Passkeys and Biometrics Can Thwart Bad Actors

Cybersecurity breaches are a constant threat, and it’s only getting worse. In 2021, 45% of US companies suffered data breaches related to compromised credentials, 42 million individuals suffered losses greater than $50 billion in aggregate value due to identity theft and associated fraud, and over the last five years, more than 500 million credentials and passwords have been hacked or stolen .

There are also new forms of attacks coming online with the advent of AI. For instance, since ChatGPT came online, Darktrace research showed that the linguistic complexity of phishing emails jumped 17% , making the emails far more convincing and dangerous.

The Bridge to Biometrics: Passkeys

One of the most powerful multifactor authentication (MFA) security methods available is biometric authentication. Users support it, so anyone who cares about better, easier, more secure ways to authenticate should make biometrics a top priority. However, its use is still not widespread. The question remains: Why isn’t it the primary option when we sign up for and log in to all the online accounts we all manage?

The short answer? Because widespread adoption of biometrics hasn’t been scalable–until now. In May 2022, the Fast ID Online Alliance (FIDO Alliance) announced a major development in passwordless technology that would make biometric authentication much better suited for consumer use: Passkeys.

With passkeys, users can sign into apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN or pattern, freeing them from having to remember and manage passwords.

Passkeys solve some of the major user interface obstacles with existing biometric authentication and they have support from the major tech platforms (Apple, Google, Microsoft). Essentially, passkeys make a major improvement on earlier technologies by enabling biometric authentication to work across all major devices and browsers. That wasn’t possible in the past, and it discouraged companies from offering biometric authentication as a primary option for sign-up or login. Instead, biometrics have historically been relegated to a 2FA option on mobile devices.

In contrast, Passkeys support cross-device and cross-browser biometric experiences, finally making biometrics a true option for companies’ authentication flows. Passkeys provide a simple and secure way for consumers to sign up and log in to sites and apps without the need for a password. They are also a phishing-resistant password replacement that can be used across all user devices.

Priming the Pump: Laying the Foundation for Passkeys Adoption

Widespread adoption of passkeys is not going to be instantaneous, but it’s not too soon to put passkeys on your roadmap. Here are three ways that you can make your app more secure while getting your users ready for passkeys to go primetime:

  1. Optionality: Choice builds trust. Seventy-three percent of users report that being able to choose their auth method would increase their trust with a service provide r. Meet users where they are while leading them toward more modern methods of authenticating. Offer the option of face or fingerprint sign-in as an added layer on top of your password-based or passwordless authentication flows. As just one example, when you authenticate yourself on the Best Buy mobile app, you have the option of face or fingerprint sign-in. Let your users opt in (or out) to biometrics. Build a bridge so that users become familiar with more secure yet user-friendly authentication options.
  2. Feedback : Ask your users to try and test biometrics out with you. Identify early adopters and give them a chance to provide feedback and input so that you can learn where they have concerns or where a biometric-based flow might be introducing friction (whether real or perceived) and adapt accordingly.
  3. Transparency: To make users more comfortable with sharing fingerprints or facial imagery, make sure you let users know where data is stored and who has access to it. Companies can do this independently. Also, biometric privacy laws and regulations are coming online that require businesses to track, inform and provide methods for employees or consumers to consent to the collection of biometric information or biometric identifiers. Education and transparency about how biometrics work and how it benefits them will go a long way in ensuring that users are comfortable with this solution.

Let’s Act Now

With cybersecurity threats ever-present and growing, easy-to-use yet powerful MFA options like biometrics and passkeys are increasingly necessary—but we have to act fast, adopt stronger MFA authentication methods and get rid of passwords with options like passkeys and biometrics. It’s going to take better education, transparency, meeting users where they are—and, above all, passkeys. It’s vital to act now to make authentication easier and more secure before bad actors get a head start.

Reed McGinley-Stempel

Reed McGinley-Stempel is the co-founder and CEO of Stytch, a company focused on retiring the password. Stytch is the first company that's built a platform for passwordless authentication, so that any application or website can embed passwordless sign-up and login flows. Stytch has had thousands of companies choose its software to eliminate the security and user experience shortcomings of password-based authentication. With Stytch, companies can offer users a more secure and delightful experience while also driving higher conversion rates at onboarding and login, creating significant economic upside for these businesses. He and his Co-founder, Julianna Lamb, are building the product they wished they had when they were working on authentication at their previous employers, Plaid and Very Good Security. Together, they build easy-to-integrate and flexible APIs so that developers can focus on building their core products while Stytch does the heavy lifting when it comes to authentication.

reed-mcginley-stempel has 1 posts and counting. See all posts by reed-mcginley-stempel