Winners and Losers in a Passkey Future

Passkey is a new password-less authentication method that is being developed by the FIDO Alliance. Passkey promises to eliminate passwords once and for all, and it has the potential to disrupt (in a good way) the field of identity and access management. So, if Passkey is going to disrupt our industry, who are the winners and losers going to be as Passkey replaces passwords in our day-to-day lives?

Passkeys are designed to be more secure and easier to use than passwords, and they can be used to sign in to websites and apps on any device. Passkeys work by generating a unique key pair for each website or app that a user signs in to. The public key is shared with the website or app, while the private key is stored on the user's device. When the user signs in, the website or app can use the public key to verify the user's identity without requiring them to remember and enter a password.

Passkey is a feature of the operating system and all major OS vendors support it. From the client system perspective, the latest versions of major operating systems and browsers from Apple, Microsoft and Google support Passkey. Passkey works equally well on desktop or mobile devices. Passkey does not require a physical device or additional software to be downloaded on a mobile phone. It cost consumers nothing to use but they do need to use the upgrade to the latest OS and browsers. Support for Passkeys does require changes to the server-side systems so websites (relying parties) will need to add support for their users to take advantage of this technology. Many sites already have announced support for Passkey. Notably, Google has recently enabled Passkey logins for personal and Workspace accounts.

Passkey technically meets the requirements of multi-factor authentication as the user authenticates to the site or relying party using something they have (private key) and that is often unlocked by a mechanism determined by the vendor OS (interaction with a mobile device or application, fingerprint, facial recognition, or inputting a PIN). So it's possible to consider Passkey as a replacement for MFA. According to the FIDO Alliance they are still working with regulators to have them accept Passkey as strong authentication that meets the needs of MFA.

So hopefully you are convinced that Passkeys are going to revolutionize how we authenticate to the myriad of web sites and apps we use every day. So who wins, who loses, and who should we watch out for as this revolution takes hold?

• Consumers will clearly be the biggest beneficiaries of the benefits of Passkey. Consumers will now have a very strong, phishing-proof, way to sign into websites and applications. Passwords will all but be eliminated. Passkey will improve registration and sign-in user experience making it easier than ever for people to secure online access. They will simply not have to remember, write down, or otherwise manage multiple passwords for their online interactions.

• Businesses that adopt Passkey will see benefits that derive from easier account sign up and password-less login experiences. E-commerce companies will benefit from much smoother checkout processes as the barrier to creating a secure account gets lower. Not to mention financial institutions will see an increase in security, lower incidents of account takeover, and fraud. Depending on the FIDO Alliance's work with regulators, Passkey logins meet MFA requirements raising the level of assurance of Passkey protected accounts.

• The Bad Guys (criminals, phishers, etc) are going to lose big time as more users adopt Passkey. Passkey will make it nearly impossible to conduct a successful phishing attack as there isn't a way to steal a credential or MFA factor from an unwitting human. This should have a huge impact on account takeovers and fraud. Criminals that target consumers and their online accounts are going to lose passwords as an attack vector which will make hacking individual consumer accounts much more difficult.

• Consumer-grade Password Manager vendors are going to struggle for relevance in a world with Passkey. As the OS vendors improve the user experience there will simply be less of a need for third party vendors to supply solutions to manage passwords. This will become particularly acute when Passkey becomes more widely available as a sign in option for more and more web sites. Password Managers may see increased usage in the enterprise but I'd place a fairly large bet of these vendors seeing their businesses dry up as Passkey becomes more popular.

• Customer Identity and Access Management vendors that don't currently support or don't have plans to support Passkey are going to be in trouble. It won't be long before Passkey becomes part of the selection criteria for any company dealing with customer authentication. They will simply be eliminated from consideration.

• Consumer websites and service providers who are slow to adopt Passkey could see drops in sign-ups and ultimately revenue. Customers are more likely to do business with companies that have friction free processes for sign-up in order to transact. Passkey will transform these interactions into password-less ones that just work. It will lower the cognitive load on consumers at purchase time because they won't suddenly be faced with complex choices between creating an account with email and password vs social provider login. They'll just be able to use Passkey. So service providers ignore Passkey at their own peril.

I'm not categorizing Enterprise Password-less Solution vendors just yet because I'm not exactly sure how things will pan out for this group. On the one hand they do stand to win since enterprises will want to provide password-less sign-on experiences for their workforce. This is especially true of vendors who can provide password-less login to legacy systems. On the other hand they might lose in the long run as companies adopt more modern systems and phase out legacy solutions precisely because they can't be secured with ubiquitous low cost solutions like Passkey.

There is no question Passkey will have an impact on customer access management. The FIDO Alliance and its member organizations have finally created a standard for strong authentication that eliminates the password. Furthermore they've managed to foster the wide adoption of Passkey with all OS and browser vendors. It's a technology that you can use today. We are definitely on the brink of major change. Change that is going to shake things up. I can't wait to see what unfolds and I can't wait to ditch all the passwords I'm using. I'll bet you will too.