Search code examples
webauthnfidopassword-lesspasskey

Is password still needed when using Passkeys?

Both Apple and Google have demonstrated Passkeys at their developer conferences (Google I/O and Apple WWDC 2022), and Microsoft is also on board. Being able to transfer passkeys from device to device removes a major limitation of FIDO2/WebAuthn and will likely be the breakthrough.

However, in their presentations both Apple and Google demonstrated the passkey setup on top of an account with username and password. Once the passkey was created, login was possible without password.

  • Does Passkey really require an existing account with password?
  • Or is this just temporarily needed for account setup?
  • Or can a user register a new account with just username and passkey and really go password-less?
Solution

  • Great questions – we've been working on finding good answers since WebAuthn Platform Authenticators (and now passkeys) have been announced.

    tl;dr:

    • Passkeys do not require a password; passkeys and passwords can coexist, but do not require each other
    • Passwordless accounts that are protected only by one ore more passkey(s) are the clear goal and will become a reality once passkeys are fully supported on all platforms

    BUT you have to take into account what your average user knows about authentication and what they expect when they want to create an account or login to your app or website.

    We frequently hear from users as well as service providers things like:

    • "How can my account be secure if I don't need to enter a password??"
    • "I don't want this website to see my fingerprint" (which of course will never happen, but is still the #1 user concern with WebAuthn)
    • "I lost my phone (and therefore my passkeys) and want to sign in, where can I enter my password?"
    • "I'm still on Windows 7 and can't use passkeys"

    Ultimately, it would just not be a good idea to offer only passkey-based authentication for any production login today. In a few years things will look different, but for now the only sensible approach is to offer a regular login with a passkey alternative (on supported devices). Slowly, users will get to know the technology and the term passkey from the big account providers (Apple, Google, MS, Amazon, ...) and the typical username/password login form will be degraded to a fallback/recovery method and hopefully be completely gone someday.