Passkeys are rapidly gaining ground as a mainstream authentication method, according to Andrew Shikiar, CEO of the FIDO Alliance. As of 2024, over 15 billion accounts globally are equipped with passkey capabilities. Shikiar forecasts this number to “march towards 20 billion” by the end of the year. The surge in passkey adoption comes as companies like Cloudflare experience reduced phishing attacks through this enhanced security measure.
Despite this progress, several companies continue to grapple with implementing passkey systems efficiently. These organizations often find that users perceive little time savings when using passkeys. The FIDO Alliance is addressing these challenges by working on a draft of the passkey specification, expected to be published later this year. However, even with advancements, passkeys are not foolproof. Attackers increasingly use generative AI to craft convincing phishing emails, tricking users into entering multi-factor authentication (MFA) codes on fraudulent sites.
Phishing attacks have underscored the limitations of MFA as a security measure, prompting companies like T-Mobile to transition to passwordless authentication following significant breaches. In 2021, T-Mobile faced a massive breach that led to the purchase of over 200,000 Yubico security keys for its employees. Shikiar remarked on such reactive measures, stating:
“It’s unfortunate that some companies do so after the fact” – Andrew Shikiar
Variations in Terminology and Security Protocols
In government sectors, nomenclature differs slightly, with services like login.gov opting for terms such as “face or touch unlock” instead of “passkeys.” Meanwhile, some companies still require MFA verification even after a passkey login, highlighting the ongoing evolution of digital security protocols.
Passkeys have yet to achieve widespread adoption. Only a few major players like Amazon and Google have rolled out passkey authentication extensively. Amazon has generated approximately 175 million passkeys, whereas Google boasts over 800 million accounts secured with passkeys. Shikiar remains optimistic about the future of passkeys, predicting their mainstream adoption by 2025.
Shikiar acknowledges the current landscape:
“We’re in a phase of strong adoption, But it’s still early adoption” – Andrew Shikiar
While companies like Cloudflare benefit from passkey authentication deflecting phishing attempts, others are caught in transitional phases. Shikiar notes:
“A lot of companies that are employing passkeys are still improving their user experience” – Andrew Shikiar
Even with robust security measures in place, human error remains a vulnerability. As Shikiar points out:
“We can’t stop people from answering the phone call about the IRS demanding everything” – Andrew Shikiar
To combat these challenges, the FIDO Alliance aims to refine passkey specifications and improve user experiences. The forthcoming draft later this year underscores their commitment:
“We hope to have a published draft later this year of the specification” – Andrew Shikiar
Author’s Opinion
The expansion of passkeys as a secure alternative to traditional passwords marks a significant step in cybersecurity. While the technology shows promise, the real challenge lies in overcoming user inertia and enhancing the user experience to accommodate this new method. As companies refine their implementations and more entities adopt passkeys, the potential for a safer digital environment increases, although human factors like susceptibility to phishing remain a significant hurdle.
