The Benefits of Passkeys in CIAM: A Password-less Future

19 September 2023 | Thomas Johnson

Some in the cybersecurity landscape are betting that passkeys are just around the corner as a replacement for password authentication, and I couldn’t agree more. Today, organizations are embarking on a password-less journey to deliver a frictionless and secure modern user experience (UX) in their Customer Identity and Access Management (CIAM) stacks. In this blogpost, I will tell you why you should be using, or at least thinking about, passkeys as part of your CIAM password-less journey.

Protecting Accounts from Data Breaches

Customers want to know their data is safe. IBM has reported that in 2022 the average cost of a data breach was over 9 million dollars, mostly attributed to compromised passwords. [1]

To combat this threat, security teams have put strong authentication flows in place, with password policies that require more stringent passwords and additional MFA steps in the flow. Even with these efforts, compromised passwords still plague the industry.

Enhancing User Experience (UX): The Consumer’s Desire for Seamless Authentication

Consumers don’t want a lot of friction when signing up for or signing in to their accounts. If they get frustrated with the user interface, they may go elsewhere, which results in lost revenue for you. For every dollar you invest in your user experience, your company can earn additional revenue through fewer abandonments and greater customer loyalty.

A survey of 3,400 consumers in the U.S., UK, Australia, France and Germany conducted by Ping Identity and Wakefield Research in mid-2021 found that “56% of online consumers have abandoned an online service when logging in was too frustrating,” and that “63% of consumers are likely to leave an online service for a competitor who makes it significantly easier to authenticate.” [2]

Balancing Strong Security with Exceptional User Experience: Is It Possible?

The short answer is a resounding yes! In March 2022, the FIDO Alliance – an industry group dedicated to “solving the world’s password problem”, whose members include Apple, Google and Microsoft – announced a way to store digital keys securely and sync them between a user’s devices, which it called “multi-device FIDO credentials” or simply “passkeys”. [3] Passkeys solve the problem by making the process both simpler and stronger, using asymmetric (public-key) cryptography for multi-factor authentication.

Consumer Preferences in CIAM: The Rising Trend of Passkeys

A FIDO Alliance survey of over 1,000 consumers, conducted by NextTech Communication in early 2023, provided the following key points in its Executive Summary [4]:

  • Although passwords are still the most common form of authentication, consumers actually prefer biometrics for the better overall UX.
  • Consumer readiness for passkeys is up nearly 20 points since the fall of 2022. More than 57% of consumers are now interested in using passkeys to sign in to their accounts.
  • The shift away from passwords and toward passkeys is mainly driven by a better UX. Relying on passwords can result in a higher percentage of cart abandonment, impacting the bottom line.
  • Passwords are no longer a fit for consumers’ increasingly digital lives. This is demonstrated by how often they need to recover or reset passwords. In fact, 90% of consumers have had to reset a password at least once, with over 32% doing so multiple times a year.

Top 10 Benefits of Adopting Passkeys in Digital Authentication

  1. Seamless login via an automatically provided device passkey using a single gesture: Touch ID, Face ID or another biometric method. MFA is accomplished in a single step that replaces both the password and the OTP, which also eliminates the OTP cost.
  2. Passwords are a big problem. Everyone keeps reusing the same weak passwords, and even then we can’t remember them.
  3. Passkeys are more secure than passwords, incredibly easy to use, provide a seamless UX, and are supported by every major platform run by Apple, Google and Microsoft.
  4. A passkey is always strong, never guessable by an attacker, and phishing resistant because of the cryptography involved. This eliminates the risk of credential compromise.
  5. The blast radius is reduced, since each passkey is tied to an individual application, unlike passwords, which are tied to multiple applications through SSO.
  6. The private key is never made available to websites or third-party applications, so it cannot be leaked by them. Even if the device holding the private key were stolen, the thief would still need the other factor (biometric, PIN, etc.).
  7. For smartphone users on iOS: your iPhone stores the passkey in iCloud Keychain, so it is available on all your Apple devices for login. Very convenient for iOS users.
  8. For Android users, passkeys are synced to Google Password Manager and made available to all Android devices signed in to the same Google Account.
  9. Passkeys have cross-device and cross-platform capability. They can be used across platforms and devices via QR codes and Bluetooth.
  10. FIDO credentials are now no longer bound to a specific device but are automatically synced to the cloud. This makes them reusable across the multiple devices a user may own on the same platform, making enrollment and account recovery simpler and more resilient.

Implementing Passkeys in CIAM: Key Requirements and Steps

Understanding Passkeys: The Two-Part Authentication Revolution

Each passkey consists of two interlocking parts (public-key cryptography). The first part, the private key, is bound to a trusted platform module (TPM) and synced with the user’s platform account, such as iCloud Keychain. The second part, the public key, is shared with the application or website you have an account with. When you want to sign in, your device prompts you to verify your identity using biometrics. Both parts of your passkey are then used to authenticate you to the app or website: the private key signs the server’s challenge, and the public key lets the server verify that signature before issuing your session.

There are certain requirements that must be met to support passkey usage:

  1. An IdP that supports the FIDO2 authentication standard.
  2. Update the front-end login (sign-in) and registration (sign-up) code to use the Web Authentication API (WebAuthn), which together with the Client to Authenticator Protocol (CTAP) makes up FIDO2.
  3. Set up a back-end FIDO server to verify FIDO registration and authentication challenge responses.
  4. The online service or web application must register the public key with a back-end server.
  5. Users must be on a browser that supports WebAuthn: Chrome, Firefox, Edge or Safari.

Elevate Your CIAM Journey with PingOne’s DaVinci Cloud Service and iC Consult

Now that you know the benefits and have a general understanding of what is involved in implementing passkeys, let me show you how you can use PingOne’s DaVinci service to make this a reality:

PingOne’s DaVinci service is an identity orchestration platform with a visual drag-and-drop interface. It lets you build a seamless UX into your consumer sign-up and sign-in flows without writing your own code.

All you need to do is embed a JavaScript widget in your web application that calls the PingOne DaVinci cloud service for its login and registration flows. The DaVinci service does the heavy lifting by implementing the requirements listed above while choreographing a great UX.

Get in touch with our iC Consult experts so we can help you understand passkeys in more depth and show you how to implement them as part of your CIAM journey. We can demo a typical CIAM implementation that uses passkeys to provide a seamless, more secure IDAM environment, and help you plan or get started with your CIAM passkey journey. What are you waiting for? Your consumers will appreciate the seamless experience. Don’t let your competitors beat you to this game-changing technology.

References

[1] IBM – Cost of Data Breach Report (https://www.ibm.com/reports/data-breach), 2023

[2] Ping Identity and Wakefield Research – 2021 Consumer Survey: Brand Loyalty is Earned at Login (https://www.pingidentity.com/en/resources/content-library/misc/2021-consumer-survey-passwords-privacy-brand-loyalty.html), 2021

[3] FIDO Alliance (https://fidoalliance.org)

[4] FIDO Alliance – Report: Consumers are ready to embrace new authentication methods (https://media.fidoalliance.org/wp-content/uploads/2023/05/FIDO-Alliance-consumer-attitudes-report-May-2023.pdf), May 2023