DEV Community

Cover image for Passkeys Explained For Product Managers
vdelitz for Corbado

Posted on • Edited on • Originally published at corbado.com

Passkeys Explained For Product Managers

With passkeys, product managers never have to worry about a user-unfriendly login again.

Google revolutionized the login experience for billions of users by introducing passkeys a few weeks ago, marking a significant step towards a password-free world.

For those who want to streamline their product login with passkeys the same way Google did, we have written a white paper which takes an in-depth look at the world of passkeys from a product manager’s perspective.

Below we have summarized some key insights. To delve deeper into the insights covered here and explore additional topics like the role, and relevance of passkeys, we invite you to download our white paper "Passkey bible for product managers" for free here.

Functionality of passkeys

Passkeys rely on the FIDO2 / WebAuthn standard, which replaces traditional passwords or one-time passcodes (OTP). The standard is based on a cryptographic key pair designed to be more convenient than traditional passwords and provides enhanced security.

During registration, the key pair is generated in the background and verified via the user’s biometrics (e.g., Face ID or Touch ID). The public key is sent to the server and linked to the website / app.

To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key stored inside the user’s device. The challenge is signed with the private key and sent back to the server, which verifies the authentication request. Thus, neither the private key nor the biometric data ever leaves the device.

Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (1st factor) and the user’s biometric verification (2nd factor) is needed.

Moreover, passkeys are synced within an ecosystem via Apple iCloud Keychain, Google Password Manager, or Microsoft account. That makes them available out-of-the-box on all devices using the same account, which prevents the repeated creation of a passkey for each device.

Integration challenges of passkeys for product managers

Building passkey authentication on your own is a complex and costly endeavour. Depending on the technical and organizational setup of your business, the costs may amount to more than € 100,000. In addition to paying experienced software developers, who are responsible for the technical implementation and testing, a large cost block results from **the work of the product managers on **several challenging tasks (specific details to be found in our white paper):

  • Providing a great UX
  • Designing an end to end-to-end authentication process
  • Guaranteeing cross-platform usage
  • Guiding user transition
  • Taking care of recovery services
  • Ensuring backwards compatibility
  • Having deep technical understanding of WebAuthn and passkeys

Passkeys have become increasingly popular as a convenient and secure way for users to authenticate. Devices that can create and use passkeys for authentication are referred to as "passkey-ready" (e.g., through facial recognition or fingerprint scan). Our data has revealed that over 80% of all devices support passkeys, and major companies have started to roll out passkeys in their web and native apps.

Rollout strategies for passkeys

Based on established best practices, we identified three distinct rollout strategies for passkeys: the passkey-only today strategy, the passkey-first/passwordless strategy, and the hybrid strategy. Please refer to our white paper for the concrete steps that need to be followed for each strategy.

1. Passkey-only strategy: The passkey-only strategy involves implementing passkeys as the only authentication method. This strategy is only applicable for new products that are mobile, native apps without existing users. Passkey availability on those device types is extremely high. Without these existing users, the need to support other authentication methods drops and no user transition is required.

2. Passkey-first/passwordless strategy: The passkey-first/passwordless strategy involves password-free authentication through passkeys or other passwordless methods like social logins, one-time passcodes (OTPs), or email magic links. This strategy works for new products that don't have existing users yet. It doesn’t matter if the product is a web app, native app, or both. Without existing users and legacy authentication, you directly follow the future-ready, passwordless path.

3. Hybrid strategy: The hybrid strategy involves offering both passkey and traditional password authentication to users. By providing both options, companies can gradually transition existing users to passkeys over time, while still maintaining a level of familiarity for those who prefer traditional passwords.

If you want to introduce and promote passkeys at sign-up and login, there is currently one proven way in practice serving as a best practice for passkey process flows: the “KAYAK” way.

If you want to introduce and promote passkeys at login only, there are currently three ways in practice serving as a best practice for passkey process flows. These modes differ in terms of how users are introduced to passkeys during the login process: the “Shopify” way, the “Google” way, and the “eBay, PayPal, and Binance” way.

Ready to dive in? Click the link to access our white paper.

Top comments (0)