CIAM by example in four recipes: Add passwordless auth with passkeys
This recipe is part of the series Learn CIAM by example: Four recipes to improve your apps security and UX. You can learn more about the series by downloading our four recipes in a cookbook format. In this recipe, you learn how to add passwordless auth to your application using passkeys. |
Attack vectors are becoming more sophisticated every day, and passwords aren’t the only easy target for malicious behavior.
Consumers, legislators, and organizations are becoming more aware of malicious targeting with AI to phish, or fraudulently convince a party to share sensitive information.
For example, if a user’s number is leaked, bad actors can deploy a bot to harass them with a blast of push notifications through their registered devices, to pressure them to authorize a transaction, or even redirect them with a QR Code to a fake vendor page to sign in to steal even more data.
Phishing tactics include but are not limited to malware deployment, spyware monitoring, and account takeover to trick users into sharing more personal data that may see repeated abuse.
What is a passkey?
A passkey is a pair of keys — one for you that is public and one for your known user that is private and you never see.
Users can count on their passkey’s private key to authorize any channel with an associated public key, which means your users never have to set up biometrics directly with you but instead benefit from re-using their existing biometrics across your services and partner services.
Developers can rest easy knowing that bad actors can’t do anything with their hosted public key because no consumer profile information or credentials are associated with a public key — only a user-authorized private key can link up with the public key to grant access.
With passkeys, organizations can sign in consumers across networks using their smartphone’s existing mobile technology, making it possible to authenticate almost anywhere using the same biometric or pin they use to unlock their devices.
Why are passkeys so hot right now?
Customers want to spend less time logging in.
The way we send texts, make calls, and even post social media updates is the same technology that service providers like Apple and Google have baked into their products to make it easier and faster to log in to their ecosystems.
Now, organizations can make their own vendor ecosystems and offer users more secure ways to sign in and manage their data without a password. Passkeys can also speed up authentication by 2.6x on your platform.
Passkeys deliver better UX that gives organizations more control over their digital properties across systems and devices, with the added benefit for users of avoiding passwords altogether.
Fundamentally, passkeys make consumers happy because they can change devices in different contexts and environments and maintain a seamless experience, and organizations can boost their funnel.
While it may seem intimidating to add yet another digital credential to the list, passkeys are backed by strong cryptographic standards that are worth the hype, and any organization can add passkeys to their anti-phishing strategy with Auth0 by Okta.
Recipe
Ingredients:
Passkeys are super easy to set up. With just a few steps in the Auth0 dashboard, your cloud-hosted New Universal Login will update the rest, with passkeys available for all users.
- Navigate to Authentication > Authentication Profile, and select Identifier First.
- Navigate to Authentication > Database and select Create DB Connection. Name it "Passkeys" and click Create. Select the Authentication Methods tab on the next screen and enable Passkey
.
- And that’s it! When you go to log in or sign up, you will see passkey as an option, with all UX and secure authentication best practices baked in:
Passkeys: The customer-friendly security
Passkeys make it easy for users to safely traverse multiple networks and channels because passkeys cut through multiple vendor networks without sharing credentials, including passwords.
Passkeys are never shared outside of their device or services and capture a user’s consent (double tapping that side button) to access their digital properties without entering a password.
Software-bound
Passkeys can authenticate users without passwords across devices and services to continue streaming your favorite show from your smartphone to your tablet.
Let’s say your user signed up for your streaming service using their Google credentials, but they use their Apple ID for everything else because they have an iPhone and an iPad.
A user’s iPhone passkey can be used (with their consent) to create a passkey for that streaming service on their iPad for their Google account, without any of the steps that are involved with normal biometrics enrollment and sharing between vendors, which are replaced by a synced passkey.
|
|
|
|
Device-bound
Passkey hardware, like a Yubikey, is the gold standard for phishing resistance and consumer-available security. In fact, when performed over near-field communication, it is the most secure way to use a passkey because the passkey never leaves the device, and the use of a physical device accommodates proof of presence.
A device-bound passkey can be used to perform cross-device authentication in proximity to each other — and instantly sync, sign in, (and start streaming) across devices, and is considered the most secure passkey pattern.
Brands can protect their perimeters by encouraging the use of passkey hardware and, like one media giant, see higher conversion rates and a dramatic decrease in account service requests, all while protecting against malicious activity and delivering a secure, frictionless experience that consumers love.
To learn more about device-bound passkeys, check out our post on how to set up with Auth0.
What's next?
Congratulations on adding passwordless to your apps with passkeys! Now, we're ready to check in on data privacy! To fully protect your customers' information and comply with regulations like GDPR, HIPAA, and CCPA, your app needs to deliver additional features like user consent, data auditing, and a preference center.
In our upcoming recipe, we'll delve into essential elements to get your app inline with data privacy. To get all recipes in a comprehensive guide, download our cookbook.