Blazing the Trail on Passwordless Authentication with Passkeys

If you were to follow security best practices, your passwords would be long and complex, containing no dictionary words. You'd have a unique one for every online account, service, or application – roughly 100 passwords if you're like most people. You'd change them regularly and you'd remember them all, perhaps using a password manager but never saving them in a file (or a notebook next to your bed).

Passwords have become the bane of most people's online experiences. If you switch devices, you'll have to enter your credentials and remember that complex password. If you forget, you may have to go through a reset — you might even get locked out of your account.

We've all heard it before, but I'll say it again: passwords are inherently bad. They're bad for the user experience, bad for security, bad for support, and bad because they enable credential phishing attacks. And yet, as we head into 2023, passwords remain the most widely used form of authentication. ¯\_(ツ)_/¯

It's time to do away with passwords; "passkeys" represent a major step forward

As a long-time champion (and enabler) of passwordless authentication, ForgeRock has been a part of the war on passwords. The latest front in this war has come from the FIDO2 (Fast Identity Online 2) Alliance's introduction of passkeys, quickly followed by announcements from Apple and Google about their support for the use of passkeys on iPhone and Android operating systems.

This introduction remedies a key usability and experience gap that has been holding back the broader adoption of passwordless authentication, promising to deliver better end-user experiences and reduce the risk of credential phishing attacks.

Passkeys remove login friction by working across your devices

Passwordless authentication is based on the FIDO2 WebAuthn standard, and features the convenience of biometrics, such as a fingerprint or facial scan. WebAuthn eliminates the need to enter a password by using public-key cryptography for secure authentication: the authenticator holds a private key and signs a server challenge, and the service verifies that signature with the matching public key.

Until now, the widespread use of passwordless has faced headwinds due to limitations in the portability of WebAuthn, which has been tied to the physical device enrolled to the user. The private keys stay in the vault on the user's mobile phone or device. So the frictionless experience goes away when the user changes devices or gets a new one, as the new device no longer holds the login credentials (private key) to authenticate.

Passkeys eliminate this restriction by allowing the private keys to be stored in a vault in the device vendor's cloud instead of on the device itself. Passkeys remove the reliance on hardware from the equation and, in so doing, remove friction when you change devices.

By eliminating passwords, you thwart the most common types of attack

Unauthorized or fraudulent access remains the number one attack vector and will continue to be as long as passwords are around. According to the 2022 ForgeRock Consumer Identity Breach Report, compromised credentials accounted for half of all data breaches in 2021. Passkeys and other approaches to passwordless authentication remove attackers' ability to use and re-use stolen credentials, and can play a powerful role in your multi-factor authentication (MFA) strategy.

ForgeRock delivers no-code, out-of-the-box support for passkeys

While other vendors have had to code it into their platform and upgrade their systems to support passkeys, we are excited to announce that the ForgeRock Identity Platform already supports passkeys without requiring any coding changes or upgrades to the platform. Passkeys have been supported by ForgeRock since their inception and have been available for our customers to use.

Our unique platform enables passkey support to be offered out-of-the-box (OOTB), and it's seamlessly integrated into user journeys to deliver multiple authentication choices to users. ForgeRock customers with active deployments will receive passkey support along with FIDO support, as the platform does not differentiate between, and equally supports, keys that are device-bound and those that aren't.

Enabling more flexibility and choices in passwordless authentication

ForgeRock customers are already building no-code passwordless authentication journeys with ForgeRock Intelligent Access Trees, which facilitate journey orchestration in the identity platform. We also provide OOTB integrations for the FIDO2 WebAuthn standard through Intelligent Access.

With passkeys already supported by these WebAuthn nodes, our customers can provide more passwordless authentication choices to end users, depending on the user's specific mobile device. Building passwordless user journeys is quick and easy — you simply drag and drop the pre-configured WebAuthn nodes and adjust the journey to meet your needs. Supported in WebAuthn nodes, passkeys are easily embedded in user journeys which then steer towards different passwordless paths based on run-time signals.

Never login again

Passkeys represent an important step forward in achieving truly seamless, outstanding experiences while dramatically reducing credential-based attacks — all by making passwords a thing of the past. We are enhancing passkey configuration options for different deployments to further improve security and interoperability, and to address customer needs for maximum choice and flexibility. As the recognized leader in passwordless technology, we continue to innovate and move closer to our mission of "never login again."

Learn more about our passwordless solutions for the digital enterprise, and why we were selected as the overall leader in the 2022 KuppingerCole Passwordless Authentication Leadership Compass. We invite you to download the free report here.