Passkeys for Google Accounts. Ask Me Anything (AMA) with Felix from Hanko and passkeys.io

Felix Magedanz
10 replies
Yesterday, Google announced support for passkeys across all personal Google accounts. In the announcement, Google stated that passkeys are not merely "just another login alternative," but the successor to passwords. If you have a Google account, you can add and manage passkeys here: https://g.co/passkeys

At Hanko, we have been working with passkeys, the underlying WebAuthn API, and FIDO protocols for more than 5 years. We share Google's view that passkeys are the future of authentication and have recently launched an open-source authentication solution called Hanko.io. Our solution enables developers, startups, and project teams to easily build a passkey login for their project without having to deep-dive into the details of passkeys. Additionally, we operate https://www.passkeys.io, a passkey demo website with over 100,000 registered demo accounts.

If you have any questions about passkeys, I'm here for you!

Replies

Alan Youngblood
Hi @flxmgdnz thanks for answering our questions! What are some of the biggest challenges to integrating Hanko and passkeys on existing web apps and what are some things you have planned to address those? Where are areas that the community could help develop solutions?
Felix Magedanz
@alan_youngblood Thanks, Alan. The biggest challenge when integrating passkeys is that the user flows need to change quite a bit when compared to classic password logins. Finding the right balance between modern passkeys and learned password behavior is not a simple task, which we at Hanko and others in the FIDO Alliance have been working on for more than 5 years. Our own approach to this is our open source authentication solution Hanko, which has been built from the ground up with passkeys in mind and can be used by developers and project teams to build their own auth and user management. Another huge challenge for passkey adoption was device and browser support, and there are still some (minor) pieces left. For example, we're still struggling with passkey autofill support in Edge Chromium on Windows, and the inability of browsers other than Safari to access iCloud Keychain on macOS is also a problem. For the development of Hanko, the most helpful community contributions would be new framework integrations that we haven't had the time to do yet, e.g. for C#, Java, Python, PHP, or Rails. We'd love to see example code or even guides that eventually can become a part of the official Hanko project docs. Also, any feedback is always highly appreciated and directly impacts our feature roadmap planning.
Mathias Nestler
I haven't seen passkeys used in a business context yet. What do you think: how and when will passkeys change the business world? Thanks a lot for contributing to the community!
Felix Magedanz
@mathias_n Thanks for your question, Mathias. Passkeys have the potential to revolutionize the online world by replacing traditional passwords. Apple, Google, and Microsoft, along with other members of the FIDO Alliance, are working together to create a solution that will be accessible to a vast majority of internet users. Initially, these prominent identity providers are focusing on implementing passkeys for their consumer accounts, where the user base is enormous, and the adoption process is less hindered by risk assessments, complex organizational processes, or legacy systems. Other consumer-oriented companies such as eBay, KAYAK, and Shopify have also begun implementing passkeys, while popular B2B security providers like Okta and Duo Security have started offering passkey support to their business clients.

In the coming weeks, Google Workspace accounts will also support passkeys, with Microsoft following suit later this year with a Windows update for comprehensive passkey support. This rollout is expected to extend to both B2C accounts (e.g., XBOX, personal) and B2B accounts (e.g., O365, Azure AD). Widespread adoption of passkeys across both B2C and B2B sectors is anticipated within the next 18-24 months. Ultimately, passkeys will become the default option for logging into various platforms, including online marketplaces, banking services, SaaS tools, and single sign-on (SSO) providers for businesses.

Passkeys provide a more secure alternative to traditional passwords and current 2FA methods, offering robust protection against phishing, password guessing, replay attacks, credential stuffing, and man-in-the-middle attacks. In addition to improved security, businesses can benefit from adopting passkeys in various ways:

- Reduced support costs: With passkeys eliminating the need for password resets, businesses can expect a decrease in support costs associated with account lockouts and password resets.
- Improved security posture: Passkeys help businesses strengthen their overall security posture by removing the need to store and manage sensitive password data and reducing the risk of password-related breaches and attacks.
- Simplified compliance: Implementing passkeys can help businesses meet regulatory and industry compliance requirements by ensuring secure authentication methods are in place.

As passkeys become more prevalent, their use will likely result in better conversion rates, as users will no longer need to create passwords when setting up new accounts.
Mathias Nestler
@flxmgdnz Thanks a lot for your elaborate reply. Will there still be options for things like service accounts? Imagine you need an automation that logs into an account to automate a process with tech like RPA...
Felix Magedanz
@mathias_n Legacy software will continue to exist for many years or probably even decades, and RPA will continue to work there as it does today. Service accounts for modern software that has fully switched to passkeys and does not offer passwords anymore (this will take a while) have to rely on using so-called soft authenticators, where the passkey is not stored by the operating system and therefore the passkey login flow can be automated. The software will know that it's a soft authenticator, though, and may block access for security reasons.
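To illustrate how a relying party can "know" which kind of authenticator created a passkey, here is an added example (not code from the AMA, Hanko, or passkeys.io): it parses WebAuthn authenticator data, extracts the AAGUID and backup flags, and applies a simple registration policy. The sample bytes, the AAGUID allow list, and the policy outcomes are constructed assumptions; in particular, with attestation format "none" the AAGUID is self-asserted, so a software authenticator cannot be reliably blocked from it.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data flags byte: user present, user verified,
# backup eligible (synced passkey), backup state, attested credential data included
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes  # None unless FLAG_AT is set
    credential_id: bytes  # None unless FLAG_AT is set

def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the 37-byte header and, if present, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags, (sign_count,) = data[32], struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid, (cred_len,) = data[37:53], struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(data[:32], flags, sign_count, aaguid, cred_id)

def registration_policy(ad: AuthData, attestation_fmt: str, allowed_aaguids: set) -> dict:
    """Decide whether to accept a registration. The attestation signature is assumed to be
    verified already by the caller (a real RP delegates that to a WebAuthn library)."""
    synced = bool(ad.flags & FLAG_BE)  # backup-eligible: a synced, multi-device passkey
    if not ad.flags & FLAG_UP or ad.aaguid is None:
        return {"accepted": False, "synced": synced, "reason": "missing user presence or credential"}
    if attestation_fmt == "none":
        # No attestation statement: the AAGUID is self-asserted, so a software authenticator
        # can claim any value and cannot be reliably blocked; record it as unverified.
        return {"accepted": True, "verified": False, "synced": synced, "reason": "unverified authenticator"}
    verified = ad.aaguid in allowed_aaguids
    return {"accepted": verified, "verified": True, "synced": synced,
            "reason": "allow-listed authenticator" if verified else "AAGUID not on allow list"}

# Constructed sample (not from a real device): rp "example.com", UP|UV|AT, made-up AAGUID, 4-byte cred id, COSE key placeholder
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
                    + struct.pack(">I", 0) + SAMPLE_AAGUID + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
                    + b"\xa5\x01\x02")
```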
Shreyas Iyer
Hey @flxmgdnz! I'm super interested in this topic. We saw password-less flows being pushed with OAuth, and now it seems like they're completely taking over. I'm curious to hear from you:
- How long do you think the switch from password -> password-less will take? If it will take a long time, why do you think so? Is it the migration effort?
- I think the above also begs a deeper question: do you think authentication will eventually become a service all applications offload to some identity provider?
Felix Magedanz
@shreyasiyer Thank you for the questions, Shreyas. We anticipate that passkeys and passwords will co-exist for many more years, but passkey adoption will skyrocket over the next 18 months. Users will be given the choice to skip passwords or even to delete their old passwords as soon as they've enrolled passkeys for their accounts, allowing for a smooth transition. The most critical precondition for passkey adoption has been platform and browser support, both of which are now almost 100% there. As much as passkeys simplify authentication for users, they do make things more complex and sophisticated for developers. Especially when paired with other non-trivial auth tech like OAuth, JWTs, OpenID Connect, SAML, and bot detection, "just auth" becomes a multi-month if not multi-year project, occupying valuable developer resources. We do think that auth will get more and more outsourced, like hosting, payments, messaging, and other crucial parts of modern app development.
Dexter Awoyemi
Up with Hanko. Down with passwords.