Last spring we published a multifactor demo, showing how MFA could be seamlessly integrated into an application to create a smooth experience while protecting specific actions.
Around the same time, the FIDO Alliance announced that Apple, Google, and Microsoft had committed to supporting passkeys: FIDO credentials, built on the existing WebAuthn/FIDO2 standards, that can be synced between a user's devices. Since then, progress has been rapid, and passkeys are already widely available, making them a good candidate for implementing strong authentication in 2023. Meanwhile, hardware security keys such as YubiKey and Titan remain valid options.
Luckily for developers, all of this is hidden behind a single standard web API, WebAuthn: the same navigator.credentials.create() and navigator.credentials.get() calls work whether the authenticator is a synced passkey or a hardware key.
The MFA demo is now updated to support Passkeys – here is a video showing how these technologies work in practice.
The demo shows multi-factor authentication, but passkeys also support passwordless login. A passkey is a discoverable credential: the authenticator stores the user's identity (the user handle) alongside the key, so the site does not need to ask for a username first. The user types nothing at the login screen and simply selects the passkey to log in with.
If you are using SSO, you may already be able (or very soon will be) to enable passkey authentication in your identity provider. You then need to decide whether you still need passwords or a separate MFA step, or whether the passkey alone is enough in your case: it already combines possession of the device with the biometric or PIN (Touch ID, Face ID, etc.) that unlocks it.
Passkeys are also "portable", meaning they can be transferred from one device to another. Currently this mostly means within the same ecosystem: Apple devices sync via iCloud Keychain, and Android devices sync via Google Password Manager.
Interoperability will probably improve, but right now you might hit edge cases; for example, Chrome on Mac does not sync its passkeys anywhere (though support is planned).
The best cross-platform support comes from using your phone as the passkey device: the browser shows a QR code, the phone scans it and confirms proximity over Bluetooth, and you can then log in regardless of OS and browser (provided the browser supports passkeys, which the major ones do).
Key portability is very convenient in most cases, and syncing across all your devices makes it much less likely that you lose access because a device is lost or broken. However, portability may be undesirable in some enterprises or settings with special security requirements, since the security of the key is now tied to the security of the user's cloud account and its recovery process. In these cases you might want to turn off support for passkeys, or at least for synced ones, or use some other form of MFA. WebAuthn gives the relying party what it needs to enforce this: the authenticator data carries backup-eligibility flags, and requiring attestation lets you check which authenticator model produced the credential.
In summary, the usability and platform support have already made Passkeys a viable alternative, and the situation will keep improving.
Maybe 2023 can be the year we finally make significant progress toward a passwordless future. Let's make it so!