Product designer Sierre Wolfkostin explains why passkeys haven't completely replaced passwords…yet

by Jenn Marshall

Passwords are required to do practically everything, from watching TV and accessing your phone to making a doctor’s appointment and paying your electric bill. Without a password manager, it’s virtually impossible to remember all of your passwords, particularly if you’re using strong and unique ones for each account.

But the security landscape is changing. As Sierre Wolfkostin, Principal Product Designer at 1Password, and Matt Davey, Chief Experience Officer at 1Password, discuss on the Random But Memorable podcast, the world is headed toward a more streamlined, passwordless future.

You can already use 1Password to save and sign in with passkeys. New 1Password customers also can use passkeys to unlock their 1Password accounts (currently in public beta).

Why aren’t we using passkeys for everything, all the time? Read the interview highlights below or listen to the full podcast episode to hear Wolfkostin and Davey talk about the advantages of passkeys, as well as some of the remaining challenges and why we’re not ready to replace all passwords with passkeys – yet.


Editor’s note: This interview has been lightly edited for clarity and brevity.

Matt Davey: Both from a security and usability standpoint, what are the advantages of passkeys and other forms of passwordless authentication over traditional passwords?

Sierre Wolfkostin: I’m glad you zeroed in on usability because during my time working with the FIDO Alliance, that’s what we found consumers tended to value the most: that usability and that convenience factor. What’s neat about passwordless authentication is it removes a ton of friction that didn’t really need to be there in the first place. Logging in with a biometric, it takes just a couple of seconds. In many cases it’s literally as simple as tapping your laptop’s fingerprint sensor or staring at your phone to unlock it. You don’t have to go through this adventure journey of finding your password and getting it in the login box.

There have been reports recently comparing the set-up time, the login time, and also the error rate between passwordless authentication and traditional authentication. Even if you look at the really conservative ones, we’re talking about a 50% increase in speed and maybe a 20% decrease in error rate. It’s not just perceived ease, it’s actual ease. You are able to log in faster and with fewer hiccups along the way if you are doing so without a password.

MD: So we’re getting to that point where people are comfortable enough with biometrics that we can present them in the authentication or signup flow and it still makes things easier over the long run?

SW: Yes. To be fair, it took time for people to be comfortable with biometrics. I’ve conducted different user interviews and studies over the last six years or so. Six years ago was when Touch ID had started to gain traction as a main way to unlock your phone. I remember at the time, man, there were some people who were very hesitant about Touch ID. Concerns about a company stealing your fingerprint; I think one participant mentioned losing a finger and being unable to unlock their phone because their finger was gone. Just all these really big concerns about Touch ID.

“It’s just a matter of time for people to get comfortable with it.”

Gradually those concerns dissipated. Just because it was more familiar, it was more of a public concept, and because a lot of the world’s operating systems took a strong stance on privacy and said, “Hey, your biometrics – of course they’re not going to leave your device. Of course they’re not going to be shared with [insert company].”

I think we’re seeing something similar with passkeys and passwordless authentication now. It’s just a matter of time for people to get comfortable with it.

MD: How do passkeys work, why are they considered more secure, and what parts are there to them?

SW: Passkeys are a specific and popular form of passwordless authentication. They represent the latest evolution of this technology. They’re supported by the majority of the world’s browsers and operating systems.

How they work is that every passkey consists of two different interlocking parts. There’s the public key that’s shared with the website and then there’s the private key that never leaves your accounts and devices.


It’s probably easiest to understand with a real-world scenario. Imagine you’re logging into a website that supports passkeys and you haven’t logged into this website before. You want to create an account, so you choose the option to create an account and to secure it with a passkey as opposed to a normal password. You’d be prompted to confirm where your private key (that’s about to be created) is going to be stored. It could be stored on your device’s keychain like iCloud Keychain. It could be stored on a password manager, like 1Password. It could be stored on a hardware security key. Then, after you pick where it’s stored, you’ll see the confirmation that your account has been created.

Behind the scenes, there’s a lot happening. The private key obviously has been saved to the place of your choosing. A public key is sent to the server of the website or the app or wherever you’re creating your account. Again, you can think of these two keys as interlocking pieces of the same puzzle. They are mathematically connected and together, they make one passkey. You need both pieces for a passkey to work. At this point, you’ve created a passkey.

Let’s say you want to sign in using that passkey. The next time you visit this website or app, you won’t have to enter in a traditional password. You instead use your passkey and you’d be asked to authenticate using that passkey.

“The experience is super simple. You basically unlock wherever your passkey is stored.”

The experience is super simple. You basically unlock wherever your passkey is stored. Usually this involves you using biometrics like Touch ID or Face ID, etc., and that’s it. You’re signed in at that point.

Of course, behind the scenes a ton is happening. The website has made a technical challenge and wherever you’ve stored your private key needs to accept this challenge. But before that happens, you have to make sure it’s you and not someone else that’s getting access to your private key to use it. That’s why you have to unlock the place where the private key is stored, whether it’s iCloud Keychain, a password manager, etc.

Only once you do that can this challenge be signed and then sent back to the website (this is behind the scenes). The website checks it with its public key, the two interlocking pieces connect and – voila! – you are allowed access.

I find it helpful to think of it as two keys making one passkey. You need your key and you need the website’s public key.

MD: Something I really like about passkeys is how they work with third-party passkey providers. The companies that own the major operating systems are building in support that third-party providers can take control of.

Passkeys are also going to be portable, which is really nice.

SW: Yes, we’ve seen that and honestly, it’s a large part because the whole effort to create passkeys has been so community driven from the beginning. I mentioned the FIDO Alliance before but it’s this massive industry association of 200-plus tech companies, including Apple, Google, Microsoft, all the big ones and more.

In that association you have the owners of the operating systems and the owners of the browsers and the people that make apps and websites all coming together. They’re all asking: “What is the best way to help people securely log in? How do we make that a really good experience?” Portability and passkey migration naturally come out of that.

The heart and soul of passkeys is a very collaborative, community-driven effort in the security industry. That’s in part what makes me really excited about this improvement and also future improvements for passkeys.

MD: I don’t think passkeys are as pervasive as we want them to be. Is that a website problem, a provider problem, or a people problem?

SW: It’s true. Even though there’s been great progress made by the security industry, I don’t think passkeys are ready to replace passwords, at least just yet, for a few reasons. One is that not all websites and apps and services support them. I know 1Password hosts an index of sorts, passkeys.directory, that can show you some known websites and apps, etc. that support passkeys. If you check the directory, it’s lengthy but not comprehensive. There’s still a long way to go.

“Not all websites and apps and services support passkeys.”

Also, not all browsers and operating systems have support for passkeys. The vast majority do, including all the ones you’re used to using. But last time I checked, it was only around ninety-plus percent adoption. We’re not 100% adoption and support for passkeys across all browsers and operating systems.

There are still some wrinkles to be ironed out in the user experience. Passkeys, they’re easy to use if you’re on the happy path, if you’re on the predetermined, simplest path you can be. But some edge cases are still kind of tricky.

For example, there used to be this case where if you had a passkey saved to your iCloud Keychain and then you got a new MacBook and tried to log in using a passkey, but iCloud syncing was not turned on, you didn’t have access to the passkey and got an error. That was one wonky experience. It’s probably been solved by now, but these sorts of things happen often, especially when so many players – browsers, operating systems, apps, services, etc. – are required to work together to make a passkey experience work.

“The biggest barrier is probably the sheer inertia that we’re up against.”

There’s a lot of edge cases that still need to be addressed.

Honestly, the biggest barrier is probably the sheer inertia that we’re up against. Password use is so prevalent. I mean, three generations of people are using passwords. That’s a lot for any sort of change to be up against, especially a new technology like passkeys.

MD: What challenges do organizations face when transitioning to passwordless authentication? How can we best drive adoption?

SW: There are a couple that organizations usually run into. The first is the account recovery case. If you lose or don’t have access to your passkey, it’s super frustrating to not be able to log into your accounts.

What I tend to recommend in those situations is to make sure people have a backup when they create their passkey. It could be another passkey stored to a different place. It could be a hardware security key, or some sort of backup. Otherwise, people are going to get stuck. Then you, as the owner of the website, are going to get a lot of requests from people requesting access to their accounts.

Another challenge organizations face is general awareness and knowledge of what a passkey is. I did a lot of research with the FIDO Alliance, and part of what we did was talk to maybe 30 American consumers about the concept of a passkey. This was a few years back, but I remember that not a single person at the time had heard of a passkey – not a single one of them!

“We’re still nowhere near the vast majority of people and consumers knowing what a passkey is.”

Times have now changed. When I talk to people, usually there’s a chance that one of them has heard of a passkey, and maybe even used one. But we’re still nowhere near the vast majority of people and consumers knowing what a passkey is. Just the fact that it’s still so new hinders its adoption, especially if you’re an org that wants everyone to use passkeys.

MD: Some companies refer to passkeys as “biometrics” in their authentication flow. Whereas other companies say: “Hey, this is a passkey, it’s a new concept” and deal with it like that. Which approach works better?

SW: By and large, at least in the long run, everyone, every organization, is going to be more successful if there’s some sort of consistency in how passkeys are referenced. It’s very hard to adopt what you don’t understand. It’s super important that we build towards a state of consistency and a known understanding of what a passkey is. When people create one, they know what they’re getting into.

This was actually something that came out of some of the early research in the FIDO Alliance. We did a lot of concept testing, and from some of that testing and following research, we developed a series of guidelines that can help an organization optimize its passkey experience. One of those guidelines is: consistently use the name passkey and also the passkey icon because this is a world where the more familiar people are with the concept, the easier it will be to adopt.

You don’t want to go against the grain and be the one company that doesn’t use “passkey” even though you’re offering the exact same thing.

“It’s super important that we build towards a state of consistency and a known understanding of what a passkey is.”

Another guideline is to always associate passkeys with the familiar, because the icon itself is still rather abstract. But when paired, for example, with little images of biometrics or an icon of a security key and having those familiar elements orbiting the passkey icon, it gives something tangible for people to latch onto. It helps what used to be an abstract concept feel a lot more comfortable because now it’s tied to what people already know. Classic example of Jakob’s Law of UX.

You can follow those two principles and others to help people more easily adopt passkeys. But they only work if a significant mass of companies use them. So that’s why I said it’s a long-term play.

MD: How do you envision the future of these authentication standards evolving?

SW: Sometimes it’s useful to think about not how they will change, but what’s going to stay the same? What sort of “rocks” or stable ground do these design standards create for us? The parts I see staying the same include the basic representation of passkeys: the name, the icon, the things that they’re associated with, those general hero images that you now see on most browsers and operating systems when they talk about passkeys.

I think in general, all of that has to stay the same, otherwise public awareness is going to start following different forks and different paths, and people are going to become more confused than unified.

Also, I think the general trend towards optimizing the passkey experience, in part by having really clear additional guidelines that help you do so, that’s going to be one direction people move in.

“I see the industry moving gradually towards passwordless.”

Beyond the design standards, I see the industry moving gradually towards passwordless and also, sometimes, towards more of a state of what we call complete passwordless. This means that instead of mixing passwords with ways of logging in passwordlessly, you have no passwords across your entire service as a business and you are just using passwordless for all of your logins.

That’s currently still in its nascent stages. Very few companies choose to go completely passwordless, but I do see that as the general trend.

MD: Where can people find out about these evolving topics from 1Password? What’s the best place?

SW: Honestly, from what I’ve read so far, the 1Password blog is a fantastic resource. There’s loads of articles there. You can really get into the details. I would recommend starting there and then see where the rabbit holes take you.
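The sign-in round trip Wolfkostin walks through in the interview (a public key held by the site, a private key that never leaves the place it was stored, a fresh challenge that only gets signed once that place is unlocked, and the site checking the answer with its copy of the public key) is easy to see in code. The Go program below is an added illustration written for this post; it is not 1Password’s code and not the WebAuthn browser API. It uses P-256 ECDSA from Go’s standard library as a stand-in for the signature scheme, signs a simplified digest of the site ID plus the challenge rather than WebAuthn’s real authenticator data, and the names Authenticator, RelyingParty, PasskeyLogin, the site example.com and the user alice are all constructed for the example. It also shows two of the “behind the scenes” properties the interview mentions: a locked store refuses to sign, and a challenge is good for exactly one response, so a captured answer cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for wherever the private key is stored (password
// manager, platform keychain, hardware key). Private keys never leave it.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey // relying-party ID -> private key
	unlocked bool                         // result of the biometric / PIN / master-password check
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Unlock records whether user verification (Touch ID, Face ID, ...) succeeded.
func (a *Authenticator) Unlock(ok bool) { a.unlocked = ok }

// Register creates the key pair for one site and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID. It refuses while the store is locked or holds
// no key for that site; rpID is part of the signed data, so the answer only fits that site.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !a.unlocked || !ok {
		return nil, fmt.Errorf("cannot sign for %q: unlocked=%v, haveKey=%v", rpID, a.unlocked, ok)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData is the digest both sides compute: SHA-256(rpID || challenge).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the website: public keys only, plus one open challenge per user.
type RelyingParty struct {
	ID      string
	pubkeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubkeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StorePublicKey(user string, pub *ecdsa.PublicKey) { rp.pubkeys[user] = pub }

// Challenge issues 32 fresh random bytes, valid for exactly one response.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the response with the stored public key. The challenge is
// consumed first, so a captured response replayed later finds nothing to match.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, pub := rp.pending[user], rp.pubkeys[user]
	delete(rp.pending, user)
	return c != nil && pub != nil && ecdsa.VerifyASN1(pub, signedData(rp.ID, c), sig)
}

// PasskeyLogin runs one sign-in round trip: challenge, unlock-gated signature, check.
func PasskeyLogin(rp *RelyingParty, auth *Authenticator, user string) (bool, error) {
	c, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.ID, c)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}

func main() {
	rp, auth := NewRelyingParty("example.com"), NewAuthenticator() // constructed sample site
	pub, _ := auth.Register(rp.ID)
	rp.StorePublicKey("alice", pub) // constructed sample user
	auth.Unlock(true)               // the Touch ID / Face ID step
	ok, _ := PasskeyLogin(rp, auth, "alice")
	fmt.Println("signed in:", ok) // true
}
```

The point to notice is where each half lives: the relying party never holds anything it could leak that would let someone sign in, and the authenticator never hands out the private key, only a signature over a challenge it was just given. Calling PasskeyLogin before Unlock(true) returns an error rather than a signature, and calling Verify a second time with the same response returns false because the challenge was deleted on first use.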
