Hacker News: vdelitz's comments

Have to disagree with the author's opinion. I think he compares passkeys only to passwords (single factor) and assumes people always use autofill.

But you should compare the passkey UX to conventional MFA UX. I think there it's obvious that passkeys are superior (+ the phishing resistance on top. Even if non-tech-savvy users would like to disclose their credentials on a fraudulent website, they couldn't).

What do you think?


Thanks!

Did you work with webauthn in consumer or workforce auth context?


Majorly work with consumers.


You can use a password manager to store your private passkeys, so as long as you have access to it, you don't need to worry about lost devices.


How do you want to detect if the user has a password manager? Checking if the DOM is changed by the password manager's autofill?


I believe the client side exposes a global ID as part of the WebAuthn flow, which would let me only accept IDs from 1Password, Bitwarden, etc. But I haven't verified that.
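The identifier the comment is reaching for is the authenticator's AAGUID, which a relying party receives inside the authenticatorData of a registration response. As an added example (not code from the commenter or from Corbado), this parses the AAGUID out of authenticatorData and checks it against a server-side allow-list; the AAGUID values in the allow-list are placeholders, not real provider identifiers, and the sample authenticatorData is constructed here rather than captured.

```python
import struct
import uuid
from typing import Optional

# Bit in the authenticatorData flags byte: attested credential data (AT) present.
FLAG_AT = 0x40

# Placeholder allow-list (constructed). Real provider AAGUIDs are published by
# the providers themselves; none are reproduced here.
ALLOWED_AAGUIDS = {
    uuid.UUID("00000000-0000-0000-0000-00000000aaaa"): "placeholder-provider-a",
    uuid.UUID("00000000-0000-0000-0000-00000000bbbb"): "placeholder-provider-b",
}


def parse_aaguid(auth_data: bytes) -> Optional[uuid.UUID]:
    """Return the AAGUID from a WebAuthn authenticatorData blob, or None.

    Layout: rpIdHash[32] | flags[1] | signCount[4]
            | attestedCredentialData: aaguid[16] | credIdLen[2] | credId | COSE key
    Attested credential data (and thus the AAGUID) is only present when the AT
    flag is set, i.e. on registration, not on a login assertion.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than its fixed 37-byte header")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def provider_for(auth_data: bytes) -> Optional[str]:
    """Map a registration's AAGUID to an allow-listed provider name, else None."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None or aaguid.int == 0:
        # Absent or all-zero AAGUID: the authenticator did not identify itself,
        # so no provider-based policy decision can be made from this field.
        return None
    return ALLOWED_AAGUIDS.get(aaguid)


def build_auth_data(aaguid_str: str, flags: int = 0x41) -> bytes:
    """Constructed sample authenticatorData for local testing (not a real capture)."""
    rp_id_hash = b"\x11" * 32            # stands in for SHA-256(rpId)
    sign_count = struct.pack(">I", 1)
    cred_id = b"\x22" * 8
    cose_key = b"\xa0"                   # empty CBOR map in place of the COSE key
    return (rp_id_hash + bytes([flags]) + sign_count
            + uuid.UUID(aaguid_str).bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```

Because the AAGUID is self-reported by the authenticator and only bound by attestation, treating it as a hard security boundary requires verifying the attestation statement as well; on its own it is suitable for UX decisions and soft policy.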


clearly biased: https://corbado.com


Great step into full cross-platform passkey sync capability - now only iOS of the major operating systems is left. This will be only a matter of time IMO.


Hey,

I am Vincent from Corbado. We're building a dev tool that lets you easily integrate passkey auth into your applications. Since secure & user-friendly authentication is very important to us, we have had hundreds of talks with devs and PMs on how we can help them integrate passkeys and thus make the Internet a safer place by sharing our passkey learnings. Many said they are not sure if their users' devices are passkey-ready.

Therefore, we built State of Passkeys, a free tool, where we provide passkey-readiness data that we collected over the past years to help other developers and product managers roll out passkeys with confidence.

To determine the passkey-readiness of their users’ devices, State of Passkeys serves the largest existing, publicly available data collection on passkey-readiness. You can get analytics on passkey-readiness depending on operating system, device, browser and passkey-readiness features (WebAuthn, platform auth, Conditional UI, passkey sync).

The data is collected (anonymously and GDPR-compliant) via an analytics script by using the browser Web Authentication API.

We're really happy we get to show this to you all, thank you for reading about it! Please let us know your thoughts and questions in the comments.

Check it out here: https://state-of-passkeys.io


There's a new trend coming up of "Smart Wallets" which make use of synced passkeys for authentication.

I can share a blog post about this topic that I recently wrote if you're interested in some details (e.g. Coinbase did it this way).


1) They link the public key to your user account in their database.

2) Passkeys are 2FA by default. Someone needs to steal your phone where the private key is stored (first factor) and they would need your Face ID / Touch ID / PIN code (second factor). Just losing your phone doesn't give someone else the chance to use your passkey for authentication.


Yes, that might be a strategic thinking of big tech. Still, you can use third-party password managers like Bitwarden, KeePassXC or 1Password to take care of your passkeys. I think, for most non-technical users, they will go for the Apple/Google/Microsoft credential manager option, but if you're more tech-savvy, there are ways to stay independent of big tech.

