In a nutshell: The adoption of passkeys, the much-heralded passwordless authentication technology, has made significant strides over the past year but has fallen short of some ambitious predictions from 2024. While the technology has proven effective in streamlining logins to a simple fingerprint tap, many companies remain hesitant to embrace this innovation, seemingly stuck in the past.
Andrew Shikiar, CEO and Executive Director of the FIDO Alliance has been a vocal advocate for passkeys. PC Mag notes that Shikiar didn't mince words about the current state of password security.
"Long story short, passwords suck," he said during a panel on identity and authentication in Washington DC, last week.
Shikiar highlighted the growing vulnerability of multi-factor authentication to sophisticated phishing attacks, particularly as attackers leverage generative AI to craft increasingly convincing emails. In contrast, passkeys offer a robust defense against such threats.
"Passkeys can't be fooled by phishing sites since the quick and silent exchange of cryptographic keys that makes them work won't even start without the correct site involved," Shikiar explained.
He cited impressive adoption figures from tech giants, noting that Amazon has created 175 million passkeys while Google has enabled them for over 800 million accounts. They are also much faster and easier to use than traditional authentication methods.
Microsoft reports that signing in with a passkey is three times faster than using a password and eight times faster than a password with multifactor authentication. Google's data shows a 63.8 percent authentication success rate for passkeys, compared to just 13.8% for passwords.
Despite these promising numbers, passkey adoption has not quite reached the lofty goals set in previous years. Last year, Shikiar predicted that passkey-enabled accounts would reach 20 billion by 2025. However, by early January, the figure stood at just over 15 billion. While this represents significant growth, it falls far short of his and others' projections.
"We're in a phase of strong adoption," Shikiar told PC Magazine after his presentation. "But it's still early adoption."
Shikiar expressed disappointment in the slow uptake among airlines and hotel chains, industries he had identified as prime candidates for passkey implementation. However, he remains optimistic about the future. Shikiar still believes that travel and hospitality will drive growth in 2025, pointing to the convenience of biometric authentication compared to traditional passwords. He also hinted at an upcoming passkey rollout by a major American bank, though he declined to provide specifics.
Humans are resistant to change, and unless there is a compelling reason to move away from the status quo, they would rather stay where they are, even if it's less convenient. Therefore, companies must create a slick user experience (UX) to get more people on board.
"A lot of companies that are employing passkeys are still improving their user experience," Shikiar noted.
Aside from the UX, the enthusiasm of OS and browser vendors in promoting their passkey services has led to a confusing array of prompts for users. This fragmentation in the passkey ecosystem has drawn criticism from security experts.
"There are too many cooks in the kitchen, and each one thinks they know the proper way to make pie," Ars Technica's Dan Goodin opined suggesting there should be a universal standard.
Passkeys reach 15 billion accounts but fall short of expectations so far
