Passkeys Improve the Customer Experience, But Passwordless Authentication Provides Greater Identity Verification Accuracy

Adrienne Slaughter
January 24, 2024

Combined, Google and Apple serve almost four billion accounts. The customers using their services rely on these behemoths with all types of personal data, so it’s most certainly in the best interest of these companies to provide the highest degree of user safety and security. At the same time, these companies are at the forefront of customer service excellence, one that is both frictionless and devoid of risk. 

To support their efforts, both companies and many other digital economy leaders are adopting passkeys as an alternative to passwords. The Wall Street Journal reports that the two companies have decided to adopt a passkey approach to customer access as a way to streamline authentication. The effort is certainly noble in its intent to improve the customer experience, but, unfortunately, it falls short in the goal of actually protecting user identities. Passkeys offer a much better and more efficient way to protect user accounts than passwords, but they still lack some of the fundamental issues that are required to protect user identities. 

It is important to create context and definition for the idea of how an account and the authentication of that account are related. A user account is simply a construct of personally identifiable information (PII) that is based on whatever an organization wants to know about a particular user. But passkeys, like passwords, focus on the account, and not the actual person. The issue is that fraudsters only have to manipulate the elements that are required to have an account. The user – the human with an actual identity – is viewed within the account as a series of data points, and these data points can all be imitated or faked. The person – the actual human behind all of this data – cannot. Passkeys are missing the fundamental aspect of binding personal data directly to an actual person, and passkeys provide only some part of that.

Why the New Focus on Passkeys?

It’s clear that passkeys serve an important purpose and offer many benefits, both to customers and the companies that manage customer accounts. They are a unique login approach that uses cryptographic elements to identify a user and provide that user with access to digital services. These cutting-edge keys offer heightened security compared to the conventional password which has to be remembered, changed, and managed. It is also clear that passkeys provide added convenience, requiring only a facial or fingerprint scan, or a simple button click. The FIDO Alliance, an industry association that promotes authentication standards, has done considerable work to establish policies and best practices for passkeys, and they are among the leading proponents of the effort being championed by Google and Apple.

To see how these keys go far beyond just providing basic access to accounts, consider the differences between passkeys and passwords

  • ​​Generation: Passkeys are automatically generated using cryptographic techniques, while passwords are user-generated.
  • Storage: Passkeys are typically not transmitted or stored on servers, whereas passwords are usually stored on servers in some form.
  • Security: Passkeys are phishing-resistant and can't be easily compromised. You can't create a weak passkey.
  • Ease of use: Passkeys are designed to be faster, easier to use, and more secure than passwords.

Think of it this way: passkeys function as a digital analogy to a lock and key system. Imagine a website having a dedicated keyhole tailored specifically for your passkey, which is a securely encrypted piece of software code stored within a password manager. When the passkey matches the lock, access is authorized.

Passkey Fundamentals: Efficient, But Not Bound to an Identity

What distinguishes this from passwords is that the passkey is exclusively stored on your personal device, like a phone or laptop, extending its functionality beyond traditional passwords. As detailed in the Google Security Blog's aptly named article, So Long Passwords, Thanks For All the Phish, passkeys streamline the login procedure by removing the necessity to memorize information and surpass the inconvenience of two-factor authentication codes typically needed for account access. For users, this is a major improvement over passwords.

The adoption of passkeys by Google and Apple has significant implications as it reflects a shift in the approach to safeguarding user accounts. While on the surface, it appears to be a sensible advancement in enhancing account security, the primary hurdle in utilizing passkeys derives from their reliance on a user's Apple or Google accounts. These accounts, though linked to Apple and Google, are not directly tied to an individual's identity. The issuer of the passkey serves as the guardian for the distribution and management of these authentication tokens. As the passkey is inherently linked to a specific device, complications arise when users seek to extend its usage to new devices.

To illustrate the point, let’s continue with the examples of the tech giants. For Apple and Google users to incorporate a passkey into a new device, there has to be interaction with the user’s individual Apple and Google accounts. While these accounts introduce extra security layers through traditional passwords, a complicated paradox occurs: the very mechanism intended to bolster security (the passkey) depends on pre-existing, more conventional authentication methods (such as passwords and one-time passcodes, or OTPs) for its distribution and activation on new devices. It’s kind of like an authentication doom loop. Users are right back where they started, relying on passwords and passcodes.

