Passkeys vs Passwords
A product manager's perspective
Following an earlier posts about Password Rules, let’s have a look at passkeys today.
I'm a big fan of passkeys, because I think they offer a huge improvement in security over simple, reused, easy-to-guess passwords written on a sticky note at the back of your keyboard.
But first:
What are passkeys?
Instead of relying on a password that can be forgotten or stolen, passkeys use a pair of cryptographic keys. They use asymmetric key cryptography, which involves a pair of keys: a public key and a private key. The private key is stored on your device and the public key is stored on a server. When you log in, the server sends a challenge that your device signs using the private key, proving your identity without revealing the key itself. The server never sees the private key, so it cannot be compromised.
The key pair is generated automatically so that the technical details will not be presented to the user.
As a product manager, you would appreciate that passkeys offer several advantages over traditional passwords, particularly in enhancing user experience, security, and operational efficiency. Here are some key points:
Benefits
1. Higher Security
Phishing resistance: Passkeys are less susceptible to phishing attacks since they don’t require users to enter them on a website. Instead, authentication happens through secure device interactions.
No password reuse: Users often reuse passwords across sites, increasing vulnerability. Passkeys are unique and device-specific, reducing this risk.
Secure keys: The user does not need to remember a long or complex password as the key pair is automatically generated.
Not written on sticky notes: The fact that passkeys are not even revealed to the user means that nobody will write them down on sticky notes and stick them onto the screen.
2. User Experience
Simplified authentication: Users can log in without remembering complex passwords or managing resets, leading to a smoother experience.
Fewer frustrations: Eliminating the need to remember passwords reduces user frustration and abandonment rates during login.
4. Cross-Platform Convenience
Device synchronization: Passkeys can be synchronized across devices (like phones and computers) through secure cloud storage, allowing seamless access without needing to re-enter credentials. There are also drawbacks mentioned below.
5. Future-Proofing
Alignment with industry trends: Major tech companies are moving towards passkey adoption, indicating a shift in best practices. Companies can improve their credibility when adopting passkeys.
6. Compliance and Standards
Adherence to security standards: Passkeys are designed to comply with existing and emerging security standards (like FIDO2, WebAuthn), which can help in meeting regulatory requirements more effectively.
Drawbacks
While passkeys offer numerous advantages, there are some current drawbacks and criticisms to consider:
1. Device and Venor Dependency
Single device lock-in: Passkeys are tied to specific devices. If a user loses their device and hasn't set up recovery options, they may lose access to their accounts. That is, unless the operating system vendor synchronizes private keys across devices via cloud services. See drawback 2.
Vendor lock-in: Even if a vendor can synchronize the keys across the devices, it is very hard to transfer them to another vendor or system.
2. Privacy Concerns
Centralization of data: Some users may worry about how their passkey information is stored and managed, especially if it's tied to and synchronized via a cloud service.
3. User Adoption and Awareness
Learning curve: Users may need time to understand and trust passkey technology, especially those who are used to traditional passwords.
Resistance to change: Many users are resistant to changing established habits, which could slow adoption rates.
6. Potential for Exploitation
Device vulnerabilities: If a user’s device is compromised, the passkeys stored on it could be at risk, depending on how they are stored and secured. Please note that the same is also true for traditional passwords saved in password managers.
7. Transition Costs
Implementation challenges: For businesses, transitioning to a passkey system may require significant investment in technology and training.
Conclusion
There are currently some serious drawbacks to passkeys that prevent mass adoption. However, the traditional password also has many drawbacks!
Passkeys provide real value to the user: Security, ease of use, peace of mind, and more.
When comparing the two alternatives, passkeys are already the better choice. I recommend that any vendor building a software product should include a passkey option, preferably as the default choice.
What I read
As usual, I will list some of the best articles I read on the Internet. I will keep a list of the best articles (currently >800) at https://www.digital-product-management.com. These are today’s picks:
Become a better communicator: Specific frameworks to improve your clarity, influence, and impact.
48 Laws of Power in Leadership: Power Tactics Every Manager Should Know
Capture authentic customer voices from the web with AI: An actionable guide to capturing real customer voices and turning them into useful input for product opportunities.