private keys – and as such, it’s a much less interesting target for hackers. Users also do not have direct access to their private keys, but can only unlock them during authentication using biometrics or device passcodes.

Whether and how these security measures hold up can only be tested with time, and it would be naive to assume that passwords cannot be hacked. Still, it’s reasonable to assume that the multi-year efforts of the FIDO Alliance, the W3C, and partners such as Apple, Google, and Microsoft have resulted in one of the most secure systems out there. Passkeys will make regular browser updates even more important and eliminate the potential to steal large amounts of login data from websites or cloud-based password managers.

Still, perhaps the best part about passkeys is the streamlined experience consumers get when registering or using an account with passkeys. Creating a new account or logging in in seconds is the new norm when it comes to using passwords, but unheard of when it comes to passwords. Additional inconveniences such as periodic password changes are no longer a problem when using passkeys.

While it may be too early to know for sure, passkeys also have the potential to make multi-factor authentication (MFA) obsolete. Passkeys offer the same or even a higher level of security compared to mechanisms such as a password supplemented with an SMS as a second factor. Companies that implement passkeys can reap significant benefits in meeting compliance and security requirements, which translates directly into financial benefits in the case of cyber insurance premiums.

Passkeys are available in the real world today

At KAYAK, we started offering passkeys as the default option for creating a new account with a supported Apple device immediately when iOS 16 was released. Existing users can add a passkey to their account. In just three weeks, thousands of users created passwords for our products. Interestingly, almost 20% are existing users who have manually signed up for a more secure account. The feedback we received was overwhelmingly positive (praising tweets are not common for new login features), with ease of use being a major benefit mentioned.

Consumers who are not yet able to use passkeys will fall back to a “magic link” login, and we expect the proportion of non-passkey logins to decrease over time until large margin passkeys become the dominant login method.

The importance of planning the future of authentication today

With Apple, Google, and Microsoft all deeply committed to passkeys, there’s no doubt that passkeys will soon be available to millions of users. Supporting passwords is desirable for any organization that offers accounts.

However, it is important to understand how passkeys work correctly when planning a deployment to avoid pitfalls later. There will always be a group of users who cannot use access keys because their devices are too old or do not contain a compatible security chip or biometric capabilities. That’s why it’s important to provide at least one backup authentication method, probably less secure, that eventually becomes available only to users who can’t use passkeys.

Second, it’s important to understand that passkeys can only be accessed through the domain or mobile app in which they were created. This can cause problems when the web page address changes at a later date, i.e. when switching to a different identity provider or when changing domains during a rebrand. Allowing users to continue using their existing passkeys in such a scenario is not impossible, but very challenging.

Third, it must be recognized that we are at the very beginning of using passwords. Not all use cases may be supported yet, we don’t know when certain adoption levels will be reached. Questions such as matching out-of-the-box multi-factor security also need confirmation from regulators and other certification bodies.

Matthias Keller is Chief Scientist and SVP Technology at KAYAK.