Limitations of Passkeys For Identity Verification

We know that passwords and OTPs not only offer a less-than-ideal user experience but also expose customers to risks associated with social engineering and various fraud vectors. If you've ever found yourself frustrated, either grappling with the memory of a password or waiting endlessly for a one-time passcode that never materializes, you're not alone.

A recent survey conducted by Prove in collaboration with OnePoll uncovered some interesting insights about password usage. About 62% of U.S. consumers indicated that they would abandon attempts to log into an account after just three failed password entries. Also, 34% expressed their readiness to switch service providers entirely if the login process proved cumbersome. From a security standpoint, 81% of hacking-related breaches involved the use of stolen or weak passwords, underscoring the inadequacy of passwords in thwarting unauthorized access.

Passkeys are an attempt to fix all of this, and they’re a good start. But they have their limitations. At its core, a passkey serves as a means of authentication, a digital token validating the legitimacy of access attempts. However, the passkey does not inherently encapsulate the user's identity. Unlike traditional methods where personal information may be part of the authentication process, the passkey remains distinctly focused on validating possession of a cryptographic key or biometric data, and not on an actual device. Passkeys give the appearance of a better approach, but the reality proves to be quite different.

Ultimately, passkeys create the need for a layered approach to security: the passkey safeguards device-specific access, while the traditional password and OTP safeguard the broader ecosystem that manages and disseminates passkeys. The challenge, therefore, lies in balancing the security benefits of passkeys with the necessity of maintaining secure access to the accounts orchestrating their deployment. Additionally, all of that effort to render the passkey effective has the unintended consequence of adding more friction to the user experience. Logging in through multiple gates, each requiring some level of password and/or passkey step-up, leaves a user frustrated, and frankly, not much more secure than if she just relied on a password in the first place.

The distinction becomes clearer when we consider that the passkey, as an authentication mechanism, is intimately linked to the user's device. It is not a portable entity that spans across various platforms; rather, its existence is confined to the specific hardware and software environment of the consumer's device, be it a smartphone, laptop, or another designated tool.

When passkeys rely on a device-centric approach there are certainly security advantages, but there is also a need for some caution. On the positive side, tying the passkey to a particular device fortifies security by creating an isolation layer. Even if the passkey is compromised, its validity is constrained to the device of origin. This containment mitigates the risk of widespread unauthorized access.

Yet, the efficacy of the passkey is contingent upon the robustness of the device's security measures. Should the device become compromised, the sanctity of the passkey is jeopardized. Furthermore, the lack of portability may introduce challenges for users accustomed to seamless authentication across multiple devices. Again, the issue is not the identity (and the data that’s used to verify an identity); that’s simply a part of the identity verification equation. The issue is the limitations of the passkey construct itself. 

The device-centric approach, however, when devoid of passkeys provides a completely new dynamic. Binding of an actual person to that person’s legitimate device is where fraud teams move from standard verification to an almost 95%+ match rate for reduced false positives. Prove has led the effort to change the thinking, and as a result, there has been a dramatic shift from user-centric to device-centric approaches to identity verification.

Bind Identities to Devices With Passwordless Identity Verification

Prove has led the efforts, which are now embraced by leaders in financial services and other industries, to use passwordless approaches, opting for sophisticated identity authentication solutions like deterministic authentication through mobile devices. Employing a cryptographic key, such as a SIM card on a mobile device, achieves a passwordless approach that offers several advantages:

  • Widespread Accessibility: This approach capitalizes on the ubiquity of mobile phones, a possession nearly every adult across the globe already has.
  • Reduced Reliance on OTPs and Passwords: No longer do users have to rely on one-time passwords (OTPs) and traditional passwords. Instead, they can implement passive, deterministic authentication across various channels (mobile, desktop, call center).
  • Enhanced Customer Experience: It elevates user satisfaction by streamlining the login process, making it easy and seamless.
  • Versatile Device Authentication: This approach authenticates any device, anywhere, utilizing methods such as app push notifications or biometrics.
  • Cost Reduction: Using passwordless approaches, companies can cut down on authentication costs by eliminating charges associated with OTPs and password resets.

