webauthnfidopassword-lesspasskey

Is password still needed when using Passkeys?


Both Apple and Google have demonstrated Passkeys at their developer conferences (Google I/O and Apple WWDC 2022), and Microsoft is also on board. Being able to transfer passkeys from device to device removes a major limitation of FIDO2/WebAuthn and will likely be the breakthrough.

However, in their presentations both Apple and Google demonstrated the passkey setup on top of an account with username and password. Once the passkey was created, login was possible without password.


Solution

  • Great questions – we've been working on finding good answers since WebAuthn Platform Authenticators (and now passkeys) have been announced.

    tl;dr:

    BUT you have to take into account what your average user knows about authentication and what they expect when they want to create an account or login to your app or website.

    We frequently hear from users as well as service providers things like:

    Ultimately, it would just not be a good idea to offer only passkey-based authentication for any production login today. In a few years things will look different, but for now the only sensible approach is to offer a regular login with a passkey alternative (on supported devices). Slowly, users will get to know the technology and the term passkey from the big account providers (Apple, Google, MS, Amazon, ...) and the typical username/password login form will be degraded to a fallback/recovery method and hopefully be completely gone someday.