7

Both Apple and Google have demonstrated Passkeys at their developer conferences (Google I/O and Apple WWDC 2022), and Microsoft is also on board. Being able to transfer passkeys from device to device removes a major limitation of FIDO2/WebAuthn and will likely be the breakthrough.

However, in their presentations both Apple and Google demonstrated the passkey setup on top of an account with username and password. Once the passkey was created, login was possible without password.

  • Does Passkey really require an existing account with password?
  • Or is this just temporarily needed for account setup?
  • Or can a user register a new account with just username and passkey and really go password-less?
Codo
  • 75,595
  • 17
  • 168
  • 206

4 Answers

10

Great questions – we've been working on finding good answers since WebAuthn Platform Authenticators (and now passkeys) have been announced.

tl;dr:

  • Passkeys do not require a password; passkeys and passwords can coexist, but do not require each other
  • Passwordless accounts that are protected only by one or more passkey(s) are the clear goal and will become a reality once passkeys are fully supported on all platforms

BUT you have to take into account what your average user knows about authentication and what they expect when they want to create an account or login to your app or website.

We frequently hear from users as well as service providers things like:

  • "How can my account be secure if I don't need to enter a password??"
  • "I don't want this website to see my fingerprint" (which of course will never happen, but is still the #1 user concern with WebAuthn)
  • "I lost my phone (and therefore my passkeys) and want to sign in, where can I enter my password?"
  • "I'm still on Windows 7 and can't use passkeys"

Ultimately, it would just not be a good idea to offer only passkey-based authentication for any production login today. In a few years things will look different, but for now the only sensible approach is to offer a regular login with a passkey alternative (on supported devices). Slowly, users will get to know the technology and the term passkey from the big account providers (Apple, Google, MS, Amazon, ...) and the typical username/password login form will be degraded to a fallback/recovery method and hopefully be completely gone someday.

FlxMgdnz
  • 384
  • 2
  • 7
  • I fully agree that accounts with passwords are still needed for quite some time. However, am I correct that the Passkey features to be introduced by Apple and Google by the end of the year will make it possible to offer "Sign up with Passkey (without password)" as one of the options? So users who trust Passkey and have capable devices can choose to register without ever setting a password. – Codo Jun 14 '22 at 10:00
  • 1
    Yes, that is possible and exactly the idea behind passkeys. Typically the user still has to provide some information, e.g. an email address or a name, but a password would not be required anymore. – FlxMgdnz Jun 15 '22 at 09:34
  • "I'm still on Windows 7 and can't use passkeys" -- I don't understand why web browsers don't just add a soft authenticator to solve this problem. You don't even need to be on Windows 7, you can just be on any hardware without a TPM and WebAuthn currently doesn't work in any web browser. There's no reason for this. – Dolda2000 Sep 30 '22 at 11:31
  • Passkeys ultimately make the most sense when they are managed by the operating system, not by the browsers. Otherwise you have inconsistencies when using multiple browsers, native apps also need access to passkeys, and we want users to always interact with the same consistent UI / UX when using passkeys. All this is only possible on OS level. Passkey sync & backup happens either through the platform fabric (iCloud et al), or hopefully soon by 3rd-parties enabled by OS-level APIs. – FlxMgdnz Jan 31 '23 at 08:14
1

Passkeys do require an account. However, they don't require a password because biometrics are used in authentication. I added passkeys to my site using the OwnID API https://youtu.be/DAJHaUbHs44

EvilGG
  • 29
  • 5
1

You don't need passwords when going with the passkeys approach. Generally, you can use out-of-the-box solutions for passkeys, such as passkeys.com for example.

0

Authentication is the process of checking who you are when you talk to the service. Authentication is typically bound to the user's identity. Such identity is mostly verified during the onboarding process, and you register some credentials (authenticators) for future identification and authentication. A typical identity proofing (and verification) process requires a couple of complex steps.

In this case, you might leverage a password as an authenticator, among others. It's up to your choice. So, even without supporting passkeys, you can entirely remove the password if there are any fallback authenticators.

Since the password is very easy to deploy and a universal way of authentication, most service providers are now relying on the password, and passwords are the root cause of most security breaches.

Passkeys are an alternative way for users to authenticate themselves to services with a possession factor, and they try to be universal by synchronizing the credential across the user's devices.

  • 1
    So will Apple's and Google's passkey implementation support accounts without passwords? – Codo Jun 15 '22 at 12:06
  • Technically, the passkey implementations by Apple, Google, and Microsoft are just APIs and OS/browser features that all websites and apps (services) can use for authenticating their users. Each service can decide whether to support passkeys alongside passwords or just to offer passwordless options, or even passkeys as the only auth method. How e.g. Google will support passkeys with their own Google accounts is another story, but I think we can assume they all will offer fully passwordless accounts at some point, since they specifically design the protocol for that. – FlxMgdnz Jun 16 '22 at 07:24
  • One more thing – be careful not to mix up passkeys and 3rd party logins like "Sign in with Apple". Passkeys are a straight-forward password replacement, where the platforms just have to play a part by making certain devices features (biometrics and access to crypto features of the secure hardware) available to websites and apps through standardized APIs and protocols (i.e., WebAuthn, CTAP). But a passkey login always happens directly between a service and the user, no 3rd party involved. Sign in with Apple etc. always redirect the user to the 3rd party for authentication. – FlxMgdnz Jun 16 '22 at 07:39
  • 3rd-party login providers can (and will) also support passkey logins for sure, but it's a fundamentally different thing. A passkey is always bound to a domain (origin), and can only be used there. So if you login to service.com with a passkey on, say, your macbook, Apple is not involved. On the other hand, if service.com offers "Sign in with Apple", and you use that, you may use your apple.com passkey at some point to login with your Apple account at the Apple login form. Only then Apple would be involved because you authenticate with them and they redirect you back to service.com. – FlxMgdnz Jun 16 '22 at 07:47