Identity authentication that leverages mobile signals can be more secure due to the requirement for users to possess their mobile devices. This contrasts starkly with the vulnerabilities of passkeys, which can be easily compromised since they are tied to Apple and Google account passwords. The implementation of a "possession check" in this context renders fraudulent activities unscalable and financially burdensome for attackers. Notably, deterministic authentication through mobile signals not only enhances security but also prioritizes user-friendliness, leveraging a device—mobile phones—that individuals consistently have nearby.

At Prove, we look at the problem of identity verification through a lens that goes beyond just account access. As we mentioned previously, mechanisms that drive access can be manipulated, and we know all too well how good fraudsters are at doing it. As a result, we see the problem being about how we bind an identity to the device that a person possesses. By establishing a robust identity link, the Prove Auth® passwordless authentication solution facilitates passwordless and OTP-less authentication across mobile apps, web-based platforms, and multi-channel experiences. 

The Prove Auth® solution ushered in the era of passwordless login and authentication for virtually all account types and channels. Enterprises are using the Prove Auth® solution to significantly reduce reliance on traditional passwords and passkeys, providing consumers with a seamless, one-tap authentication solution that is not only user-friendly but also cost-effective and secure. The solution is backed by Prove's network of identities, Prove Identity Network®, which has been supported by machine learning techniques informed by human intelligence across our 15 years of transactions and 20+ billion annual authentication events. The Prove Auth® solution enables authentication with minimal friction, effectively overcoming the constraints posed by antiquated risk-based authentication systems.

Whether dealing with a mobile app or extending authentication to diverse channels like mobile web or desktop, the Prove Auth® solution offers a range of options for completely passive or partially passive authenticators. For scenarios beyond the mobile app realm, Prove Auth® simplifies the deployment of FIDO2 web-based authentication. This allows users to authenticate either directly through Prove or harness on-device biometrics for enhanced security measures. The flexibility and sophistication of Prove Auth® make it a versatile and robust solution for modern authentication challenges across various digital channels.

Prove and Passwordless Authentication

The Prove Auth® solution capitalizes on the cryptographic key embedded in a mobile device, notably the SIM card, to execute a highly precise authentication of consumers. The methodology involves a rigorous "possession check" that requires users to have physical possession of their mobile devices. This implies that fraudsters would find it challenging to pass this check unless they physically possess the consumer's device. While such possession is conceivable, the unscalable nature of this approach, coupled with the significant time and effort required, typically deters fraudsters.

Adding to its effectiveness, the Prove Auth® solution seamlessly incorporates a ubiquitous possession of most adults— their mobile phones. Leveraging a device that users are already intimately familiar with eliminates any learning curve for customers. Unlike one-time passcodes (OTPs), which also utilize mobile phones but often entail active user involvement, Prove Auth® operates passively in the background in most instances. This minimizes the friction and frustration associated with traditional passwords and OTPs.

Prove's suite of services facilitates the cultivation of a high level of trust in using the phone number as an authenticator for specific transactions. The Prove Auth® solution takes this a step further by enabling the device itself to inherit that trust through the establishment of a bind or key between the device and a designated identity. Once this initial bind is established, the key becomes a reliable substitute for traditional, phone number-based authenticators. This innovative approach enhances security, user experience, and trust in the authentication process.

Learn how global brands are getting better identity verification accuracy, and reducing onboarding friction, with passwordless authentication. Get a demo of Prove Auth®.

Keep reading

See all blogs
2024 Mobile Fraud Market Trends in the UK and Europe

The UK and Europe are experiencing a massive increase in mobile fraud. Consumers, businesses, and government agencies are alarmed and pondering their next steps as they prepare to deal with several emerging trends that have surfaced in 2024.

Charlie Rowland
June 18, 2024
Prove’s Brad Rosenfeld Explains the New Customer Onboarding Process on Fast Company

No longer confined to top-of-funnel engagement and brand awareness, CMOs are now leading efforts to shape the entire customer experience journey.

Kaushal Ls
June 6, 2024
PYMNTS TV: Prove CEO Rodger Desai Explains Need for Phone-Based Approach to Authentication

Prove’s CEO Rodger Desai was featured recently on PYMNTS TV, where he met with PYMNTS CEO Karen Webster to discuss trends and shifts in the identity verification market.

Kaushal Ls
June 4, 2024